How to fish with REST?

rphillips_splk
Splunk Employee

Did you ever wonder how to see the REST API calls Splunk Web is making to splunkd when you click around the web UI? There may be a specific task you are trying to perform via REST, yet you don't know the specific endpoint to hit for the REST API. You can do this through the web UI but are having trouble finding the right syntax for the REST API call?

1 Solution

rphillips_splk
Splunk Employee
  1. Enable DEBUG for python in $SPLUNK_HOME/etc/log.cfg:

[python]
splunk = DEBUG
splunk.appserver = DEBUG
splunk.appserver.controllers = DEBUG
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = DEBUG
splunk.appserver.lib = DEBUG
splunk.pdfgen = DEBUG

Restart Splunk:

cd $SPLUNK_HOME/bin
./splunk restart

Tail the web_service.log file in $SPLUNK_HOME/var/log/splunk/

tail -f web_service.log

Tail the splunkd_access.log file in $SPLUNK_HOME/var/log/splunk/

tail -f splunkd_access.log

Log in to the web UI and generate the change you intend to discover.

In this example we are updating the LDAP Group Name mapping to Splunk role to add a role (power) to the existing LDAP Group Name (splunk_test).

Actions through the web UI:
Settings > Access Controls > Authentication Method > LDAP Settings > Map groups > click LDAP group name > add or remove a role > Save.

Stop tailing the web_service.log and splunkd_access.log once your web UI actions are complete.

In web_service.log you will see the endpoint path and argument key/values passed:

web_service.log:

2015-11-05 20:01:55,759 DEBUG [563bfc036d7f3a387e2290] admin:1120 - endpoint_path:: admin/LDAP-groups/splunk_test.

2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity to namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', 'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}

In splunkd_access.log you will see the POST, similar to:

127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms

Piecing this information together, you can generate your curl command:

curl -k -u admin:changeme https://localhost:8089/servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test -d roles=user -d roles=power

Disable DEBUG for python in $SPLUNK_HOME/etc/log.cfg:

[python]
splunk = INFO
splunk.appserver = INFO
splunk.appserver.controllers = INFO
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = INFO
splunk.appserver.lib = INFO
splunk.pdfgen = INFO

Restart Splunk:

cd $SPLUNK_HOME/bin
./splunk restart
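
The "piecing together" step from the answer above, as an added example that is not part of the original post or of Splunk's own tooling: it reads the `Saving Entity` line from web_service.log and the matching POST from splunkd_access.log and emits the curl command. The function names, the choice to drop `splunk_form_key` and `f_*` fields (the post's curl omits them), the use of `--data-urlencode`, and leaving the password off so curl prompts for it are all assumptions of this example.

```python
import ast
import re
import shlex

# Constructed sample input: the two log lines quoted in the post above.
WEB_LINE = (
    "2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity "
    "to namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test "
    "args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', "
    "'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}"
)
ACCESS_LINE = (
    '127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher/'
    'admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms'
)

SAVE_RE = re.compile(r"endpoint_path=(\S+) entity_name=(\S+) args=(\{.*\})")
ACCESS_RE = re.compile(r'"POST (\S+) HTTP/[\d.]+" (\d{3}) ')

def parse_save(line):
    """Return (endpoint_path, entity_name, args); args is read with literal_eval, never eval."""
    m = SAVE_RE.search(line)
    if not m:
        raise ValueError("not a 'Saving Entity' line")
    return m.group(1), m.group(2), ast.literal_eval(m.group(3))

def api_args(args):
    """Drop UI-only fields (assumption: splunk_form_key and f_* keys, as the post's curl does)."""
    pairs = []
    for key in sorted(args):
        if key == "splunk_form_key" or key.startswith("f_"):
            continue
        values = args[key] if isinstance(args[key], list) else [args[key]]
        pairs += [(key, v) for v in values]
    return pairs

def build_curl(web_line, access_line, user="admin", base="https://localhost:8089"):
    """Join the POST URI from splunkd_access.log with the arguments from web_service.log."""
    endpoint, _entity, args = parse_save(web_line)
    m = ACCESS_RE.search(access_line)
    if not m or endpoint not in m.group(1) or not m.group(2).startswith("2"):
        raise ValueError("no successful POST to %s in access line" % endpoint)
    cmd = ["curl", "-k", "-u", user, base + m.group(1)]  # no password: curl prompts
    for key, value in api_args(args):
        cmd += ["--data-urlencode", "%s=%s" % (key, value)]
    return " ".join(shlex.quote(part) for part in cmd)

if __name__ == "__main__":
    print(build_curl(WEB_LINE, ACCESS_LINE))
```

The DEBUG line this reads also carries the session's `splunk_form_key`, so the collected web_service.log should be handled as sensitive until the log level is back at INFO.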
