
How to fish with REST?

Splunk Employee

Did you ever wonder how to see the REST API calls Splunk Web is making to splunkd when you click around the web UI? There may be a specific task you are trying to perform via REST, yet you don't know the specific endpoint to hit for the REST API. You can do this through the web UI but are having trouble finding the right syntax for the REST API call?

1 Solution

Splunk Employee
Enable DEBUG for python in $SPLUNK_HOME/etc/log.cfg:

[python]
splunk = DEBUG
splunk.appserver = DEBUG
splunk.appserver.controllers = DEBUG
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = DEBUG
splunk.appserver.lib = DEBUG
splunk.pdfgen = DEBUG

Restart Splunk:

cd $SPLUNK_HOME/bin
./splunk restart

Tail the web_service.log file in $SPLUNK_HOME/var/log/splunk/

tail -f web_service.log

Tail the splunkd_access.log file in $SPLUNK_HOME/var/log/splunk/

tail -f splunkd_access.log

Log in to the web UI and generate the change you intend to discover.

In this example we are updating the LDAP Group Name mapping to Splunk role to add a role (power) to the existing LDAP Group Name (splunk_test).

Actions through the web UI:
Settings > Access Controls > Authentication Method > LDAP Settings > Map groups > click LDAP group name > add or remove a role > Save.

Stop tailing the web_service.log and splunkd_access.log once your web UI actions are complete.

In web_service.log you will see the endpoint path and argument key/values passed:

web_service.log:

2015-11-05 20:01:55,759 DEBUG [563bfc036d7f3a387e2290] admin:1120 - endpoint_path:: admin/LDAP-groups/splunk_test.

2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity to namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', 'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}

In splunkd_access.log you will see a POST similar to:

127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms

Piecing this information together, you can generate your curl command:

curl -k -u admin:changeme https://localhost:8089/servicesNS/-/launcher/admin/LDAP-groups/your_strategy_name%2Csplunk_test -d roles=user -d roles=power

Disable DEBUG for python in $SPLUNK_HOME/etc/log.cfg:

[python]
splunk = INFO
splunk.appserver = INFO
splunk.appserver.controllers = INFO
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = INFO
splunk.appserver.lib = INFO
splunk.pdfgen = INFO

Restart Splunk:

cd $SPLUNK_HOME/bin
./splunk restart

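The "piecing together" step in the answer above can be scripted. This is an added example, not part of the original post: `rest_args` and `build_curl` are hypothetical helper names, dropping `splunk_form_key` and the `f_*` keys is an assumption inferred from the post's own curl command, and the password is left off `-u` so curl prompts for it.

```python
import ast
import re
import shlex
from urllib.parse import quote

# The two log lines quoted in the post above, embedded as sample input.
WEB_SERVICE_LINE = (
    "2015-11-05 20:02:07,945 DEBUG [563bfc0fc77f3a3812f150] admin:989 - Saving Entity to "
    "namespace=launcher owner= endpoint_path=admin/LDAP-groups entity_name=splunk_test "
    "args={'splunk_form_key': u'3272919072636037471', 'f_ns': u'launcher', "
    "'f_api.strategy': u'your_strategy_name', 'roles': [u'user', u'power']}")
ACCESS_LINE = (
    '127.0.0.1 - admin [06/Nov/2015:13:20:52.702 -0500] "POST /servicesNS/-/launcher/'
    'admin/LDAP-groups/your_strategy_name%2Csplunk_test HTTP/1.0" 200 3909 - - - 56ms')

SAVE_RE = re.compile(
    r"Saving Entity to namespace=\S* owner=\S* endpoint_path=(?P<endpoint>\S+) "
    r"entity_name=(?P<entity>\S+) args=(?P<args>\{.*\})")
ACCESS_RE = re.compile(
    r'^\S+ - (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})')

def rest_args(save_line):
    """Return (endpoint, entity, args) from a 'Saving Entity' DEBUG line, or None."""
    m = SAVE_RE.search(save_line)
    if m is None:
        return None
    raw = ast.literal_eval(m.group("args"))  # parses the Python repr without executing it
    # Assumption: splunk_form_key and f_* keys are web-form fields, not REST arguments.
    kept = {k: v for k, v in raw.items() if k != "splunk_form_key" and not k.startswith("f_")}
    return m.group("endpoint"), m.group("entity"), kept

def build_curl(save_line, access_line, base="https://localhost:8089"):
    """Combine both log lines into the curl command for the same change."""
    save, access = rest_args(save_line), ACCESS_RE.match(access_line)
    if save is None or access is None:
        raise ValueError("unrecognised log line")
    endpoint, entity, args = save
    path = access.group("path")
    # Only pair lines that describe the same successful write to the same entity.
    if (access.group("method") != "POST" or access.group("status") != "200"
            or f"/{endpoint}/" not in path or not path.endswith(entity)):
        raise ValueError("log lines do not describe the same request")
    cmd = ["curl", "-k", "-u", access.group("user"), base + path]  # no password: curl prompts
    for key, value in args.items():
        for item in (value if isinstance(value, list) else [value]):
            cmd += ["-d", f"{key}={quote(str(item), safe='')}"]
    return " ".join(shlex.quote(part) for part in cmd)

print(build_curl(WEB_SERVICE_LINE, ACCESS_LINE))
```

The `splunk_form_key` value that the filter discards is an example of the request content the proxy controller writes to web_service.log at DEBUG level.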
