Hello,
How would we send data to a third-party server (a non-Splunk server) using a REST API? They basically send requests from the third-party server via REST API to pull the data from Splunk. What should we tell them to send with their API requests? And how do we need to configure our Splunk server to serve their API requests? Your guidance would be highly appreciated. Thank you in advance for your support in these efforts.
If the third party are pulling events i.e. they initiate the communication, then you just need to set up a report which they access through the Splunk ReST API.
If you want Splunk to push events to the third party, i.e. Splunk initiates the communication, then you could use a custom command to access their ReST API.
You're getting confusing. 🙂
"Sending data" means a push mode, which would mean that Splunk would need to call your external server and send data there.
But a bit further on you say that your team wants to call the Splunk API and pull data from Splunk.
These are two separate things.
Pushing from Splunk to an external REST API during the ingestion phase could be difficult, if possible at all.
Periodically pushing data using predefined searches, or calling Splunk from an external source and executing searches to retrieve data, is of course possible but might (depending on what exactly you want to achieve) introduce problems with synchronization, data received out of order and such.
Yes, it should be Pull (by "send" I actually meant Pull, as in serving API requests), sorry about that, thank you so much!
You could write a custom command to do that. For example, the command could take the events in the event pipeline and send them to your third-party servers using their ReST API.
Custom search commands | Documentation | Splunk Developer Program
Thank you so much for your quick response and for providing that resourceful link, truly appreciate it.
I have a couple of questions.
1. What do you mean by event pipe?
2. What parameters do I need to recommend they include in their REST API call? Our objective is to send them events with 4 fields: Account_Number, Name, Account_Type, Contact_Info
Thank you so much again.
1) You would normally use your custom command in a pipeline of commands:
... | <custom command> <options> | ...
As with all SPL commands, the command receives a series of events coming down the pipe (and usually sends events onwards to other commands in the pipeline).
Depending on the type of custom command you are writing, you may require all the events before you can complete your processing, or you may be able to process them as a stream of events.
2) Normally, the owner of the API decides what the interface looks like. If you have input to that, probably a JSON style interface would be the simplest and most recognisable, but it is entirely up to you and your third party to agree what the interface looks like.
One thing to bear in mind is how you locate where their server is. I would suggest that you make this configurable in your custom command and not rely on it being either hard coded or passed as an option in the SPL (but either of those are also possible - just not recommended!)
Your custom command may also need to be aware of, or at least be able to deal with, things like proxies and perhaps SSL certificates, etc. depending on how your connectivity is set up to your third party.
Yes, thank you so much, truly appreciate it. One more question at this stage: there is one use case under this API call. They would like to get (pull) certain events from the stream of events. These certain events are based on the Account_Number they will pass through the REST API call. Would it be possible to pull certain events from a stream of events in Splunk? And if so, how would we do that? Thank you!
If the third party are pulling events i.e. they initiate the communication, then you just need to set up a report which they access through the Splunk ReST API.
If you want Splunk to push events to the third party, i.e. Splunk initiates the communication, then you could use a custom command to access their ReST API.
Thank you so much again!
It's an "If the third party are pulling events i.e. they initiate the communication, then you just need to set up a report which they access through the Splunk ReST API."
So I just need to create a report and give them access through the REST API...correct?
One more question, what did you mean by "through the Splunk ReST API"? Do we need to initiate the API call from our server or from their/third-party server? Who is responsible for writing that REST API call? Their server is a third-party server, no Splunk there!
Yes, giving them access to the report results is one way to do it.
I think you need to clarify the architecture of your solution. Which system is calling which? How often? What parameters / variables are required? How much data do you expect to transfer? etc. Then decide what is the most appropriate method to use. To be honest, this probably isn't a topic for this forum.
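The pull mode recommended above, as an added example that is not from the thread or from Splunk: a small client the third party could run on their own (non-Splunk) server, which calls the Splunk REST API with an authentication token, runs the search as a oneshot job and returns only the four agreed fields for one Account_Number. The Splunk host, index name, token and account-number format are assumptions; the caller-supplied Account_Number is allow-listed before it is placed in the SPL so a caller cannot inject extra search commands.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumed values (not from the thread): Splunk management URL and index name.
SPLUNK_BASE = "https://splunk.example.com:8089"
INDEX = "accounts"
FIELDS = ("Account_Number", "Name", "Account_Type", "Contact_Info")
# Assumed account-number format; tighten it to match your real numbers.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9-]{1,32}")

# Constructed sample of what a oneshot job returns with output_mode=json.
SAMPLE_RESPONSE = (b'{"results": [{"Account_Number": "ACC-1001", "Name": "A. Example",'
                   b' "Account_Type": "savings", "Contact_Info": "a@example.com",'
                   b' "_raw": "internal"}]}')


def build_search(account_number):
    """Return the SPL for one account. The caller-supplied value is checked
    against an allow-list pattern instead of being escaped, so a value such
    as '1" OR Account_Number=*' is rejected rather than put into the query."""
    if not ACCOUNT_RE.fullmatch(account_number):
        raise ValueError("invalid Account_Number: %r" % account_number)
    return 'search index=%s Account_Number="%s" | table %s' % (
        INDEX, account_number, ", ".join(FIELDS))


def parse_results(body):
    """Keep only the four agreed fields from the job's JSON, so internal
    fields such as _raw are never handed to the partner."""
    rows = json.loads(body).get("results", [])
    return [{f: row.get(f, "") for f in FIELDS} for row in rows]


def pull_events(token, account_number, urlopen=urllib.request.urlopen):
    """Run the search synchronously (exec_mode=oneshot) over the Splunk REST
    API using a Splunk authentication token and return the matching events.
    `urlopen` is injectable so the call can be exercised without a server."""
    params = urllib.parse.urlencode({
        "search": build_search(account_number),
        "exec_mode": "oneshot",
        "output_mode": "json",
    }).encode()
    req = urllib.request.Request(
        SPLUNK_BASE + "/services/search/jobs", data=params, method="POST",
        headers={"Authorization": "Bearer " + token})
    with urlopen(req) as resp:
        return parse_results(resp.read())
```

In production the SPL would usually be locked into a saved report that the partner's role is allowed to dispatch, so the token grants no more than the search it needs.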
I will only add again that there are many caveats that you have to watch for with such asynchronous data transfers, typically resulting in either data loss or duplicate data. The lower the delay you want to achieve in your "forwarding", the higher the probability of such stuff happening. On the other hand - the lower the frequency with which you search Splunk, the more results you have to store.
So it's a more complicated topic than "how to query Splunk".
Yes, I agree with you. I will reach out to you and @ITWhisperer if needed. Thank you so much both of you again, truly appreciate your support in these efforts.