REST Data Inputs

Kendo213
Communicator

I'm running Splunk Enterprise 6.6.4 and have several REST inputs added under Settings > Data Inputs > REST.

I'm noticing in the internal logs that many other add-ons that also leverage the REST API are attempting to make calls utilizing these inputs.

For example, I have a REST input I created called 'Storage01CPU' that has an endpoint URL that goes directly to the storage array with parameters to pull in CPU usage. We also have a Falcon Crowdstrike TA add-on installed (Splunk supported) on this search head that queries the Crowdstrike cloud API to pull in events.

I see this in the _internal logs: splunk-system-user [18/Jun/2018:13:59:45.827 -0500] "GET /services/data/inputs/falcon_host_api/Storage01CPU HTTP/1.0" 404 155 - - - 76ms

It's doing this for many other things as well, thus resulting in a ton of 404s. Any ideas?

0 Karma

Kendo213
Communicator

Any ideas?

0 Karma

Damien_Dallimor
Ultra Champion

Have you contacted Splunk support about the supported Falcon Crowdstrike TA add-on, as your 404 error above is from this app's inputs (falcon_host_api)?

0 Karma

Damien_Dallimor
Ultra Champion

These are internal calls to Splunk's management REST API, not outgoing calls. Also, these are not logs generated by the REST API Mod Input.

A 404 is "not found". It would appear that Splunk is trying to find an internal REST endpoint for a "Storage01CPU" stanza that lives in the "falcon_host_api" app context.

When you set up your REST stanzas, under what app/user context did you create them? I.e., look where the inputs.conf file lives (find/grep for it on your filesystem).

0 Karma

Kendo213
Communicator

I was logged in as my admin account, and went to Settings > Data Inputs > REST > Add New

I then added a new input per statistic I wanted to pull from the storage array. It contacts the storage array using a service account.

It shouldn't be in any way associated with any other app on the server ;\ I set a manual source type of dell:emc on the REST API input. The inputs.conf is located in search/local/inputs.conf.

0 Karma
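
To size the pattern described in this thread, the added example below (not code from any poster or from Splunk) counts 404s on `/services/data/inputs/<type>/<stanza>` where the stanza is defined in inputs.conf under a different input type than the one requested. The log lines and inputs.conf text are constructed samples; the `rest://` stanza scheme and the `Storage01Mem` and `NoSuchInput` names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed inputs.conf content; only the stanza headers matter here.
# The "rest" scheme and the Storage01Mem stanza are assumptions.
SAMPLE_CONF = """\
[rest://Storage01CPU]
sourcetype = dell:emc

[rest://Storage01Mem]
sourcetype = dell:emc
"""

# Constructed log lines in the format quoted in the thread.
SAMPLE_LOG = """\
splunk-system-user [18/Jun/2018:13:59:45.827 -0500] "GET /services/data/inputs/falcon_host_api/Storage01CPU HTTP/1.0" 404 155 - - - 76ms
splunk-system-user [18/Jun/2018:13:59:45.901 -0500] "GET /services/data/inputs/falcon_host_api/Storage01Mem HTTP/1.0" 404 155 - - - 3ms
splunk-system-user [18/Jun/2018:14:00:45.830 -0500] "GET /services/data/inputs/falcon_host_api/Storage01CPU HTTP/1.0" 404 155 - - - 70ms
splunk-system-user [18/Jun/2018:14:00:46.010 -0500] "GET /services/data/inputs/rest/Storage01CPU HTTP/1.0" 200 4521 - - - 12ms
splunk-system-user [18/Jun/2018:14:00:47.002 -0500] "GET /services/data/inputs/falcon_host_api/NoSuchInput HTTP/1.0" 404 155 - - - 2ms
"""

STANZA = re.compile(r"^\[([^:\]\s]+)://([^\]]+)\]", re.M)
# Matches both /services/... and /servicesNS/<user>/<app>/... forms.
REQUEST = re.compile(
    r'"(?:GET|POST) /services(?:NS/[^/]+/[^/]+)?/data/inputs/'
    r'([^/\s?]+)/([^/\s?]+)[^"]*" (\d{3}) ')

def defined_inputs(conf_text):
    """Map stanza name -> set of input types (schemes) it is defined under."""
    found = {}
    for scheme, name in STANZA.findall(conf_text):
        found.setdefault(name.strip(), set()).add(scheme)
    return found

def cross_type_404s(log_text, defined):
    """Count 404s where a known stanza was requested under a type it is not defined for."""
    hits = Counter()
    for req_type, raw_name, status in REQUEST.findall(log_text):
        name = unquote(raw_name)
        owners = defined.get(name, set())
        if status == "404" and owners and req_type not in owners:
            hits[(req_type, name, ",".join(sorted(owners)))] += 1
    return hits

if __name__ == "__main__":
    result = cross_type_404s(SAMPLE_LOG, defined_inputs(SAMPLE_CONF))
    for (req, name, owner), n in result.most_common():
        print(f"{n:4d}  {name}: requested as {req}, defined as {owner}")
```

A 404 for a stanza that is not defined anywhere (here `NoSuchInput`) is left out, so the output isolates lookups made against the wrong input type.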