REST Data Inputs

Kendo213
Communicator

I'm running Splunk Enterprise 6.6.4 and have several REST inputs added under Settings > Data Inputs > REST.

I'm noticing in the internal logs that many other add-ons that also leverage the REST API are attempting to make calls utilizing these inputs.

For example, I have a REST input I created called 'Storage01CPU' that has an endpoint URL that goes directly to the storage array with parameters to pull in CPU usage. We also have a Falcon Crowdstrike TA add-on installed (Splunk supported) on this search head that queries the Crowdstrike cloud API to pull in events.

I see this in the _internal logs: splunk-system-user [18/Jun/2018:13:59:45.827 -0500] "GET /services/data/inputs/falcon_host_api/Storage01CPU HTTP/1.0" 404 155 - - - 76ms

It's doing this for many other things as well, thus resulting in a ton of 404s. Any ideas?

0 Karma

Kendo213
Communicator

Any ideas?

0 Karma

Damien_Dallimor
Ultra Champion

Have you contacted Splunk support about the supported Falcon Crowdstrike TA add-on, as your 404 error above is from this app's inputs (falcon_host_api)?

0 Karma

Damien_Dallimor
Ultra Champion

These are internal calls to Splunk's management REST API, not outgoing calls. Also, these are not logs generated by the REST API Mod Input.

A 404 is "not found". It would appear that Splunk is trying to find an internal REST endpoint for a "Storage01CPU" stanza that lives in the "falcon_host_api" app context.

When you set up your REST stanzas, under what app/user context did you create them? I.e., look where the inputs.conf file lives (find/grep for it on your filesystem).

0 Karma
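To size the problem described in the answer above, the following added example (not code from the thread or from any Splunk add-on) counts 404s in access-log lines where a known input stanza is requested under a different `data/inputs/<segment>` path. Assumptions: the `rest` segment name, the `Storage01Mem` stanza and every sample line except the one quoted in the question are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request + status portion of an access-log line in the format quoted in the
# question; also accepts the namespaced /servicesNS/<user>/<app>/ form.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) /services(?:NS/[^/]+/[^/]+)?/data/inputs/'
    r'(?P<kind>[^/\s?]+)/(?P<stanza>[^/\s?]+)[^"]*" (?P<status>\d{3}) '
)

# Stanza name -> path segment it is expected under. Assumption: fill this from
# your own inputs.conf; "rest" and "Storage01Mem" are constructed values.
OWNED = {"Storage01CPU": "rest", "Storage01Mem": "rest"}

# First line is the one from the question; the rest are constructed samples.
SAMPLE = [
    'splunk-system-user [18/Jun/2018:13:59:45.827 -0500] "GET /services/data/inputs/falcon_host_api/Storage01CPU HTTP/1.0" 404 155 - - - 76ms',
    'splunk-system-user [18/Jun/2018:13:59:45.901 -0500] "GET /services/data/inputs/falcon_host_api/Storage01Mem HTTP/1.0" 404 155 - - - 3ms',
    'splunk-system-user [18/Jun/2018:13:59:46.010 -0500] "GET /services/data/inputs/rest/Storage01CPU HTTP/1.0" 200 4120 - - - 5ms',
    'splunk-system-user [18/Jun/2018:14:00:45.830 -0500] "GET /services/data/inputs/falcon_host_api/Storage01CPU HTTP/1.0" 404 155 - - - 70ms',
    'splunk-system-user [18/Jun/2018:14:00:46.000 -0500] "GET /services/server/info HTTP/1.0" 200 900 - - - 2ms',
]


def foreign_404s(lines, owned):
    """Count 404s where a known stanza is requested under another segment."""
    hits = Counter()
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or m["status"] != "404":
            continue  # not an input lookup, or the lookup succeeded
        kind, stanza = unquote(m["kind"]), unquote(m["stanza"])
        if stanza in owned and owned[stanza] != kind:
            hits[(kind, stanza)] += 1
    return hits


if __name__ == "__main__":
    for (kind, stanza), n in foreign_404s(SAMPLE, OWNED).most_common():
        print(f"{n:4d}  {stanza} requested under data/inputs/{kind}")
```
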

Kendo213
Communicator

I was logged in as my admin account, and went to Settings > Data Inputs > REST > Add New

I then added a new input per statistic I wanted to pull from the storage array. It contacts the storage array using a service account.

It shouldn't be in any way associated with any other app on the server ;\ I set a manual source type of dell:emc on the REST API input. The inputs.conf is located in search/local/inputs.conf.

0 Karma