I'm running Splunk Enterprise 6.6.4 and have several REST inputs added under Settings > Data Inputs > REST.
I'm noticing in the internal logs that many other add-ons that also leverage rest API are attempting to make calls utilizing these inputs.
For example, I have a REST input I created called 'Storage01CPU' that has an endpoint URL that goes directly to the storage array with parameters to pull in CPU usage. We also have a Falcon Crowdstrike TA add-on installed (Splunk supported) on this search head that queries the Crowdstrike cloud API to pull in events.
I see this in the internal logs: splunk-system-user [18/Jun/2018:13:59:45.827 -0500] "GET /services/data/inputs/falconhost_api/Storage01CPU HTTP/1.0" 404 155 - - - 76ms
It's doing this for many other things as well, thus resulting in a ton of 404s. Any ideas?
These are internal calls to Spunk's management REST API , not outgoing calls. Also, these are not logs generated by the REST API Mod Input.
A 404 is "not found". It would appear that Splunk is trying to find an internal rest endpoint for a "Storage01CPU" stanza that lives in the "falconhostapi" app context.
When you setup your REST stanzas , under what app/user context did you create them ? ie: look where the inputs.conf file lives (find/grep for it on your filesystem).
I was logged in as my admin account, and went to Settings > Data Inputs > REST > Add New
I then added a new input per statistic I wanted to pull from the storage array. It contacts the storage array using a service account.
It shouldn't be in any way associated with any other app on the server ;\ I set a manual source type of dell:emc on the REST API input. The inputs.conf is located in search/local/inputs.conf.