
REST Data Inputs

Communicator

I'm running Splunk Enterprise 6.6.4 and have several REST inputs added under Settings > Data Inputs > REST.

I'm noticing in the internal logs that many other add-ons that also leverage the REST API are attempting to make calls utilizing these inputs.

For example, I have a REST input I created called 'Storage01CPU' that has an endpoint URL that goes directly to the storage array with parameters to pull in CPU usage. We also have a Falcon Crowdstrike TA add-on installed (Splunk supported) on this search head that queries the Crowdstrike cloud API to pull in events.

I see this in the internal logs: splunk-system-user [18/Jun/2018:13:59:45.827 -0500] "GET /services/data/inputs/falconhost_api/Storage01CPU HTTP/1.0" 404 155 - - - 76ms

It's doing this for many other things as well, thus resulting in a ton of 404s. Any ideas?

0 Karma

Re: REST Data Inputs

Ultra Champion

These are internal calls to Splunk's management REST API, not outgoing calls. Also, these are not logs generated by the REST API Mod Input.

A 404 is "not found". It would appear that Splunk is trying to find an internal rest endpoint for a "Storage01CPU" stanza that lives in the "falconhostapi" app context.

When you set up your REST stanzas, under what app/user context did you create them? I.e., look where the inputs.conf file lives (find/grep for it on your filesystem).

0 Karma
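To see how widespread these internal lookups are, the access-log lines can be grouped by stanza name and by the input type each stanza was requested under. The following is an added example, not code from the thread or from Splunk; the sample lines are constructed in the format of the entry quoted in the question, and the input type names `rest` and `example_ta` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in the format of the log entry quoted in the question.
# Only the first line's request path comes from the thread; the rest are made up,
# including the input type names "rest" and "example_ta" (assumptions).
SAMPLE = """\
splunk-system-user [18/Jun/2018:13:59:45.827 -0500] "GET /services/data/inputs/falconhost_api/Storage01CPU HTTP/1.0" 404 155 - - - 76ms
splunk-system-user [18/Jun/2018:13:59:45.901 -0500] "GET /services/data/inputs/rest/Storage01CPU HTTP/1.0" 200 4312 - - - 12ms
splunk-system-user [18/Jun/2018:13:59:46.010 -0500] "GET /services/data/inputs/falconhost_api/Storage01Mem HTTP/1.0" 404 155 - - - 70ms
splunk-system-user [18/Jun/2018:13:59:46.120 -0500] "GET /services/data/inputs/example_ta/Storage01Mem HTTP/1.0" 404 155 - - - 68ms
admin [18/Jun/2018:14:00:02.000 -0500] "GET /services/data/inputs/rest HTTP/1.0" 200 9120 - - - 20ms
""".splitlines()

# user [timestamp] "METHOD path PROTO" status ...; search() tolerates a leading prefix.
LINE = re.compile(r'(?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Matches both /services/data/inputs/<type>/<stanza> and the /servicesNS/<user>/<app>/ form.
INPUT = re.compile(r'/data/inputs/(?P<type>[^/?]+)/(?P<stanza>[^/?]+)')

def stanza_lookups(lines):
    """Map stanza name -> input types it was found (200) or missing (404) under."""
    seen = defaultdict(lambda: {"found": set(), "missing": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        p = INPUT.search(m["path"])
        if not p:
            continue  # list call for a whole input type, no stanza in the path
        status = int(m["status"])
        bucket = "missing" if status == 404 else "found" if status == 200 else None
        if bucket:
            seen[unquote(p["stanza"])][bucket].add(p["type"])
    return seen

def misrouted(lines):
    """Stanzas that drew a 404: (types that returned 404, types that returned 200)."""
    return {s: (sorted(v["missing"]), sorted(v["found"]))
            for s, v in sorted(stanza_lookups(lines).items()) if v["missing"]}

if __name__ == "__main__":
    for stanza, (missing, found) in misrouted(SAMPLE).items():
        print(f"{stanza}: 404 under {missing}; exists under {found or 'no type seen in log'}")
```
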

Re: REST Data Inputs

Communicator

I was logged in as my admin account, and went to Settings > Data Inputs > REST > Add New

I then added a new input per statistic I wanted to pull from the storage array. It contacts the storage array using a service account.

It shouldn't be in any way associated with any other app on the server ;\ I set a manual source type of dell:emc on the REST API input. The inputs.conf is located in search/local/inputs.conf.

0 Karma

Re: REST Data Inputs

Communicator

Any ideas?

0 Karma

Re: REST Data Inputs

Ultra Champion

Have you contacted Splunk support about the supported Falcon Crowdstrike TA add-on, as your 404 error above is from this app's inputs (falconhostapi)?

0 Karma