Hi,
We are currently planning an automated deployment of Splunk in our VPCs on AWS. To do this, we need to configure the Splunk Add-on for Amazon Web Services via API. So, it would be great if we could see the documentation for the API.
So the question is: How can I access the REST API and find out what are the allowed operations for the Splunk Add-on for Amazon Web Services?
Thanks,
Igor
I just had the same problem as you, and I found this endpoint: https://localhost:8089/servicesNS/nobody/Splunk_TA_aws
I am poking around this endpoint with curl and jq, for which I've defined this handy shell function:
    req() { curl -ku admin:changeme "$1?output_mode=json" | jq -C . | less -R; }
(of course, you'll have to adjust the admin/changeme passwords to suit your deployment).
Then,
    req https://localhost:8089/servicesNS/nobody/Splunk_TA_aws
to discover all the query endpoints that the AWS add-on REST API supports. You'll see, for example:
    {
        "name": "splunk_ta_aws_iam_roles",
        "id": "https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
        "updated": "2018-01-26T10:08:27+00:00",
        "links": {
            "alternate": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
            "create": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new",
            "list": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
            "_acl": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_acl"
        },
        "author": "system",
        "acl": {
            "app": "",
            "can_list": true,
            "can_write": true,
            "modifiable": false,
            "owner": "system",
            "perms": null,
            "removable": false,
            "sharing": "system"
        },
        "content": {
            "eai:acl": null
        }
    },
The "links" section here takes you to other endpoints that you can use, and you can, for example, make a GET request on the "create" endpoint to figure out the parameters that it takes.
As a side note, I'm pretty sure there are no guarantees on backwards/forwards-compatibility here, but I super feel your pain re. having to set up machines automatically, so it looks like this is the best way to set things up automatically for now.
I was provided some specific documentation on this REST API, you may find this helpful: http://splunkservices.io/downloads/PROD-AWSAdd-on4.0.0ConfigurationRESTAPIReference-210417-1515-50.p...
I'm planning to make a Terraform provider for this API at some point, as I suspect many may find it helpful.
@mcluver any chance you have the updated URL for where this documentation moved to?
I am currently working on automating adding our accounts into the AWS addon as well as keeping the accounts up to date and having some trouble. I think this info would help. Thanks!
Check out the tools found in Splunk_TA_aws/bin/tools/configure. This will provide you with a CLI approach to add IAM roles by using your custom-created JSON files for your configurations.
You can run something like the following:
    /opt/splunk/bin/splunk cmd python aws_config_cli.py iam-role create --config-file description_input.json --hostname localhost
This will expect your description_input.json file and a separate splunk-info.json file that contains your authentication information. Unfortunately it doesn't look like you can specify a file/location name for splunk-info.json, so it needs to reside in the same directory as the aws_config_cli.py script.
One additional note that tripped me up: To create an object, you POST to the plain endpoint, not the one ending in /_new, so for example POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles - not POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new!
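Added example, not part of any post in this thread and not Splunk's own code: a Python sketch of the discovery flow described above, turning the "links" and "acl" of each listed entry into the calls to make, including the rule that creation is a POST to the path without /_new. The function names, the top-level "entry" envelope, the form-encoded POST body and the ca_file argument (verifying the server certificate where the thread's curl used -k) are assumptions.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

BASE = "https://localhost:8089"  # management port used in the thread
APP = "/servicesNS/nobody/Splunk_TA_aws"

# Constructed sample: the entry quoted in the thread, wrapped in the top-level
# "entry" list of an output_mode=json response (assumed envelope).
SAMPLE = json.dumps({"entry": [{
    "name": "splunk_ta_aws_iam_roles",
    "links": {"alternate": APP + "/splunk_ta_aws_iam_roles",
              "create": APP + "/splunk_ta_aws_iam_roles/_new",
              "list": APP + "/splunk_ta_aws_iam_roles",
              "_acl": APP + "/splunk_ta_aws_iam_roles/_acl"},
    "acl": {"can_list": True, "can_write": True},
}]})

def plan_operations(listing_json, base=BASE):
    """Map each endpoint name to the HTTP calls its links and acl allow."""
    plan = {}
    for entry in json.loads(listing_json).get("entry", []):
        links, acl = entry.get("links") or {}, entry.get("acl") or {}
        ops = {}
        if "list" in links and acl.get("can_list"):
            ops["list"] = ("GET", base + links["list"])
        new = links.get("create", "")
        if new.endswith("/_new") and acl.get("can_write"):
            # GET on .../_new describes the parameters; the object itself is
            # created by POSTing to the same path without the /_new suffix.
            ops["describe"] = ("GET", base + new)
            ops["create"] = ("POST", base + new[:-len("/_new")])
        plan[entry["name"]] = ops
    return plan

def build_request(method, url, user, password, fields=None):
    """Authenticated request; fields are form-encoded (assumed) for POST."""
    body = urllib.parse.urlencode(fields).encode() if fields else None
    req = urllib.request.Request(url + "?output_mode=json", data=body, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req

def send(req, ca_file):
    """Send with certificate verification against ca_file instead of curl -k."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()
```

Pass the credentials to build_request from the environment or a secrets store rather than hard-coding them in the deployment script.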