Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

Igor1984
Engager

Hi,

We are currently planning an automated deployment of Splunk in our VPCs on AWS. To do this, we need to configure the Splunk Add-on for Amazon Web Services via API. So, it would be great if we could see the documentation for the API.
So the question is: How can I access the REST API and find out what are the allowed operations for the Splunk Add-on for Amazon Web Services?

Thanks,
Igor

1 Solution

asf_stripe
Explorer

I just had the same problem as you, and I found this endpoint: https://localhost:8089/servicesNS/nobody/Splunk_TA_aws

I am poking around this endpoint with curl and jq, which I've defined this handy shell function for: req() { curl -ku admin:changeme "$1?output_mode=json" | jq -C . | less -R; } (of course, you'll have to adjust the admin/changeme passwords to suit your deployment).

Then, req https://localhost:8089/servicesNS/nobody/Splunk_TA_aws to discover all the query endpoints that the AWS add-on REST API supports. You'll see, for example:

{
  "name": "splunk_ta_aws_iam_roles",
  "id": "https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
  "updated": "2018-01-26T10:08:27+00:00",
  "links": {
    "alternate": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
    "create": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new",
    "list": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
    "_acl": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_acl"
  },
  "author": "system",
  "acl": {
    "app": "",
    "can_list": true,
    "can_write": true,
    "modifiable": false,
    "owner": "system",
    "perms": null,
    "removable": false,
    "sharing": "system"
  },
  "content": {
    "eai:acl": null
  }
},

The links section here takes you to other endpoints that you can use, and you can, for example, make a GET request on the "create" endpoint to figure out the parameters that it takes.

As a side note, I'm pretty sure there are no guarantees on backwards/forwards-compatibility here, but I super feel your pain re. having to set up machines automatically, so it looks like this is the best way to set things up automatically for now.

0 Karma

mcluver
Path Finder

I was provided some specific documentation on this REST API; you may find this helpful: http://splunkservices.io/downloads/PROD-AWSAdd-on4.0.0ConfigurationRESTAPIReference-210417-1515-50.p...

I'm planning to make a Terraform provider for this API at some point, as I suspect many may find it helpful.

0 Karma

we553
Engager

@mcluver any chance you have the updated URL on where this documentation moved to?

I am currently working on automating adding our accounts into the AWS addon as well as keeping the accounts up to date and having some trouble. I think this info would help. Thanks!

0 Karma

drutstein
Explorer

Check out the tools found in Splunk_TA_aws/bin/tools/configure. This will provide you with a CLI approach to add IAM roles by using your custom-created JSON files for your configurations.

You can run something like the following:

/opt/splunk/bin/splunk cmd python aws_config_cli.py iam-role create --config-file description_input.json --hostname localhost

This will expect your description_input.json file and a separate splunk-info.json file that contains your authentication information. Unfortunately it doesn't look like you can specify a file/location name for splunk-info.json so it needs to reside in the same directory as the aws_config_cli.py script.

0 Karma

asf_stripe
Explorer

One additional note that tripped me up: To create an object, you POST to the plain endpoint, not the one ending in /_new, so for example POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles - not POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new!

0 Karma
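
The discovery steps in asf_stripe's two posts above, as an added Python example (not part of the original thread and not Splunk's code): it reads an endpoint listing and derives, per endpoint, which requests the entry permits, including the POST-to-plain-endpoint rule for creation. Assumptions: the listing wraps entries in an `entry` array, the `acl` flags are read as the gate for each operation, the second sample entry and the `SPLUNK_USER` / `SPLUNK_PASS` variable names are hypothetical, and `fetch` verifies the server certificate instead of using `curl -k`.

```python
import base64, json, os, ssl, urllib.request

BASE = "/servicesNS/nobody/Splunk_TA_aws"
# Constructed sample: the first entry mirrors the one quoted in the thread,
# the second is hypothetical. The "entry" envelope key is an assumption.
SAMPLE = {"entry": [
    {"name": "splunk_ta_aws_iam_roles",
     "links": {"list": BASE + "/splunk_ta_aws_iam_roles",
               "create": BASE + "/splunk_ta_aws_iam_roles/_new"},
     "acl": {"can_list": True, "can_write": True}},
    {"name": "example_read_only",
     "links": {"list": BASE + "/example_read_only",
               "create": BASE + "/example_read_only/_new"},
     "acl": {"can_list": True, "can_write": False}},
]}

def fetch(url, ca_file=None):
    """GET a management-port URL as JSON, verifying the server certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays on
    # SPLUNK_USER / SPLUNK_PASS are assumed variable names, not Splunk's.
    cred = (os.environ["SPLUNK_USER"] + ":" + os.environ["SPLUNK_PASS"]).encode()
    req = urllib.request.Request(url + "?output_mode=json")
    req.add_header("Authorization", "Basic " + base64.b64encode(cred).decode())
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def allowed_operations(listing):
    """Map each endpoint name to the (method, path) pairs its entry permits."""
    result = {}
    for entry in listing.get("entry", []):
        links, acl = entry.get("links") or {}, entry.get("acl") or {}
        ops = []
        if "list" in links and acl.get("can_list"):
            ops.append(("GET", links["list"]))
        create = links.get("create")
        if create:
            ops.append(("GET", create))  # describes the create parameters
            if acl.get("can_write"):
                # Objects are created by POSTing to the plain endpoint.
                plain = create[:-len("/_new")] if create.endswith("/_new") else create
                ops.append(("POST", plain))
        result[entry["name"]] = ops
    return result

if __name__ == "__main__":
    for name, ops in allowed_operations(SAMPLE).items():
        print(name, ops)
```

Against a live instance, pass the result of `fetch("https://localhost:8089/servicesNS/nobody/Splunk_TA_aws", ca_file=...)` to `allowed_operations` in place of `SAMPLE`.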