Splunk Add-on for Amazon Web Services: How can I access the REST API and find out what are the allowed operations for the add-on?

Engager

Hi,

We are currently planning an automated deployment of Splunk in our VPCs on AWS. To do this, we need to configure the Splunk Add-on for Amazon Web Services via API. So, it would be great if we could see the documentation for the API.
So the question is: How can I access the REST API and find out what are the allowed operations for the Splunk Add-on for Amazon Web Services?

Thanks,
Igor

1 Solution

Engager

I just had the same problem as you, and I found this endpoint: https://localhost:8089/servicesNS/nobody/Splunk_TA_aws

I am poking around this endpoint with curl and jq, which I've defined this handy shell function for: req() { curl -ku admin:changeme "$1?output_mode=json" | jq -C . | less -R; } (of course, you'll have to adjust the admin/changeme passwords to suit your deployment).

Then, req https://localhost:8089/servicesNS/nobody/Splunk_TA_aws to discover all the query endpoints that the AWS add-on REST API supports. You'll see, for example:

    {
      "name": "splunk_ta_aws_iam_roles",
      "id": "https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
      "updated": "2018-01-26T10:08:27+00:00",
      "links": {
        "alternate": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
        "create": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new",
        "list": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
        "_acl": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_acl"
      },
      "author": "system",
      "acl": {
        "app": "",
        "can_list": true,
        "can_write": true,
        "modifiable": false,
        "owner": "system",
        "perms": null,
        "removable": false,
        "sharing": "system"
      },
      "content": {
        "eai:acl": null
      }
    },

The links section here takes you to other endpoints that you can use, and you can, for example, make a GET request on the "create" endpoint to figure out the parameters that it takes.

As a side note, I'm pretty sure there are no guarantees on backwards/forwards-compatibility here, but I super feel your pain re. having to set up machines automatically, so it looks like this is the best way to set things up automatically for now.

0 Karma

Path Finder

I was provided some specific documentation on this REST API, you may find this helpful: http://splunkservices.io/downloads/PROD-AWSAdd-on4.0.0ConfigurationRESTAPIReference-210417-1515-50.p...

I'm planning to make a Terraform provider for this API at some point, as I suspect many may find it helpful.

0 Karma

Engager

@mcluver any chance you have the updated URL on where this documentation moved to?

I am currently working on automating adding our accounts into the AWS addon as well as keeping the accounts up to date and having some trouble. I think this info would help. Thanks!

0 Karma

Explorer

Check out the tools found in Splunk_TA_aws/bin/tools/configure. This will provide you with a CLI approach to add IAM roles by using your custom-created JSON files for your configurations.

You can run something like the following:

/opt/splunk/bin/splunk cmd python aws_config_cli.py iam-role create --config-file description_input.json --hostname localhost

This will expect your description_input.json file and a separate splunk-info.json file that contains your authentication information. Unfortunately it doesn't look like you can specify a file/location name for splunk-info.json so it needs to reside in the same directory as the aws_config_cli.py script.

0 Karma

Engager

One additional note that tripped me up: To create an object, you POST to the plain endpoint, not the one ending in /_new, so for example POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles - not POST https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new!

0 Karma
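
An added example, not part of the thread and not the add-on's own code: it turns the discovery response from the accepted answer into a plan of requests, applying the last reply's point that creation is a POST to the plain endpoint while `/_new` is only read for its parameters. The `entry` wrapper around the sample, the `SPLUNK_USER`, `SPLUNK_PASSWORD` and `SPLUNK_CA_FILE` variable names and both function names are assumptions; the request builder verifies the server certificate instead of using `curl -k` and reads credentials from the environment instead of hard-coding them.

```python
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request

BASE = "https://localhost:8089"  # management port used in the thread

# Constructed sample: the entry shown in the answer (trimmed), wrapped in the
# "entry" list assumed for output_mode=json responses.
SAMPLE = json.dumps({"entry": [{
    "name": "splunk_ta_aws_iam_roles",
    "links": {
        "create": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/_new",
        "list": "/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles",
    },
    "acl": {"can_list": True, "can_write": True},
}]})


def plan_operations(discovery_json, base=BASE):
    """Map each discovered endpoint to (method, URL) pairs (hypothetical helper)."""
    ops = {}
    for entry in json.loads(discovery_json).get("entry", []):
        links, acl = entry.get("links", {}), entry.get("acl", {})
        item = {}
        if "list" in links and acl.get("can_list"):
            item["list"] = ("GET", base + links["list"])
        if "create" in links and acl.get("can_write"):
            # GET on .../_new describes the parameters; the object itself is
            # created by POSTing to the same path without /_new.
            item["describe_create"] = ("GET", base + links["create"])
            target = links["create"]
            if target.endswith("/_new"):
                target = target[:-len("/_new")]
            item["create"] = ("POST", base + target)
        ops[entry["name"]] = item
    return ops


def build_request(method, url, fields=None):
    """Return (Request, TLS context) with certificate verification enabled."""
    user, password = os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = urllib.parse.urlencode(fields).encode() if fields else None
    req = urllib.request.Request(f"{url}?output_mode=json", data=body, method=method)
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=os.environ.get("SPLUNK_CA_FILE"))
    return req, ctx
```

Pass the returned pair to `urllib.request.urlopen(req, context=ctx)`; with `SPLUNK_CA_FILE` unset the system trust store is used, so a self-signed Splunk certificate needs its CA file supplied there.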