All Apps and Add-ons

Splunk Stream: How to configure streams using REST API?

mathiask
Communicator

Hello Splunkers

There is a partial REST API documentation.
There is a lot of information missing.
http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/SplunkAppforStreamRESTAPI

We are really interested in configuring our streams using the REST API.
Especially, since we are unable to use the SDK, because we are using python3.

Current, urgent use case
We want to create, modify and delete streams

Greetings
Mathias

0 Karma

sumangala
Path Finder

A splunkd endpoint (Rest API) resides on port 8089 by default. In order to access these from code running in the browser, it needs to be “expose” setting in $SPLUNK_HOME/etc/system/default/web.conf. Or else it gives cross-origin prevention and CSRF protections in the browser.
To resolve this you are trying to send tokens for splunkweb_csrf_token_8000, splunkd_8000 and session_id_8000.
Actually these token are saved in your browser as cookies when u login to splunk web browser.
U need not to explicitly send in the request header. In turn, the browser will send these tokens in request header. U can see this in network section of browser.

0 Karma

sroback_splunk
Splunk Employee
Splunk Employee

hi. The Splunk Stream REST API docs have been updated with new request/response examples, parameter information, etc., for each operation. To use the /streams endpoint to create, modify, and delete streams, see: http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/SplunkAppforStreamRESTAPI#Strea...

HTH.

0 Karma

mathiask
Communicator

Hi

Thanks.

What I don't understand yet is how do I get the tokens
The /streams/ GET command comments
The cookies and x-splunk-form-key can be obtained from the GET request's response headers.

But when I run it I only get

$ curl -i -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test
HTTP/1.1 404 Not Found
Date: Wed, 15 Feb 2017 14:35:14 GMT
Content-Type: text/json;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 337
Vary: Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id_8000=ee2f22f1c69a96be792938a883934b541b503d89; expires=Thu, 16 Feb 2017 14:35:10 GMT; httponly; Path=/; secure
Server: Splunkd

{"status": 404, "error": "Stream with specified id not found", "success": false}

I assume that I can just take the sessionID for the cookie so

splunkd_8000=ee2f22f1c69a96be792938a883934b541b503d89

But when I look at the POST command I also need

  • splunkweb_csrf_token_8000=
  • X-Splunk-Form-Key:

Where do I get these from?

0 Karma

sroback_splunk
Splunk Employee
Splunk Employee

Hi. Just FYI:
The Stream REST API docs have been updated with instructions on how to generate the required tokens. See:
http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/SplunkAppforStreamRESTAPI#How_t...

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...