How to connect to Splunk server from Splunk ODBC driver using LDAP authenticated user

Communicator

Hi,
I have installed the Splunk ODBC driver on my desktop and I was able to connect to the Splunk Enterprise instance which is installed on my desktop.

I used the Splunk URL and admin/{password} to connect with the Splunk ODBC driver.

But when I try to connect to a Splunk Enterprise server which is installed on remote systems, it's not connecting.

Below are the details I am using:

Login ID - domain\userid
Password - {password}
Server URL - Splunk forwarder server and port

0 Karma

Influencer

For reference, the installation guide for the ODBC Driver is located at: https://docs.splunk.com/Documentation/ODBC/2.1.1/UseODBC/Installation

For Server URL -> You should be connecting to the Splunk API port of the search head. Typically this is https://searchhead.example.com:8089. This is not the Forwarder receiving port (typically 9997 on the indexers), nor the Splunk web port (typically http://searchhead.example.com:8000). Obviously these mentioned ports are defaults, so if your search heads are behind a load balancer, you'll need to adjust and connect to the load-balanced API host:port accordingly.

For Password -> Obviously the password of the domain account.

For Login Id -> This should be the same id that you use to log into the search head Splunk web interface for that account. The exact format of this depends on the Splunk LDAP configuration settings set up by your Splunk Administrator. For Active Directory, oftentimes logins are mapped to samAccountName, in which case you would simply use userid. Just as validly, however, Splunk could be configured to map userNameAttribute in authentication.conf to userPrincipalName, in which case you would likely use a string that looks like userid@domain.dns.name (but of course, depending on the AD architecture, it might be a DNS name of a related domain). DOMAIN\userid is most likely wrong, as I don't believe there is an attribute in LDAP that would contain this value on your account.

0 Karma

Communicator

I have a search head URL something like this. How can I find the port number from this URL?

https://splunk-search-sw-dev.can.ntroot.net/en-US/account/login

0 Karma

Influencer

You have to talk to your Splunk admins to see if they expose the API port, and how.

That URL tells us that the Web Interface is on port 443 (because we all know that https is port 443 by default), but it tells us nothing about the location of the API port that the ODBC Driver needs.

By default the Web API port is port 8089, but as your admins have changed the web default port, it's possible they changed the port for the API as well, or your search heads are being proxied by a load balancer and therefore the API is through a different host name/port.

0 Karma
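A way to check a candidate Server URL and Login ID before entering them in the ODBC driver, covering both the port and the login-format points made in the replies above. This is an added example, not code from the thread or from Splunk; it assumes the management API's `/services/auth/login` endpoint is reachable, and the function names and `searchhead.example.com` are illustrative.

```python
import getpass, ssl, sys
import urllib.error, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

# Defaults named in the thread; a deployment may have changed them.
NOT_API = {9997: "forwarder receiving port", 8000: "Splunk Web port",
           443: "HTTPS port (Splunk Web or a proxy)"}

def check_inputs(url, login_id):
    """Return warnings about a candidate ODBC Server URL and Login ID."""
    u = urllib.parse.urlsplit(url)
    problems = []
    if u.scheme != "https":
        problems.append("scheme should be https")
    port = u.port or (443 if u.scheme == "https" else 80)
    if port in NOT_API:
        problems.append(f"port {port} is the default {NOT_API[port]}, not the API")
    if u.path.strip("/"):
        problems.append("URL has a page path; the driver needs host:port only")
    if "\\" in login_id:
        problems.append("DOMAIN\\userid rarely maps to an LDAP attribute; "
                        "use the ID that works in Splunk Web")
    return problems

def parse_login_response(body):
    """Return the sessionKey from an auth/login reply, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # HTML from Splunk Web or a proxy, not the API
    return root.findtext("sessionKey")

def try_login(base_url, login_id, password, timeout=10):
    """POST credentials to the management API; True if a session key returns."""
    data = urllib.parse.urlencode({"username": login_id, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/services/auth/login", data=data)
    ctx = ssl.create_default_context()  # verification stays on; add your CA if private
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as r:
            return parse_login_response(r.read()) is not None
    except (urllib.error.URLError, OSError):
        return False  # refused, TLS failure, or HTTP 401 on bad credentials

if __name__ == "__main__":
    url, login_id = sys.argv[1], sys.argv[2]
    for p in check_inputs(url, login_id):
        print("warning:", p)
    ok = try_login(url, login_id, getpass.getpass())
    print("login ok" if ok else "login failed")
```

Run it as `python check_splunk.py https://searchhead.example.com:8089 userid`; the password is prompted for so it does not land in shell history.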