Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to call rest endpoint without authenticating?

amat
Explorer
‎03-24-2022 08:21 PM

I am in the process of writing a Splunk script that is going to overwrite the contents of a lookup file using REST. However, the issue I am hitting is how to authenticate against the REST endpoint.

I am planning on having Splunk running the script ( probably through inputs.conf). It would every x hours and update the lookup using a python script that calls an outside source. I can successfully call the outside source and parse the data, however I am stuck on how to overwrite the lookup table via REST. All examples of REST calls show passing credentials. I dont want to hardcode any admin creds on the script itself.

I found this article from splunk, but the REST section clearly shows they are passing creds. Are there any other ways to do this? 

https://www.splunk.com/en_us/blog/tips-and-tricks/store-encrypted-secrets-in-a-splunk-app.html

Any suggestions?

Labels (3)
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-25-2022 03:23 AM

You can't use REST without authentication.

https://docs.splunk.com/Documentation/Splunk/8.2.5/RESTUM/RESTusing#Authentication_and_authorization

You can fiddle with token-based authentication to reduce user's privileges as much as you can and store credentials for that user only.

0 Karma
Reply

amat
Explorer
‎03-25-2022 06:23 PM

So that is what I thought. But there are apps that will overwrite lookup tables or fetch credentials from Splunk's password store. How do those apps do that if they are not authenticating? Typically these apps are doing this via script so how are they able to overwrite files or use secretes without calling the password store? I didnt noticee any hardcoding of creds in their scripts. Also Splunk Cloud will scan these apps for creds so if they are Splunk Cloud certified, then that means they are somehow storing the creds in the secret store and calling it back whenever the script runs

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-26-2022 01:11 AM

OK. There are two sides to this story.

One is that if you call REST API you must authenticate (unless perhaps you're calling some public endpoints; I'm not sure if there are any).

But the other thing is that if you're using splunk SDK and run your script as modular input (in context of splunk process), splunk lib is able to authenticate itself and you don't have to worry about it.

At least that's what I understand from the docs - I did some fiddling with other people's scripts but I haven't created any from scratch yet.

See for example https://github.com/splunk/splunk-sdk-python/blob/master/examples/kvstore.py

In general, you manipulate kvstore with splunk.kvstore class.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...