Splunk Dev

Manipulate conf file through Splunk/Rest API

klausJohan
Path Finder

Hi,

Is there any experience around to be shared concerning how to programmatically manipulate (read, update) through Splunk API or REST API a custom conf file (say "myapp.conf").

Cheers

1 Solution

sowings
Splunk Employee
Splunk Employee

I'd start with trying the | rest search command in Splunk. It would at least tell you if your custom config file is reachable by the REST endpoint. Try: | rest /services/configs/conf-myapp (or optionally, constrain the app and user: | rest /servicesNS/admin/myapp/configs/conf-myapp).

Note that any POSTs to define settings don't have restrictions on the keys, that's up to your app to define. More docs about the POST (and an example) can be found here:

http://docs.splunk.com/Documentation/Splunk/6.0/RESTAPI/RESTconfig

View solution in original post

sowings
Splunk Employee
Splunk Employee

I'd start with trying the | rest search command in Splunk. It would at least tell you if your custom config file is reachable by the REST endpoint. Try: | rest /services/configs/conf-myapp (or optionally, constrain the app and user: | rest /servicesNS/admin/myapp/configs/conf-myapp).

Note that any POSTs to define settings don't have restrictions on the keys, that's up to your app to define. More docs about the POST (and an example) can be found here:

http://docs.splunk.com/Documentation/Splunk/6.0/RESTAPI/RESTconfig

klausJohan
Path Finder

Eventually it worked with curl also.

0 Karma

sowings
Splunk Employee
Splunk Employee

How did you issue the curl call?

I created a new config 'myconfig' and a corresponding 'myconfig.conf.spec' in the README subdir of my app. After that, I was able to

curl -k -u admin:pass https://127.0.0.1:8089/servicesNS/admin/fire_brigade/configs/conf-myconfig

I only mention the README subdir because I didn't try it without. Did you get an error from the curl call? I got an XML response that contained the config key. Note also that I restarted Splunk after adding the config file and the README/myconfig.conf.spec. I'm not sure if that was required, but....

0 Karma

klausJohan
Path Finder

Yes, through "| rest ..." I can see my conf file. But the get/post request with curl or from the browser return no result

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...