For Splunk API requests, are authentication tokens needed?

asmyth1995
Explorer

Hello

I was reading about making requests to the Splunk API. According to the link below, when making a request the username (admin) and password (pass) need to be included in the request, as seen below:

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/-/alerts/alert_actions

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/RESTREF/RESTsearch#search.2Fjobs

However there was another link mentioning that authentication tokens are needed to make API requests.

curl -H "Authorization: <type> <token>" -X <method> https://<instance host name or IP address>:<management port>/<REST endpoint> -d <data...> [-d <data...>...]

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Security/UseAuthTokens

Can the first API request only be used by admins, and is the second request only given to users granted access by admins, where they are given authentication tokens?

0 Karma

isoutamo
SplunkTrust

Hi

The 1st request can be used by any user who has access to REST queries.

One note: when you write "-u <user:pass>" on the command line, anyone on that node can see it in the process list and in your history if they have enough power for that! For that reason it's better to put those into a variable and then use it on the command line. You can do it like this on the *nix command line.

read VarUserPass
admin:changeme
^D
curl -k -u "$VarUserPass" https://localhost:8089/servicesNS/admin/-/alerts/alert_actions

 

The 2nd one can be used by any users (including admins) who have a valid authentication token assigned to them.

r. Ismo

0 Karma
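Added example, not part of the answer above or of Splunk's documentation: a shell variable is expanded before curl starts, so its value still reaches curl's argument list. This sketch instead feeds either the user:pass pair or an authentication token to curl through `--config -` on stdin. The function names and `SPLUNK_SECRET` are hypothetical, and `Bearer` is assumed for the `<type>` placeholder in the question.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample values are constructed.

# Escape backslash and double quote for a double-quoted curl config value.
curl_cfg_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit curl config text for one request.
#   $1 = basic | token   $2 = "user:pass" or the token   $3 = URL
# "Bearer" stands in for the <type> placeholder and is an assumption here.
splunk_curl_config() {
    mode=$1 secret=$2 url=$3
    case $mode in
        basic) printf 'user = "%s"\n' "$(curl_cfg_quote "$secret")" ;;
        token) printf 'header = "Authorization: Bearer %s"\n' \
                      "$(curl_cfg_quote "$secret")" ;;
        *)     echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    printf 'url = "%s"\n' "$(curl_cfg_quote "$url")"
}

# Prompt without echo, so the secret is neither displayed nor saved in history.
read_secret() {
    printf '%s' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r SPLUNK_SECRET
    stty echo 2>/dev/null
    printf '\n' >&2
}

# Send the request. printf is a builtin in bash and dash, so the secret only
# travels through pipes; curl's visible arguments are the fixed flags below.
# TLS verification stays on: add a 'cacert = "..."' line for a private CA.
splunk_rest_get() {
    splunk_curl_config "$1" "$2" "$3" | curl --silent --show-error --config -
}

# Usage (interactive):
#   read_secret 'user:pass: '
#   splunk_rest_get basic "$SPLUNK_SECRET" \
#       https://localhost:8089/servicesNS/admin/-/alerts/alert_actions
#   unset SPLUNK_SECRET
```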

asmyth1995
Explorer

Thank you very much for answering that. I was also checking the status codes for the REST API and it doesn't include a 429 status code. Do the GET requests to the saved/search query have any rate limits, or is there a max number of API calls that you can do in a day?

0 Karma

isoutamo
SplunkTrust

Unfortunately I don't know those limits, and personally I haven't even gotten those.

@gjanders @Brett do you have any experience with rate limits for REST calls?

0 Karma

gjanders
SplunkTrust

I'm unaware of any limits here... I haven't seen a documented limit for Splunk Cloud instances for REST API calls. There may be an AWS system that is helping to prevent a flood of traffic... (I'm not familiar with the actual Splunk Cloud build)
