Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can we use the Splunk API better?

ddrillic
Ultra Champion
‎03-08-2019 11:12 AM

We ended up mapping api-splunk.<company>.com to a certain search head. Our concern with giving it to the users is the fact that the search head captain is not aware of searches that hit the api-splunk.<company>.com end point and also because users might abuse the access.

Any ideas?

For one thing, I would like to set an alert for certain users that use the API and ensure that they don’t pass a certain threshold in the number of searches they invoke via the API access. How can I find out these searches given the user name?

Tags (2)
Reply

efavreau
Motivator
‎03-19-2019 06:43 AM

Counting your title, you asked three questions. However, the question I can answer is how to find out API searches based on a user name.

I built the following search from this answer: https://answers.splunk.com/answers/116285/how-can-i-audit-users-who-are-connected-through-rest-api.h...

Try this to find API users (substituting WHODIS with the username of the person you want to search for):

index=_internal sourcetype=splunkd_access NOT ( user="splunk-system-user" OR user="-") NOT clientip="127.0.0.1" user=WHODIS 
| rex field=uri_path "search/jobs/(?<search_id>[^/\?]+)" 
| eval search_id="'"+coalesce(search_id,id)+"'"
###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply

maciep
Champion
‎03-09-2019 05:55 AM

do you have a load balancer in front of your shc? if so, is there a reason you don't load balance the api as well?

You may be able to tie the access logs to the audit logs but I'm not positive. Not sure if there is any sort of "this is an api" search in the logs or if you have to base it on connections to the management port?

Reply

ddrillic
Ultra Champion
‎03-12-2019 08:13 AM

Hi @maciep, we do have the load balancer in front of your shc. Not sure why the design is as such that the we hit only on sh for the api.

Interesting about the "this is an api" search...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...