Getting Data In

Is there a REST API call to rebuild the forwarder asset table?

sarahkrisher
New Member

Is there an API call that can rebuild the forwarder asset table as opposed to going into the Distributed Management Console settings and manually doing so through Splunk Web?


dd_msearles
Path Finder

I have a slightly different requirement where the missing forwarders would blow out due to constantly changing Citrix clients, so my first comment below about dismissing the "DMC Forwarder - Build Asset Table" is because it's appending to the existing table.

If you check the Job Activity page on the Monitoring Console you will see two jobs that show up:

1. DMC Forwarder - Build Asset Table
2. `dmc_re_build_forwarder_assets(48m)`

The first is scheduled to run every 15 minutes and can be ignored.
The second is the job that is initiated when you "Rebuild forwarder assets" (previous 24 hours defines the 48m sparkline argument); this is what we are interested in.
If you follow the bouncing ball you can figure out what it's doing yourself, to get you started:

```
# grep "dmc_re_build_forwarder_assets(1)" /opt/splunk/etc/apps/splunk_monitoring_console/default/macros.conf
[dmc_re_build_forwarder_assets(1)]
```

I'd then recommend you create a scheduled search with "dmc_re_build_forwarder_assets(48m)".
This can then be called via REST:

```
curl --silent -k -u admin https://localhost:8089/servicesNS/admin/splunk_monitoring_console/saved/searches/YOUR_SAVED_SEARCH/dispatch -d trigger_actions=1
```

If you're security conscious and want to put this into a then I'd recommend doing two things:
1. https://stackoverflow.com/questions/33794842/forcing-curl-to-get-a-password-from-the-environment/338...
2. Create a dedicated user and role

The role can be tightened and given just the below:
Restrict search terms: index=_internal sourcetype=splunkd
Capabilities: admin_all_objects, output_file, search
Available search indexes: _internal

I kept running into permission issues unless I gave the "admin_all_objects" capability. Not sure if I missed something or if this is due to some Monitoring Console magic.
The capabilities above are fairly locked down, so I feel like it is a reasonable compromise.

hexx
Splunk Employee

To rebuild the forwarder asset table, you simply have to run the "DMC Forwarder - Build Asset Table" saved search with earliest and latest times that cover the lookback period that you want to consider.

To do so from the REST API, you'd have to POST to the saved/searches/{name}/dispatch endpoint for this search - http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D.2...
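
The dispatch call from the two answers above, as an added example that is not code from either poster or from Splunk: it percent-encodes the saved search name, overrides the time range with `dispatch.earliest_time` / `dispatch.latest_time`, and hands the credentials to curl on stdin so the password never appears in the process list. The function names and the `SPLUNK_*` environment variables are assumptions, and it verifies TLS against a CA file rather than using `-k`.

```shell
#!/bin/sh
# Added example (not from the thread). SPLUNK_URL, SPLUNK_OWNER, SPLUNK_USER,
# SPLUNK_PASSWORD and SPLUNK_CA are hypothetical environment variable names.

# Percent-encode an ASCII saved-search name for use as one URL path segment,
# so spaces, slashes and parentheses cannot alter the request path.
urlencode() (
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}          # c = first character of s
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# Build the dispatch endpoint; owner defaults to "admin" as in the post above.
dispatch_url() {
  printf '%s/servicesNS/%s/splunk_monitoring_console/saved/searches/%s/dispatch' \
    "${SPLUNK_URL:-https://localhost:8089}" "${SPLUNK_OWNER:-admin}" "$(urlencode "$1")"
}

# Emit a curl config line with the credentials; backslashes and double quotes
# are escaped because curl parses the quoted value.
curl_auth_config() {
  esc=$(printf '%s:%s' "$1" "$2" | sed 's/[\\"]/\\&/g')
  printf 'user = "%s"\n' "$esc"
}

# Usage: dispatch_saved_search NAME EARLIEST LATEST
# printf is a shell builtin, so the password reaches curl only through the pipe.
dispatch_saved_search() (
  : "${SPLUNK_USER:?set SPLUNK_USER}" "${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD}"
  curl_auth_config "$SPLUNK_USER" "$SPLUNK_PASSWORD" |
    curl --silent --show-error --fail -K - \
      --cacert "${SPLUNK_CA:?set SPLUNK_CA to the CA bundle for splunkd}" \
      --data-urlencode "dispatch.earliest_time=$2" \
      --data-urlencode "dispatch.latest_time=$3" \
      --data-urlencode "trigger_actions=1" \
      "$(dispatch_url "$1")"
)

# Run only when arguments are given, for example:
#   ./rebuild.sh "DMC Forwarder - Build Asset Table" -24h now
if [ "$#" -ge 3 ]; then dispatch_saved_search "$1" "$2" "$3"; fi
```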
