Solved: REST API - How to?

jdunlea_splunk · ‎04-04-2012

I want to know the following in relation to the REST API:

Can we hit endpoints on UFs and LWFs?
What is the REST endpoint to check if an instance is alive?
Can we read a splunk log file from the file system itself using the REST API? EG: On a LWF, where we are not indexing any data, but we are writing to splunk logs files - Is there a way to view/query/tail the log files directly from the REST API?

Thanks!

John

ziegfried · ‎04-05-2012

1) Yes, depending on the following preconditions:

Network access is not blocked to the remote machine on port 8089
Remote login on splunkd is enabled on the UF/LWF (ie. an admin password has been set) see http://blogs.splunk.com/2010/07/19/introducing-allowremotelogin/

2) Probably any. Being able to connect to the splunkd webserver at all indicates the process is running.

3) Don't think so. You can forward the splunk logs to your indexer(s), though. Eg. by adding the following to the outputs.conf on your UF/LWF:

[tcpout]
forwardedindex.3.whitelist = _internal

ziegfried · ‎04-05-2012

1) Yes, depending on the following preconditions:

Network access is not blocked to the remote machine on port 8089
Remote login on splunkd is enabled on the UF/LWF (ie. an admin password has been set) see http://blogs.splunk.com/2010/07/19/introducing-allowremotelogin/

2) Probably any. Being able to connect to the splunkd webserver at all indicates the process is running.

3) Don't think so. You can forward the splunk logs to your indexer(s), though. Eg. by adding the following to the outputs.conf on your UF/LWF:

[tcpout]
forwardedindex.3.whitelist = _internal

jdunlea_splunk · ‎04-05-2012

Thank you Ziegfried! 🙂