Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setting up an ultra-light front-end instance for API request

sgerogia
New Member
‎10-29-2013 06:16 AM

Hello.

In our company we already have a Splunk 5 setup with multiple search heads and indexers.

What I would like to do is setup a local Splunk instance, which would just accept REST API requests, simply relay them to the existing search head(s) and return back results.
As minimum data as possible are to be maintained on this light instance; I like to think of it as a query proxy.

Does Splunk support this topology?

If yes, which settings in the light instance should I look into? Or perhaps some page in the online docs that I have missed?

Thank you,
S.

UPDATE:
I forgot to clarify that, for whatever historical/obscure reason, direct REST API access to the search heads has been disabled.

Tags (1)
0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-01-2013 10:11 AM

You have read this?

http://dev.splunk.com/view/rest-api-overview/SP-CAAADP8

0 Karma
Reply

sgerogia
New Member
‎11-01-2013 10:20 AM

This would obviously be better, I agree.
Namely, make a REST call to the local Splunk which would relay it to the remote search head. Do you know how to set the equivalent of the -uri switch in the API request?

0 Karma
Reply

sgerogia
New Member
‎11-01-2013 10:07 AM

I will (almost) answer my own question after some searching.

A (very brutal) way to do it is by using the CLI commands, namely
* Install Splunk locally and start its daemon
* Launch a query from the command line similar to splunk search 'earliest=-10m latest=-1m index=foo host="bar*" sourcetype="test" "some text" AND NOT "other" ' -uri https://remote-splunk:port

Downside is that the first time you are prompted for username/password of the remote host.

Obviously this will only work well for local scripting or batch jobs, not used by a high request-volume server/process.

I hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top