Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setting up an ultra-light front-end instance for API request

sgerogia
New Member
‎10-29-2013 06:16 AM

Hello.

In our company we already have a Splunk 5 setup with multiple search heads and indexers.

What I would like to do is setup a local Splunk instance, which would just accept REST API requests, simply relay them to the existing search head(s) and return back results.
As minimum data as possible are to be maintained on this light instance; I like to think of it as a query proxy.

Does Splunk support this topology?

If yes, which settings in the light instance should I look into? Or perhaps some page in the online docs that I have missed?

Thank you,
S.

UPDATE:
I forgot to clarify that, for whatever historical/obscure reason, direct REST API access to the search heads has been disabled.

Tags (1)
0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-01-2013 10:11 AM

You have read this?

http://dev.splunk.com/view/rest-api-overview/SP-CAAADP8

0 Karma
Reply

sgerogia
New Member
‎11-01-2013 10:20 AM

This would obviously be better, I agree.
Namely, make a REST call to the local Splunk which would relay it to the remote search head. Do you know how to set the equivalent of the -uri switch in the API request?

0 Karma
Reply

sgerogia
New Member
‎11-01-2013 10:07 AM

I will (almost) answer my own question after some searching.

A (very brutal) way to do it is by using the CLI commands, namely
* Install Splunk locally and start its daemon
* Launch a query from the command line similar to splunk search 'earliest=-10m latest=-1m index=foo host="bar*" sourcetype="test" "some text" AND NOT "other" ' -uri https://remote-splunk:port

Downside is that the first time you are prompted for username/password of the remote host.

Obviously this will only work well for local scripting or batch jobs, not used by a high request-volume server/process.

I hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top