Splunk Cloud Platform

How to get splunk event logs by using rest api?

tcsec2user
Explorer

Hi Team,

I'm using the Splunk Cloud REST API "/services/collector/event" to post data to Splunk Cloud. What is the GET API to fetch the data?

0 Karma

tcsec2user
Explorer

Thanks for your quick response. I have tried the same, just replacing my URL and credentials, but I'm getting the JSON response below.

My request:

curl -u test:test -k https://test:8088/services/search/jobs -d search="search *"

Response:

{
"text": "The requested URL was not found on this server.",
"code": 404
}

0 Karma

PickleRick
SplunkTrust

8088 != 8089 😉

0 Karma

VatsalJagani
SplunkTrust

😀

0 Karma

tcsec2user
Explorer

8089 is also not working.

0 Karma

VatsalJagani
SplunkTrust

@tcsec2user - What error are you getting with that?

0 Karma

tcsec2user
Explorer

I'm using the HEC method. I post the data to Splunk Cloud using this URL: https://localhost:8088/services/collector/event

Then I want to fetch that event data?

I'm using a token for authentication, not my username and password.

If I use 8089 as my port number it does not connect to the server.

Using 8088, https://localhost:8088/services/search/jobs?search="search *"

the response is

{
    "text": "The requested URL was not found on this server.",
    "code": 404
}

0 Karma

VatsalJagani
SplunkTrust

@tcsec2user -

  • Then you do a search with the management port:
    • https://localhost:8088/services/search/jobs?search="search *"
    • Two things need to be corrected here:
      • The port needs to be 8089.
        • You said "if I use 8089 as my port number it is not connected to server".
        • This could be because the management port is blocked for outside use on Splunk Cloud. I'm not 100% sure. Please check with Splunk Cloud support whether you need to use the management port for the REST API.
      • Second, search="search *" is not a URL parameter, so you need to make a POST request and send it as the body.

So start with access to the management port on your Splunk Cloud environment, and reach out to Splunk Cloud support.

I hope this helps!!!

0 Karma

VatsalJagani
SplunkTrust

Look at the port number it should be 8089.

8088 is the HEC port.

8089 is a management port.

(Though I'm not sure if management port on Splunk cloud would be publicly available or not.)

tcsec2user
Explorer

I changed and tried different port numbers, and in my global settings the port number is 8088.

0 Karma

VatsalJagani
SplunkTrust

@tcsec2user HEC is totally different from the REST API.

  • REST API is on 8089 (management port)
  • HEC is on 8088 port.
0 Karma

VatsalJagani
SplunkTrust

@tcsec2user - To fetch the data you need to execute an SPL search query through the REST API.

https://docs.splunk.com/Documentation/Splunk/9.0.0/RESTTUT/RESTsearches

  • First you need to post the search job:
    • curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search *"

  • Then you need to check its status.
  • Once it is done you can retrieve the results:
    • curl -u admin:changeme \
           -k https://localhost:8089/services/search/jobs/1258421375.19/results/ \
           --get -d output_mode=csv

You can also use Python Splunk SDK for this. - https://dev.splunk.com/view/python-sdk/SP-CAAAEBB 

 

I hope this helps!!!
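The three-step flow from the answer above (create the job with a POST on the management port 8089, poll its status, then fetch the results), as an added Python example that is not part of this thread, the Splunk docs, or the Splunk SDK. It uses only the standard library. The base URL, the credentials and the `index=_internal` query in the `__main__` block are assumptions; the JSON shapes the parsing helpers read are those of the `output_mode=json` responses of the job endpoints. Two practitioner points the thread touches on are built in: the query is sent as form data in the POST body rather than as a URL parameter, and a HEC token is not accepted here (the REST API takes HTTP Basic credentials or a Splunk authentication token in a Bearer header). Unlike the `curl -k` commands above, TLS verification stays on unless explicitly disabled for a lab instance.

```python
# Added example (not from the thread): run an SPL search through the Splunk REST API
# on the management port (8089), not the HEC port (8088), and read back the results.
# Assumptions: the management port is reachable and the credentials are a Splunk
# username/password or a Splunk authentication token. HEC tokens only work on
# /services/collector and are rejected by the search endpoints.
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

MGMT_BASE = "https://localhost:8089"  # assumed management URL; 8088 is HEC only
TERMINAL_STATES = {"DONE", "FAILED"}


def auth_header(user=None, password=None, token=None):
    """Authorization header: Bearer for a Splunk auth token, otherwise HTTP Basic."""
    if token:
        return {"Authorization": "Bearer " + token}
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def normalize_spl(spl):
    """The `search` job parameter wants a complete SPL string: a plain filter such
    as `index=main` needs the leading `search` command, while a generating command
    that starts with `|` is passed through unchanged."""
    spl = spl.strip()
    if spl.startswith("|") or spl.startswith("search "):
        return spl
    return "search " + spl


def parse_sid(body):
    """Job id from the POST /services/search/jobs?output_mode=json response."""
    return json.loads(body)["sid"]


def parse_dispatch_state(body):
    """dispatchState from GET /services/search/jobs/<sid>?output_mode=json."""
    return json.loads(body)["entry"][0]["content"]["dispatchState"]


def parse_results(body):
    """Result rows from GET /services/search/jobs/<sid>/results?output_mode=json."""
    return json.loads(body)["results"]


def _call(method, url, headers, data=None, verify_tls=True):
    """Minimal HTTPS helper. verify_tls=False is the equivalent of `curl -k` and
    should only be used against a lab instance with a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def run_search(spl, base=MGMT_BASE, user=None, password=None, token=None,
               verify_tls=True, poll_seconds=1.0, max_polls=120):
    hdr = auth_header(user, password, token)
    jobs = base + "/services/search/jobs"
    # 1. Create the job: POST with the query as form data in the body.
    sid = parse_sid(_call("POST", jobs, hdr,
                          {"search": normalize_spl(spl), "output_mode": "json"},
                          verify_tls))
    # 2. Poll dispatchState until the job reaches DONE or FAILED.
    job_url = f"{jobs}/{urllib.parse.quote(sid, safe='')}"
    state = None
    for _ in range(max_polls):
        state = parse_dispatch_state(
            _call("GET", job_url + "?output_mode=json", hdr, verify_tls=verify_tls))
        if state in TERMINAL_STATES:
            break
        time.sleep(poll_seconds)
    if state != "DONE":
        raise RuntimeError(f"search job {sid} ended in state {state}")
    # 3. Fetch all result rows (count=0 means no row limit).
    return parse_results(_call("GET", job_url + "/results?output_mode=json&count=0",
                               hdr, verify_tls=verify_tls))


if __name__ == "__main__":
    # Assumed lab credentials and query; verify_tls=False mirrors the `-k` in the thread.
    for row in run_search("index=_internal | head 3", user="admin",
                          password="changeme", verify_tls=False):
        print(row.get("_time"), row.get("sourcetype"))
```

The parsing helpers are separated from the HTTP call so they can be exercised against captured responses; a polling loop that only ever checks `isDone` would miss a job that ends in `FAILED`, which is why the loop watches `dispatchState` for both terminal states.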
