How to get splunk event logs by using rest api?

tcsec2user · ‎06-30-2022

Hi Team,

I'm using Splunk cloud REST API "/services/collector/event" used to post the data to Splunk cloud .what is the Get API for fetch the data ?

tcsec2user · ‎06-30-2022

Thanks for your quick response. I have tried same just I have replaced the my URL and credentials but im getting the this below json response

My request:

curl -u test:test -k https://test:8088/services/search/jobs -d search="search *"

Response:

{
"text": "The requested URL was not found on this server.",
"code": 404
}

tcsec2user · ‎06-30-2022

Thanks for your quick response. I have tried same just I have replaced the my URL and credentials but im getting the this below json response

My request:

curl -u test:test -k https://test:8088/services/search/jobs -d search="search *"

Response:

{
"text": "The requested URL was not found on this server.",
"code": 404
}

PickleRick · ‎06-30-2022

8088 != 8089 😉

VatsalJagani · ‎06-30-2022

😀

tcsec2user · ‎06-30-2022

8089 is also not working.

VatsalJagani · ‎06-30-2022

@tcsec2user - What error you are getting with that?

tcsec2user · ‎06-30-2022

Im using HEC method .I post the data to Splunk cloud using this URL https://localhost:8088/services/collector/event

then I want fetch that event data ?

I'm using token for authentications not using my username and password .

if I use 8089 as my port number it is not connected to server

using 8088 https://localhost:8088/services/search/jobs?search="search *"

the response is

{

"text": "The requested URL was not found on this server.",

"code": 404

}

VatsalJagani · ‎06-30-2022

@tcsec2user -

The first call is for HEC which you are doing is correct.
- I post the data to Splunk cloud using this URL https://localhost:8088/services/collector/event

Then you do a search with the management port:
- https://localhost:8088/services/search/jobs?search="search *"
- Two things need to be corrected here:
  - Port needs to be 8089
    - You said "if I use 8089 as my port number it is not connected to server"
    - This could be due to the management port could be blocked for outside use on the Splunk cloud. I'm not 100% sure. Please check with Splunk Cloud support that I need to use the management port for REST API.
  - Second, "search="search *" is not a param so you need to make a post request and send it as the body.

So start with access to the management port on your Splunk cloud environment, and reach out to Splunk cloud support.

I hope this helps!!!

VatsalJagani · ‎06-30-2022

Look at the port number it should be 8089.

8088 is the HEC port.

8089 is a management port.

(Though I'm not sure if management port on Splunk cloud would be publicly available or not.)

tcsec2user · ‎06-30-2022

I changed and tried different ports numbers and in my global setting is the port number is 8088

VatsalJagani · ‎06-30-2022

@tcsec2user HEC is totally different than REST API.

REST API is on 8089 (management port)
HEC is on 8088 port.

VatsalJagani · ‎06-30-2022

@tcsec2user - To fetch the data you need to execute the SPL search query through REST api.

https://docs.splunk.com/Documentation/Splunk/9.0.0/RESTTUT/RESTsearches

First you need to post the search job

curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search *"

Then you need to check it's status

curl -u admin:changeme -k https://localhost:8089/services/search/jobs/1258421375.19

Once successful you can retrieve the results

curl -u admin:changeme \
     -k https://localhost:8089/services/search/jobs/1258421375.19/results/ \
     --get -d output_mode=csv

You can also use Python Splunk SDK for this. - https://dev.splunk.com/view/python-sdk/SP-CAAAEBB

I hope this helps!!!

How to get splunk event logs by using rest api?

using Splunk Cloud

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?