Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting up the ACS API for accessing the Splunk Cloud REST API?

tomapatan
Communicator
‎04-03-2023 04:06 AM

I`m trying to query Splunk Cloud using the REST API so that I can export some data externally, however I`m not entirely sure how to download/install/configure the ACS Open API 3.0 specification. The Splunk documentation is a bit ambiguous.

I`m also unable to setup a new authentication token, receiving the error below. I`m using an admin account.

 

 

curl -u username:password -X POST https://admin.splunk.com/[myValidStackName]/adminconfig/v2/tokens
{"code":"401-unauthorized","message":"{\"messages\":[{\"type\":\"ERROR\",\"text\":\"Unauthorized\"}]}. Please refer https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSerrormessages for general troubleshooting tips."}

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2023 02:13 PM

Use the search/v2/jobs/export endpoint to fetch results.

Yes, you should be able to use tokens to authenticate a REST API call.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTUM/RESTusing#Authentication_and_authorization

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2023 06:51 AM

As the name implies, Admin Config Service (ACS) is for making administrative configuration changes to a Splunk Cloud stack.  It does not provide a means for exporting data.

The 401 error means the credentials supplied with the ACS request are incorrect.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tomapatan
Communicator
‎04-03-2023 01:50 PM

Thanks for the reply.

I`ve managed to create the token using a native user account and I can successfully query the Admin Config Services API, but I`m having issues getting data from the REST API, receiving a timed out message.

curl https://[myValidStackName].splunkcloud.com:8089/services/saved/searches/

Am I using the correct endpoint ?

Also, can the REST API  be queried using the token, or do I  have to provide credentials ?

Many thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2023 02:13 PM

Use the search/v2/jobs/export endpoint to fetch results.

Yes, you should be able to use tokens to authenticate a REST API call.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTUM/RESTusing#Authentication_and_authorization

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...