Splunk Dev

How to call rest endpoint without authenticating?

amat
Explorer

I am in the process of writing a Splunk script that is going to overwrite the contents of a lookup file using REST. However, the issue I am hitting is how to authenticate against the REST endpoint.

I am planning on having Splunk run the script (probably through inputs.conf). It would run every x hours and update the lookup using a Python script that calls an outside source. I can successfully call the outside source and parse the data; however, I am stuck on how to overwrite the lookup table via REST. All examples of REST calls show passing credentials. I don't want to hardcode any admin creds in the script itself.

I found this article from Splunk, but the REST section clearly shows they are passing creds. Are there any other ways to do this?

https://www.splunk.com/en_us/blog/tips-and-tricks/store-encrypted-secrets-in-a-splunk-app.html

Any suggestions?

0 Karma

PickleRick
SplunkTrust

You can't use REST without authentication.

https://docs.splunk.com/Documentation/Splunk/8.2.5/RESTUM/RESTusing#Authentication_and_authorization

You can fiddle with token-based authentication to reduce the user's privileges as much as you can and store credentials for that user only.

0 Karma

amat
Explorer

So that is what I thought. But there are apps that will overwrite lookup tables or fetch credentials from Splunk's password store. How do those apps do that if they are not authenticating? Typically these apps are doing this via script, so how are they able to overwrite files or use secrets without calling the password store? I didn't notice any hardcoding of creds in their scripts. Also, Splunk Cloud will scan these apps for creds, so if they are Splunk Cloud certified, then that means they are somehow storing the creds in the secret store and calling it back whenever the script runs.

0 Karma

PickleRick
SplunkTrust

OK. There are two sides to this story.

One is that if you call the REST API you must authenticate (unless perhaps you're calling some public endpoints; I'm not sure if there are any).

But the other thing is that if you're using the Splunk SDK and run your script as a modular input (in the context of the Splunk process), the Splunk lib is able to authenticate itself and you don't have to worry about it.

At least that's what I understand from the docs - I did some fiddling with other people's scripts but I haven't created any from scratch yet.

See for example https://github.com/splunk/splunk-sdk-python/blob/master/examples/kvstore.py

In general, you manipulate kvstore with splunk.kvstore class.

0 Karma
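
The modular-input case described in the answer above, as an added example that is not part of the original thread or of the Splunk SDK: splunkd writes an XML configuration containing a session key to the script's stdin, and the script presents that key in an `Authorization: Splunk` header instead of a stored username and password. The sample XML, the `lookup_sync` stanza and the `my_app` app name are constructed for illustration, and the request is built but not sent.

```python
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the XML splunkd writes to a modular input's stdin.
SAMPLE_STDIN = """<input>
  <server_host>sh01</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>CONSTRUCTED-SESSION-KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/lookup_sync</checkpoint_dir>
  <configuration>
    <stanza name="lookup_sync://hourly"/>
  </configuration>
</input>"""


def parse_input_config(xml_text):
    """Return (server_uri, session_key) from the modular-input stdin XML."""
    root = ET.fromstring(xml_text)
    uri = (root.findtext("server_uri") or "").strip()
    key = (root.findtext("session_key") or "").strip()
    if not uri or not key:
        raise ValueError("stdin XML lacks server_uri or session_key")
    if urllib.parse.urlsplit(uri).scheme != "https":
        raise ValueError("refusing to send a session key over a non-TLS URI")
    return uri, key


def build_request(server_uri, session_key, app="my_app"):
    """Build (not send) a GET for the secrets stored under a hypothetical app."""
    path = "/servicesNS/nobody/%s/storage/passwords" % urllib.parse.quote(app, safe="")
    url = server_uri.rstrip("/") + path + "?output_mode=json"
    req = urllib.request.Request(url, method="GET")
    # splunkd accepts a session key in this header form instead of user/password.
    req.add_header("Authorization", "Splunk " + session_key)
    return req


if __name__ == "__main__":
    # Under splunkd the XML arrives on stdin; fall back to the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    text = piped if piped.strip() else SAMPLE_STDIN
    request = build_request(*parse_input_config(text))
    print(request.get_method(), request.full_url)  # the session key is never printed
```

The session key carries the privileges of the user the input runs as, so keep it out of logs and events written by the script.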