Splunk Dev

Is there a reference listing all the EAI paths for all resource types?

sideview
SplunkTrust

Reverse engineering this stuff from the logs and existing usage in SplunkWeb's python code, I see a lot of things use the big flat 'admin/foo' paths to get/set data in EAI. However I also know vaguely from overhearing conversations at Splunk that this big flat list of 'admin/foo' endpoints is considered less than ideal and I thought I overheard that for each of them there is a more fundamental endpoint that we're all supposed to use.

And another data point is that I know that I can usually go to https://localhost:8089/servicesNS/admin/<app_name>/data, click past the stern security warnings from Firefox, and there I should be able to drive to the stuff I want.

Then once I've found it, it's easy to determine the proper EAI path by just looking at the browser URL.

The problem is that I can't find the 'proper' path for macros, and I can't find any path at all for extractions that are defined in props.conf

e.g.:

1) If I want to get a macro using the splunk.entity class in Python, the only path I know is 'admin/macros', as in

splunk.entity.getEntity("admin/macros", "my_macro_name", namespace="my_app_name", owner=splunk.auth.getCurrentUser()['name'])

2) And I have an extracted field that is defined in my app and I cannot find a way to get this at all from EAI. (Maybe it would be there if I had defined it over in transforms and merely referred to it from props?)

Thanks in advance for any and all help.

1 Solution

gkanapathy
Splunk Employee
  1. I'd suggest going to the manager/admin screen in the GUI (or doing something using the CLI if you prefer that), then looking at what pages are hit in the splunkd_access.log. I found: https://localhost:8089/servicesNS/-/search/admin/macros, which generalizes to https://localhost:8089/servicesNS/-/-/admin/macros, which I guess is what you have anyway, as it just incorporates the owner and the app namespace in the URL.
  2. https://localhost:8089/services/data/props/extractions, or the namespaced version at https://localhost:8089/servicesNS/-/-/data/props/extractions
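
An added example, not part of the original thread or of Splunk's own code: one way to apply the splunkd_access.log approach from the answer above, extracting the REST paths that succeeded and rewriting them in the /servicesNS/-/-/ form. The sample lines are constructed, their field layout is an assumption about the log format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Request part of an access-log line: "METHOD /path?query HTTP/x.y" status
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def parse_eai_request(line):
    """Return dict(method, status, owner, app, path), or None if the line
    is not a well-formed /services or /servicesNS request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = urlsplit(m.group("target")).path.strip("/").split("/")
    segments = [unquote(s) for s in raw]   # decode after splitting on "/"
    if "" in segments:                     # empty segment, e.g. missing app name
        return None
    if segments[0] == "servicesNS" and len(segments) > 3:
        owner, app, rest = segments[1], segments[2], segments[3:]
    elif segments[0] == "services" and len(segments) > 1:
        owner, app, rest = None, None, segments[1:]
    else:
        return None
    return {"method": m.group("method"), "status": int(m.group("status")),
            "owner": owner, "app": app, "path": "/".join(rest)}

def wildcard_urls(lines, base="https://localhost:8089"):
    """Distinct endpoints answered with a 2xx status, in all-owners/all-apps form."""
    seen = []
    for line in lines:
        req = parse_eai_request(line)
        if req and 200 <= req["status"] < 300:
            url = f"{base}/servicesNS/-/-/{req['path']}"
            if url not in seen:
                seen.append(url)
    return seen

# Constructed sample lines (not taken from a real log).
TS = "[12/May/2010:10:01:02.123 -0700]"
SAMPLE = [
    f'127.0.0.1 - admin {TS} "GET /servicesNS/admin/search/admin/macros?count=-1 HTTP/1.1" 200 4512 - - - 12ms',
    f'127.0.0.1 - admin {TS} "GET /services/data/props/extractions HTTP/1.1" 200 9120 - - - 30ms',
    f'127.0.0.1 - admin {TS} "GET /servicesNS/admin/my_app_name/admin/macros/my_macro_name HTTP/1.1" 200 811 - - - 4ms',
    f'127.0.0.1 - admin {TS} "GET /servicesNS/admin//data/props/extractions/ HTTP/1.1" 404 120 - - - 2ms',
]

if __name__ == "__main__":
    for url in wildcard_urls(SAMPLE):
        print(url)
```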

sideview
SplunkTrust

Yeah, for macros I can only find the admin/macros path, and I always thought those admin ones were hacks and not to be used. And for props I can't find anything. The URL in splunkd_access for the macros list page in manager is /servicesNS/admin//admin/data/props/extractions/, but the entity class only gives back 404s and 500s for any combination of those segments...
