Splunk Enterprise

Splunk API for SH bootstrap

MichelMichel
Engager

Hello everyone,

The Splunk API documentation does not mention it, but the endpoint "/services/shcluster/member/consensus/default/bootstrap?servers_list=<some_servers>" could be used in Splunk Enterprise version 9.3 to perform a SHCluster bootstrap manually from the API. However, this does not work in version 10.2 anymore, and there is no documentation mentioning it to my knowledge.

Does anyone know how this can be done from the API in 10.2?

Thanks

0 Karma
1 Solution

MichelMichel
Engager

For anyone having the same issue, the fix was as simple as forcing the REST API call to be a POST (such as using -X POST on curl or sending empty data).

It appears the API has changed to make this endpoint accept POST only, but the data (servers_list) is still passed as an encoded argument to the endpoint for some reason; perhaps it will change in some future update.

0 Karma
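The call the solution describes, written out as an added example (not code from the thread or from Splunk): an empty-body POST to the bootstrap endpoint with servers_list URL-encoded in the query string, plus a parser for the standard Splunk error body so the "requires POST" and "not supported by this handler" messages can be checked programmatically. The management port 8089, bearer-token authentication and the https://host:8089 member URI format are assumptions.

```python
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Undocumented endpoint from the thread; servers_list goes in the query string.
BOOTSTRAP_PATH = "/services/shcluster/member/consensus/default/bootstrap"

# Constructed sample of the standard Splunk REST error body (type="ERROR"),
# carrying the message the thread quotes for a GET against the 10.2 handler.
SAMPLE_ERROR_BODY = (
    '<response><messages><msg type="ERROR">'
    "The specified custom action of this endpoint requires POST"
    "</msg></messages></response>"
)


def build_bootstrap_url(mgmt_base, servers):
    """Build the bootstrap URL; servers are management URIs (assumed format
    https://host:8089) joined with commas and URL-encoded as servers_list."""
    query = urllib.parse.urlencode({"servers_list": ",".join(servers)})
    return f"{mgmt_base.rstrip('/')}{BOOTSTRAP_PATH}?{query}"


def build_bootstrap_request(mgmt_base, servers, token):
    """POST with an empty body: the thread found that is what the 10.2 handler
    accepts, while servers_list must stay in the query string, not the body."""
    url = build_bootstrap_url(mgmt_base, servers)
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Authorization", f"Bearer {token}")  # token auth is assumed
    return req


def parse_error_messages(body):
    """Return the texts of <msg type="ERROR"> entries in a Splunk error body."""
    root = ET.fromstring(body)
    return [m.text or "" for m in root.iter("msg") if m.get("type") == "ERROR"]


def bootstrap_cluster(mgmt_base, servers, token, verify_tls=True):
    """Send the bootstrap call; returns (http_status, error_messages)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = build_bootstrap_request(mgmt_base, servers, token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, []
    except urllib.error.HTTPError as err:
        return err.code, parse_error_messages(err.read().decode("utf-8", "replace"))
```

A non-empty error list from bootstrap_cluster() surfaces the handler's own complaint, which is what to compare against the messages quoted later in this thread.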


livehybrid
SplunkTrust

Hi @MichelMichel 

Are you able to check the logs when you do hit that endpoint?

What error code are you getting? 

Do you get any body content returned from the request? 

The issue with non-documented components such as this is that they aren't intended to be used outside of the internal Splunk process. If the URL/endpoint has changed in some way it may well be replaced with something different, or behave slightly differently (e.g. require an additional field) which Splunk internally might be sending but obviously we don't really know.

That being said, the URL (/shcluster/member/consensus/default/bootstrap) is referenced in $SPLUNK_HOME/etc/system/static/splunkrc_cmds.xml, which suggests to me it probably hasn't been removed entirely.


0 Karma

MichelMichel
Engager

Hi @livehybrid,

I don't see anything related in the logs; splunkd.log doesn't seem to log anything. The only thing I saw is the successful authentication in audit.log; I also unfortunately cannot share the full logs here.

When trying this endpoint I get the standard Splunk error body response format (type="ERROR") with the following message: "The specified custom action of this endpoint requires POST". The odd thing is that it does not seem to support POST requests, because the argument 'servers_list' is refused when passed as data (with the error "Argument '{'servers_list': '<value>'}' is not supported by this handler."). In version 9.3 the request worked normally when using GET.

The '$SPLUNK_HOME/etc/system/static/splunkrc_cmds.xml' file does mention it, and it has not changed between version 9.3 and 10.2, which is even more odd; the same command using the CLI has also not changed, so I guess I am missing something. If all else fails I can always set up some proxy to intercept the actual request made by the CLI, but I'd rather not.
I also understand that Splunk meant it as an internal handler and not a production endpoint, but this is a rather important feature which is very much needed in my particular use case.

Thank you for your help!

0 Karma