Hello everyone,
The Splunk API documentation does not mention it, but the endpoint "/services/shcluster/member/consensus/default/bootstrap?servers_list=<some_servers>" could be used in Splunk Enterprise version 9.3 to perform an SHCluster bootstrap manually from the API. However, this no longer works in version 10.2, and there is no documentation mentioning it to my knowledge.
Does anyone know how this can be done from the API in 10.2?
Thanks
Are you able to check the logs when you do hit that endpoint?
What error code are you getting?
Do you get any body content returned from the request?
The issue with undocumented components such as this is that they aren't intended to be used outside of the internal Splunk process. If the URL/endpoint has changed in some way it may well have been replaced with something different, or behave slightly differently (e.g. require an additional field) which Splunk internally might be sending but which we obviously don't really know.
That being said, the URL (/shcluster/member/consensus/default/bootstrap) is referenced in $SPLUNK_HOME/etc/system/static/splunkrc_cmds.xml, which suggests to me it probably hasn't been removed entirely.
Hi @livehybrid,
I don't see anything related in the logs; splunkd.log doesn't seem to log anything, and the only thing I saw is the successful authentication in audit.log. I also unfortunately cannot share the full logs here.
When trying this endpoint I get the standard Splunk error body response format (type="ERROR") with the following message: "The specified custom action of this endpoint requires POST". The odd thing is that it does not seem to support POST requests, because the argument 'servers_list' is refused when passed as data (with the error "Argument '{'servers_list': '<value>'}' is not supported by this handler."). In version 9.3 the request worked normally when using GET.
The '$SPLUNK_HOME/etc/system/static/splunkrc_cmds.xml' file does mention it, and it has not changed between version 9.3 and 10.2, which is even more odd; the same command using the CLI has also not changed, so I guess I am missing something. If all else fails I can always set up a proxy to intercept the actual request made by the CLI, but I'd rather not.
I also understand that it was meant by Splunk as an internal handler and not a production endpoint, but this is a rather important feature which is very much needed in my particular use case.
Thank you for your help!
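The answer above asks for the HTTP status code and response body, and the reply describes getting a "requires POST" message on GET and an "Argument ... is not supported" message on POST with form data. The following script is an added example (editor's code, not posted by anyone in the thread and not Splunk's own tooling) that probes one endpoint with the three request shapes a practitioner would want to compare side by side: GET with the argument in the query string, POST with the argument as form data, and POST with the argument in the query string and an empty body. That third variant is an assumption worth testing, not something the thread confirms works. It parses Splunk's standard error body, which is `<response><messages><msg type="ERROR">...</msg></messages></response>` by default and `{"messages":[{"type":"ERROR","text":"..."}]}` with `output_mode=json`, so that status code and message can be recorded for each attempt. The host `sh1:8089`, the `Authorization` header value (Splunk accepts `Bearer <token>` for authentication tokens and `Splunk <sessionKey>` for session keys), and the `servers_list` value are placeholders to replace.

```python
"""Probe a Splunk REST endpoint with GET and two POST shapes and parse the
standard Splunk error body. Added example, not code from the thread."""
import json
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def parse_splunk_messages(body: bytes, content_type: str = "") -> list:
    """Return [(type, text), ...] from a Splunk REST response body.

    Handles the default XML shape (<msg type="ERROR">...</msg>) and the
    output_mode=json shape ({"messages": [{"type": ..., "text": ...}]}).
    Anything unparseable yields an empty list rather than an exception.
    """
    text = body.decode("utf-8", errors="replace").strip()
    if not text:
        return []
    if "json" in content_type.lower() or text.startswith("{"):
        try:
            data = json.loads(text)
        except json.JSONDecodeError:
            return []
        return [(m.get("type", ""), m.get("text", "")) for m in data.get("messages", [])]
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []
    return [(msg.get("type", ""), (msg.text or "").strip()) for msg in root.iter("msg")]


def build_attempts(base_url: str, path: str, params: dict) -> list:
    """Plan the three request shapes as (method, url, body) tuples.

    body is None for GET, the urlencoded form for POST-with-data, and b""
    for POST-with-query-string (an assumption to test, not a known-good shape).
    """
    query = urllib.parse.urlencode(params)
    url = base_url.rstrip("/") + path
    return [
        ("GET", url + "?" + query, None),
        ("POST", url, query.encode("utf-8")),
        ("POST", url + "?" + query, b""),
    ]


def run_attempts(attempts: list, auth_header: str, verify_tls: bool = True,
                 timeout: int = 10) -> list:
    """Send each planned request and collect status code plus parsed messages.

    HTTPError is caught so that 4xx/5xx bodies (where Splunk puts its
    message) are parsed instead of lost.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Lab-only: Splunk's management port ships with a self-signed cert.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    results = []
    for method, url, body in attempts:
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("Authorization", auth_header)
        if body is not None:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
                status = resp.status
                ctype = resp.headers.get("Content-Type", "")
                raw = resp.read()
        except urllib.error.HTTPError as e:
            status = e.code
            ctype = e.headers.get("Content-Type", "")
            raw = e.read()
        results.append({"method": method, "url": url, "status": status,
                        "messages": parse_splunk_messages(raw, ctype)})
    return results


if __name__ == "__main__":
    # Usage: python probe.py https://sh1:8089 "Bearer <token>" "https://sh1:8089,https://sh2:8089"
    base, auth, servers = sys.argv[1], sys.argv[2], sys.argv[3]
    path = "/services/shcluster/member/consensus/default/bootstrap"  # endpoint from the thread
    planned = build_attempts(base, path, {"servers_list": servers})
    for r in run_attempts(planned, auth, verify_tls=False):
        print(f"{r['method']:4} {r['status']} {r['url']}")
        for mtype, mtext in r["messages"]:
            print(f"     {mtype}: {mtext}")
```

Compare the status code and message across the three rows; if only the query-string POST is rejected with a different message (or accepted), that narrows down where 10.2 expects the argument. The parser is also usable on the `output_mode=json` body if you append that parameter to `params`.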