Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Which instance should I send REST API to?

chenyt
Explorer
‎01-17-2022 08:20 AM

Hi, everyone.

I am new to Splunk. I have an environment with 3 nodes indexer cluster + cm + Search Head. I am wondering which instance I should send my request to when using REST API? 

I have checked API reference and API User tutorial, try to figure it out which endpoint for which instance, but no luck. It seems all HTTPS request send to localhost:8089?

Please help. Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎01-17-2022 08:26 AM

@chenyt 

You should send REST API requests to your search head: https://yourhostname:8089. In most cases, REST API access to the your indexers should be limited to other Splunk instances. Your search head provides the authentication and authorization configuration necessary to control access to your data.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chenyt
Explorer
‎01-17-2022 09:11 AM

@tscroggins @SinghK 

Thank you very much.

0 Karma
Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎01-17-2022 08:26 AM

@chenyt 

You should send REST API requests to your search head: https://yourhostname:8089. In most cases, REST API access to the your indexers should be limited to other Splunk instances. Your search head provides the authentication and authorization configuration necessary to control access to your data.

0 Karma
Reply
Solved! Jump to solution

chenyt
Explorer
‎01-17-2022 08:54 AM

@tscroggins 

Thanks for the reply.

Does that mean I don't need to bother which endpoint for which instance, just configure the authentication and authorization on Search Head then send all the REST API request to it?

 

0 Karma
Reply
Solved! Jump to solution

tscroggins
Influencer
‎01-17-2022 09:06 AM

@chenyt 

Yes, the configuration you define on the search head--users, roles, etc.--will be pushed to the indexers in a bundle used during the search. Different search heads can define different authentication and authorization settings.

Splunk security is decentralized. While you can and should define strict authorization settings on your indexers through configuration deployed by your cluster manager, your users should access the environment through the search head.

0 Karma
Reply
Solved! Jump to solution

SinghK
Builder
‎01-17-2022 09:01 AM

Yes, because SH will do the rest and fetch the results of you query. 

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top