Splunk Enterprise

Which instance should I send REST API to?

chenyt
Explorer

Hi, everyone.

I am new to Splunk. I have an environment with 3 nodes indexer cluster + cm + Search Head. I am wondering which instance I should send my request to when using REST API? 

I have checked API reference and API User tutorial, try to figure it out which endpoint for which instance, but no luck. It seems all HTTPS request send to localhost:8089?

Please help. Thanks.

0 Karma
1 Solution

tscroggins
Influencer

@chenyt 

You should send REST API requests to your search head: https://yourhostname:8089. In most cases, REST API access to the your indexers should be limited to other Splunk instances. Your search head provides the authentication and authorization configuration necessary to control access to your data.

View solution in original post

0 Karma

chenyt
Explorer

@tscroggins @SinghK 

Thank you very much.

0 Karma

tscroggins
Influencer

@chenyt 

You should send REST API requests to your search head: https://yourhostname:8089. In most cases, REST API access to the your indexers should be limited to other Splunk instances. Your search head provides the authentication and authorization configuration necessary to control access to your data.

0 Karma

chenyt
Explorer

@tscroggins 

Thanks for the reply.

Does that mean I don't need to bother which endpoint for which instance, just configure the authentication and authorization on Search Head then send all the REST API request to it?

 

0 Karma

tscroggins
Influencer

@chenyt 

Yes, the configuration you define on the search head--users, roles, etc.--will be pushed to the indexers in a bundle used during the search. Different search heads can define different authentication and authorization settings.

Splunk security is decentralized. While you can and should define strict authorization settings on your indexers through configuration deployed by your cluster manager, your users should access the environment through the search head.

0 Karma

SinghK
Builder

Yes, because SH will do the rest and fetch the results of you query. 

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...