Re: How to make rest search on one search head abl...

jaburke1 · ‎02-01-2022

If you have a dashboard that has a panel with a search like the one below:

| rest splunk_server=* /services/-/-/admin/......../appName/local
| table name splunk_server title

How can you make it so that it searches the other search heads? (a search like the one above returns values for the current search head and its peers - indexers)

isoutamo · ‎02-01-2022

If you want to search from other search head you must define those as a search peers to this node. Usually this is not a thing you want to do as it’s affects also on all normal searches.

If/when you have a MC (monitoring console) it has defined those SHs as a search peers already and you can run that query there.

r. Ismo

jaburke1 · ‎02-02-2022

Thanks isoutamo. Agree I do not want to make them peers. Do you know if this could be done using a custom command?

isoutamo · ‎02-02-2022

If/when you can set authentication&authorization to that command and use it in custom command it should work. I don't see any (real) reason why you couldn't use python and make rest request from it to correct target?

If I recall right in splunkbase there is already some package for doing rest inputs (TA-rest or something)? Probably you could use it as starting point if it didn't work without changes?

r. Ismo

jaburke1 · ‎02-02-2022

isoutamo - Thank you very much!

Is "REST API Modular Input" the app you are referring?

isoutamo · ‎02-02-2022

Yes, but as I said, it's for inputs and probably not working as you need without changes? I haven't use it by myself.

jaburke1 · ‎02-02-2022

isoutamo - I understand. Thank you very much!

How to make rest search on one search head able to get results from other search heads?

join

Other

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout