Splunk Search

How to make rest search on one search head able to get results from other search heads?

jaburke1
Path Finder

If you have a dashboard that has a panel with a  search like the one below:

| rest splunk_server=* /services/-/-/admin/......../appName/local
| table name splunk_server title

How can you make it so that it searches the other search heads? (a search like the one above returns values for the current search head and its peers - indexers) 

 

Labels (2)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

If you want to search from other search head you must define those as a search peers to this node. Usually this is not a thing you want to do as it’s affects also on all normal searches. 

If/when you have a MC (monitoring console) it has defined those SHs as a search peers already and you can run that query there.

r. Ismo

0 Karma

jaburke1
Path Finder

Thanks isoutamo.  Agree I do not want to make them peers. Do you know if this could be done using a custom command?

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If/when you can set authentication&authorization to that command and use it in custom command it should work. I don't see any (real) reason why you couldn't use python and make rest request from it to correct target?

If I recall right in splunkbase there is already some package for doing rest inputs (TA-rest or something)? Probably you could use it as starting point if it didn't work without changes?

r. Ismo

jaburke1
Path Finder

isoutamo - Thank you very much!

Is "REST API Modular Input" the app you are referring?

 

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
Yes, but as I said, it's for inputs and probably not working as you need without changes? I haven't use it by myself.

jaburke1
Path Finder

isoutamo - I understand. Thank you very much!

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...