Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to search Splunk API from a remote host with Forwarder installed via CLI with user and password

watkinst
Engager
‎03-02-2016 02:14 PM

If you wish to Search the API via command line (using the Splunk Binary included in the Forwarder package for example) it is executed as follows: 

$SPLUNK_HOME/bin/splunk search 'yoursearch' -uri 'https://splunkAPI_Instance:8089/'

This works great on its own, however, prompts for User & Password on execution. Making scripted extraction of splunk data to export to local file called from a cron job or otherwise difficult.

My Question is, how can you execute the same and provide the username & password the way one might with CURL or WGET in the command request itself?

CURL example:

curl -k -u admin:pass https://splunkAPI_Instance:8089/services/saved/searches \
     -d name=MySavedSearch                                           \ 
     --data-urlencode search="index=_internal source=*metrics.log"

CURL outlined in Splunk Documentation References:
http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTUM/RESTusing

I can't seem to find any documentation (in this REST User doc or otherwise) around passing the username & password via command line when specifically leveraging the splunk forwarder/binary. (Without also the SDK and adding Python or Ruby to the mix).

Side note: CURL & WGET are prohibited from being installed on the server where the forwarder in this scenario happens to exist, so it would be ideal to use the forwarder installation itself to perform the search since it is already there and available to local users of that (unix) system.

Once solution identified, the following should be updated to reflect the same information:
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/AboutCLIsearches
http://docs.splunk.com/Documentation/Splunk/6.2.0/RESTTUT/RESTsearches
http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTUM/RESTusing#Authentication_and_authorization

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-02-2016 03:03 PM

Hi watkinst,

your can use the -auth switch with your remote search command:

/opt/splunkforwarder/bin/splunk search 'index=_internal' -uri 'https://someremoteip:8089' -auth admin:changeme

Just remember that you have to allow remote login on the remote Splunk instance in server.conf

allowRemoteLogin=always

read the docs for more details on this http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/AccessandusetheCLIonaremoteserver

Hope this helps ...

cheers, MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...