I have a need to be able to do a search in the Splunk UI using the `rest` search command against a completely different instance of Splunk. I see the options allow you to specify a Splunk server; is that only within your Splunk environment? I don't see a mechanism to include a username or password. I know you can do this with the REST API using Python, but I would like to be able to pull directly from the Splunk interface without writing an external command to do it. Any ideas?
Thanks,
-Bob
You can use the REST API Modular Input to poll data from any REST endpoint, including remote Splunk instances.
App has moved (URL) 😉 I'm wondering if there's an equivalent of all the curl solutions in a search-query format, not from the CLI but from the UI, as I have more or less the same question as the topic starter.
On the web interface of my heavy forwarder, I'd like to run a (remote) saved search on the search head to check the license usage and, if it is >99%, stop the heavy forwarding mechanism. This works fine on my testing environment, a single-instance machine performing all Splunk functions on one machine.
I can run a CLI sh file that connects and executes the search, but a security issue is that I have to include admin:password in plain text in the file, as every Splunk server has its own credentials. Also, on the production environment I don't want to create scripts on the command line; the general idea is to keep everything in the UI and saved searches and prevent prompt access to files.
So in brief: does something like "| rest endpoint=searchheaduriorname:8089 | search /services/somequeryremotely" exist, or is it, intentionally or not, unavailable through REST?
Nope, you can't query non-related Splunk instances from the web interface - unless you write your own custom command for doing something like that. You can, obviously, query Splunk instances that have been added as search peers, though.
This is very unfortunate, since the SOS app uses it for licensing. The licenser is not part of the search pool.
Thanks, that is what I suspected. Unfortunately the Splunk instance is embedded in a product that only allows you access through REST. I guess using Python to write a command through the REST API is the best option.
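Both the heavy-forwarder post above and Bob's last reply point at the REST API from Python. As an added example (not from this thread, and not Splunk's own code), the script below runs the license check against a remote search head over the REST API with a token read from the environment, so no admin:password has to sit in plain text in a file; the host name, the `SPLUNK_TOKEN` variable and the `pct` field produced by the search are assumptions, and the sample response is constructed.

```python
import json
import os
import ssl
import urllib.parse
import urllib.request

# Hypothetical names; the host and token come from the environment, not the script.
SEARCH_HEAD = os.environ.get("SPLUNK_SH", "searchhead.example.internal:8089")
TOKEN = os.environ.get("SPLUNK_TOKEN")

# License usage per pool, computed on the remote instance by the search itself.
LICENSE_SEARCH = (
    "| rest /services/licenser/pools "
    "| eval pct=round(used_bytes/effective_quota*100,2) "
    "| table stack_id pct"
)

def run_export(spl, host=SEARCH_HEAD, token=TOKEN, cafile=None):
    """POST a search to /services/search/jobs/export and return the raw NDJSON body."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(
        f"https://{host}/services/search/jobs/export", data=body,
        headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=cafile)  # verify the peer's certificate
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode()

def parse_export(ndjson):
    """The export endpoint emits one JSON object per line; keep only final (non-preview) rows."""
    rows = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview") is False and "result" in obj:
            rows.append(obj["result"])
    return rows

def over_threshold(rows, threshold=99.0):
    """True if any pool reports usage above the threshold (the >99% rule from the thread)."""
    return any(float(r.get("pct", 0)) > threshold for r in rows)

# Constructed sample of the export format; not captured from a real instance.
SAMPLE_EXPORT = (
    '{"preview":true,"offset":0,"result":{"stack_id":"enterprise","pct":"42.10"}}\n'
    '{"preview":false,"offset":0,"result":{"stack_id":"enterprise","pct":"99.37"}}\n'
)

if __name__ == "__main__":
    rows = parse_export(run_export(LICENSE_SEARCH) if TOKEN else SAMPLE_EXPORT)
    print("stop forwarding" if over_threshold(rows) else "license ok")
```

Without `SPLUNK_TOKEN` set, the script evaluates the constructed sample instead of contacting a server.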
What about in "Distributed search"?
I wanted to try it because I can set it from the GUI.
Unfortunately, I don't believe I can add the other Splunk instance as a search peer.