Splunk Search

Splunk REST API, if hostname matched

burakatabay
Path Finder

Hi,
I am trying to reload the deploy server with the REST API if the hostname in the saved search result is matched. But when the saved search runs, the deploy server is reloaded every time. My saved search runs on a 5-minute cron schedule.
There is a deploy server reload every 5 minutes.
How do I reload the deploy server only if the hostname is matched?

My savedsearches.conf

[Syslog New Source Monitor]
action.syslogmonitor = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=inotify \
| rex field=_raw "ISDIR\s(?<path>.+)" \
| eval orig_path="/var/log/splunk/syslog/" \
| eval new_path=orig_path . path \
| stats count by host new_path \
| eval API = case(host=="splunk-sch", \
[| rest /services/deployment/server/serverclasses//HF%201/reload],host=="splunkfwd", \
[| rest /services/deployment/server/serverclasses//HF%202/reload], 1=1, 0)

No result comes back, but the case statement is running.

richgalloway
SplunkTrust

The problem lies in the final eval.

| eval API = case(host=="splunk-sch", \
[| rest /services/deployment/server/serverclasses//HF%201/reload],host=="splunkfwd", \
[| rest /services/deployment/server/serverclasses//HF%202/reload], 1=1, 0)

The square brackets around each rest command denote a subsearch and subsearches (almost) always execute first.  Therefore, the reload command is running before any conditions are tested.

SPL doesn't have conditional execution like programming languages do.  You may be able to work around that this way, however.

| eval API = case(host=="splunk-sch", 
"\| rest /services/deployment/server/serverclasses//HF%201/reload",host=="splunkfwd", 
"\| rest /services/deployment/server/serverclasses//HF%202/reload", 1=1, "noop")
| map search="$API$"

I have to ask, however, what you are trying to accomplish. Reloading the deployment server is not a routine task. It's something that is necessary only when the serverclass.conf file is modified. What is the problem you are trying to solve with this search?

---
If this reply helps you, Karma would be appreciated.

burakatabay
Path Finder

Hi @richgalloway

Thank you for the answers.

Firstly:

If no result comes back, the Splunk search fails.

Secondly:

If any result comes back, rest doesn't run.

The reason why I want to do this is that I want this custom alert action Python script to trigger when a new syslog source is added to the SplunkHF; the script would add the newly discovered syslog paths to the deployment_apps inputs.conf to monitor those new paths and then send the deployed app to the SplunkHF. I have added the correct information to inputs.conf. In case any results are returned, I just want to reload the related server class.

Happy Splunking.
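Since richgalloway's point is that SPL has no conditional execution (the bracketed rest subsearches run before the case conditions are evaluated) and the poster already drives a custom alert action script, one way to get the "reload only when a matching host appears" behaviour is to move the decision out of the search and into that script. The following is an added example written for this thread, not the poster's script or anything shipped by Splunk: it assumes a modular alert action invoked as `script --execute` with Splunk's JSON payload on stdin (`results_file`, `server_uri`, `session_key`), uses the serverclass reload endpoint shape from the thread with the serverclass name URL-encoded, and assumes a host-to-serverclass mapping built from the two hosts in the original search. The alert fires only when the search returns rows, so an empty result set means no reload at all, and a result containing only unmapped hosts also reloads nothing.

```python
import csv
import gzip
import json
import sys
import urllib.parse
import urllib.request

# Assumed mapping: the host names come from the original search, but which
# serverclass each one belongs to is an assumption made for this example.
HOST_TO_SERVERCLASS = {
    "splunk-sch": "HF 1",
    "splunkfwd": "HF 2",
}


def reload_url(server_uri, serverclass):
    """Build the reload endpoint used in the thread, URL-encoding the
    serverclass name so 'HF 1' becomes 'HF%201' (a single slash is used
    where the thread's path shows '//')."""
    quoted = urllib.parse.quote(serverclass, safe="")
    return f"{server_uri}/services/deployment/server/serverclasses/{quoted}/reload"


def serverclasses_to_reload(rows):
    """Return the ordered, de-duplicated serverclasses whose hosts appear in
    the alert's result rows. Unknown hosts are ignored and an empty result
    set yields an empty list, so nothing is reloaded unless a matching host
    was actually reported (the conditional the SPL case() could not express)."""
    selected = []
    for row in rows:
        host = (row.get("host") or "").strip()
        serverclass = HOST_TO_SERVERCLASS.get(host)
        if serverclass and serverclass not in selected:
            selected.append(serverclass)
    return selected


def read_results(path):
    """Read the gzipped CSV results file Splunk hands to a modular alert action."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def post_reload(url, session_key):
    """POST to the reload endpoint, authenticating with the session key Splunk
    passes to the alert action (no stored credentials needed). The management
    port's certificate must be trusted by the interpreter's CA bundle; TLS
    verification is deliberately left enabled."""
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Authorization", f"Splunk {session_key}")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def main():
    # Modular alert actions are run as `script --execute` with a JSON payload on stdin.
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("usage: script --execute  (JSON payload on stdin)", file=sys.stderr)
        return 1
    payload = json.load(sys.stdin)
    rows = read_results(payload["results_file"])
    for serverclass in serverclasses_to_reload(rows):
        url = reload_url(payload["server_uri"], serverclass)
        status = post_reload(url, payload["session_key"])
        # Splunk collects the alert action's stderr into splunkd.log.
        print(f"INFO reloaded serverclass {serverclass!r}: HTTP {status}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With this in place the saved search only needs to return `host` (and `new_path`) rows; the reload decision, de-duplication across rows and the REST call happen once per alert run in the script, so a schedule where no new syslog path appears no longer touches the deployment server.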
