Splunk rest api , if hostname matched

burakatabay
Path Finder

Hi,
I am trying to reload the deploy server with the REST API if the saved search result hostname matches. But when the saved search runs, the deploy server is reloaded every time. My saved search runs on a 5-minute cron schedule.
So there is a deploy server reload every 5 minutes.
How do I reload the deploy server only if the hostname matches?

My savedsearches.conf

[Syslog New Source Monitor]
action.syslogmonitor = 1
alert.digest_mode = 0
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = index=inotify \
| rex field=_raw "ISDIR\s(?<path>.+)" \
| eval orig_path="/var/log/splunk/syslog/" \
| eval new_path=orig_path . path \
| stats count by host new_path \
| eval API = case(host=="splunk-sch", \
[| rest /services/deployment/server/serverclasses//HF%201/reload],host=="splunkfwd", \
[| rest /services/deployment/server/serverclasses//HF%202/reload], 1=1, 0)

No result comes back, but the case statement is running.

richgalloway
SplunkTrust

The problem lies in the final eval.

| eval API = case(host=="splunk-sch", \
[| rest /services/deployment/server/serverclasses//HF%201/reload],host=="splunkfwd", \
[| rest /services/deployment/server/serverclasses//HF%202/reload], 1=1, 0)

The square brackets around each rest command denote a subsearch and subsearches (almost) always execute first.  Therefore, the reload command is running before any conditions are tested.

SPL doesn't have conditional execution like programming languages do.  You may be able to work around that this way, however.

| eval API = case(host=="splunk-sch", 
"\| rest /services/deployment/server/serverclasses//HF%201/reload",host=="splunkfwd", 
"\| rest /services/deployment/server/serverclasses//HF%202/reload", 1=1, "noop")
| map search="$API$"

I have to ask, however, what you are trying to accomplish. Reloading the deployment server is not a routine task. It's something that is necessary only when the serverclass.conf file is modified. What is the problem you are trying to solve with this search?

---
If this reply helps you, Karma would be appreciated.

burakatabay
Path Finder

Hi @richgalloway

Thank you for answers.

Firstly;

If no result comes back, the Splunk search fails.

Secondly;

If any result comes back, rest doesn't run.

The reason I want to do this is that I want this custom alert action Python script to trigger when a new syslog source is added to the SplunkHF; the script would add the newly discovered syslog paths to the deployment_apps inputs.conf to monitor those new paths and then send the deployed app to the SplunkHF. I have added the correct information to inputs.conf. In case any results are returned, I just want to reload the related server class.

Happy Splunking.
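Since subsearches run before the case() conditions are tested, the reload cannot be made conditional inside the SPL itself. The added example below (not code from either poster) does the conditional part in the custom alert action script mentioned above: it reads the alert's result rows, reloads a serverclass only for hosts that actually appear, and does nothing when the result set is empty. It assumes Splunk's standard alert-action payload on stdin (JSON carrying session_key, server_uri and results_file), the reload endpoint path quoted in the thread, and a constructed host-to-serverclass mapping using the names from the thread.

```python
# Added example: custom alert action that reloads a deployment-server
# serverclass only for the hosts that matched in the saved search.
# Assumptions: standard Splunk alert payload on stdin ("session_key",
# "server_uri", "results_file"); HOST_TO_SERVERCLASS is a constructed mapping
# built from the host and serverclass names used in the thread.
import csv
import gzip
import json
import sys
import urllib.request
from urllib.parse import quote

# Constructed mapping: which serverclass each forwarding host belongs to.
HOST_TO_SERVERCLASS = {
    "splunk-sch": "HF 1",
    "splunkfwd": "HF 2",
}


def plan_reloads(rows, host_map=HOST_TO_SERVERCLASS):
    """Return the sorted, de-duplicated serverclasses to reload for these rows.

    An empty result set or an unmapped host yields no reload at all, which is
    the conditional behaviour the SPL case() with subsearches could not give.
    """
    return sorted({host_map[r["host"]] for r in rows if r.get("host") in host_map})


def reload_url(server_uri, serverclass):
    # Endpoint path from the thread; the name is URL-encoded ("HF 1" -> "HF%201").
    return f"{server_uri}/services/deployment/server/serverclasses/{quote(serverclass)}/reload"


def reload_serverclass(server_uri, session_key, serverclass):
    """POST the reload, authenticating with the alert's own session key."""
    req = urllib.request.Request(reload_url(server_uri, serverclass), data=b"", method="POST")
    req.add_header("Authorization", f"Splunk {session_key}")
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        return resp.status


def read_results(path):
    # Alert results arrive as a gzipped CSV; each row is one line of the stats output.
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def main():
    payload = json.load(sys.stdin)
    rows = read_results(payload["results_file"])
    for sc in plan_reloads(rows):
        status = reload_serverclass(payload["server_uri"], payload["session_key"], sc)
        print(f"reloaded {sc}: HTTP {status}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Splunk's default self-signed management certificate will not pass urllib's verification; point Python at the CA that signed the deployment server's certificate rather than turning verification off.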
