Getting Data In

Why is the REST API not answering ?

charlou
Engager

I'm trying, in vain, to get answers from the REST API as described here: http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

I tried a lot of things, among which:
$ curl -u cibrahim -k https://10.83.88.20:8089/servicesNS/cibrahim/search/
Enter host password for user 'cibrahim':
curl: (7) couldn't connect to host

or

$ curl -vk -u cibrahim https://10.83.88.20:8089/servicesNS/-/-/search/jobs/1421068924.6480
Enter host password for user 'cibrahim':
* About to connect() to 10.83.88.20 port 8089 (#0)
* Trying 10.83.88.20...
* Connexion terminée par expiration du délai d'attente
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

As you can see, I don't get any answer of any kind. Connection times out after a certain (timeout) amount of time.

I checked that my local instance of splunk (on my local server @ 10.83.88.20) is listening to port 8089:
# netstat -a | grep 8089
tcp 0 0 :8089 *: LISTEN

tcp 0 0 localhost:56809 localhost:8089 ESTABLISHED
tcp 0 0 localhost:8089 localhost:56809 ESTABLISHED

Any idea about what I could be missing in this (very) annoying hinderance ?

Thx in advance

0 Karma
1 Solution

bmunson_splunk
Splunk Employee
Splunk Employee

Hi charlou

That seems to be correct. I have tried similar on one of our lab servers and it works as expected. I would suspect a firewall or similar is blocking you. It is good practice on any system to block ports that can be used to gain remote access so I suspect your architect has done that deliberately.

Here was my command and output.

bmunson$ curl -vku admin https://54.154.184.25:8089/servicesNS/admin/search/
Enter host password for user 'admin':
* Hostname was NOT found in DNS cache
*   Trying 54.154.184.25...
* Connected to 54.154.184.25 (54.154.184.25) port 8089 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate: SplunkServerDefaultCert
* Server certificate: SplunkCommonCA
* Server auth using Basic with user 'admin'
> GET /servicesNS/admin/search/ HTTP/1.1
> Authorization: Basic YWRtaW46NnViYmxlcyE=
> User-Agent: curl/7.37.1
> Host: 54.154.184.25:8089
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 06 Feb 2015 12:26:39 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 9386
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
* Server Splunkd is not blacklisted
< Server: Splunkd
< 
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>servicesNS</title>
  <id>https://54.154.184.25:8089/servicesNS/admin/search/</id>
  <updated>2015-02-06T12:26:39+00:00</updated>
  <generator build="237341" version="6.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>admin</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/admin</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/admin" rel="alternate"/>
  </entry>
  <entry>
    <title>alerts</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/alerts</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/alerts" rel="alternate"/>
  </entry>
  <entry>
    <title>apps</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/apps</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/apps" rel="alternate"/>
  </entry>
  <entry>
    <title>auth</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/auth</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/auth" rel="alternate"/>
  </entry>
--- TRIMMED ---
  <entry>
    <title>template</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/template</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/template" rel="alternate"/>
  </entry>
</feed>

View solution in original post

kharford
New Member

I am running into the same issue, however mine is a little different:

curl -vku kenneth.harford https://54.225.250.77:8089/services/apps/local
Enter host password for user 'kenneth.harford':
* Trying 54.225.250.77...
* Connected to 54.225.250.77 (127.0.0.1) port 8089 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

Any ideas?
Thanks
Ken

0 Karma

bmunson_splunk
Splunk Employee
Splunk Employee

Hi charlou

That seems to be correct. I have tried similar on one of our lab servers and it works as expected. I would suspect a firewall or similar is blocking you. It is good practice on any system to block ports that can be used to gain remote access so I suspect your architect has done that deliberately.

Here was my command and output.

bmunson$ curl -vku admin https://54.154.184.25:8089/servicesNS/admin/search/
Enter host password for user 'admin':
* Hostname was NOT found in DNS cache
*   Trying 54.154.184.25...
* Connected to 54.154.184.25 (54.154.184.25) port 8089 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate: SplunkServerDefaultCert
* Server certificate: SplunkCommonCA
* Server auth using Basic with user 'admin'
> GET /servicesNS/admin/search/ HTTP/1.1
> Authorization: Basic YWRtaW46NnViYmxlcyE=
> User-Agent: curl/7.37.1
> Host: 54.154.184.25:8089
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 06 Feb 2015 12:26:39 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 9386
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
* Server Splunkd is not blacklisted
< Server: Splunkd
< 
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>servicesNS</title>
  <id>https://54.154.184.25:8089/servicesNS/admin/search/</id>
  <updated>2015-02-06T12:26:39+00:00</updated>
  <generator build="237341" version="6.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>admin</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/admin</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/admin" rel="alternate"/>
  </entry>
  <entry>
    <title>alerts</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/alerts</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/alerts" rel="alternate"/>
  </entry>
  <entry>
    <title>apps</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/apps</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/apps" rel="alternate"/>
  </entry>
  <entry>
    <title>auth</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/auth</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/auth" rel="alternate"/>
  </entry>
--- TRIMMED ---
  <entry>
    <title>template</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/template</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/template" rel="alternate"/>
  </entry>
</feed>
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...