The Splunk platform REST API provides the ability to create, read, update, or delete resources across the Splunk Enterprise platform. This capability can be leveraged to query, configure, and even run searches in your Splunk environment programmatically utilizing client software based on the popular programming languages C#, Java, JavaScript, or Python, and you can even run REST commands from the Splunk Web Search bar or your browser address bar. It may be interesting to note that almost without exception every activity performed in Splunk Web or any Splunk command executed from a command line will result in an API call to the splunkd daemon – which gives you some idea of the coverage and power of the API endpoints.

This article will explain what the Splunk REST API is all about, how it works, and the key concepts you need to know to use it. We’ll also provide several use cases and examples you can easily duplicate to take advantage of this powerful feature.

A REST (Representational State Transfer) API (Application Programming Interface) is a way for computer programs to exchange information in a structured, standardized fashion. A term that is commonly associated with API discussions is ‘endpoint’, which is simply the URL utilized to contact a server or service and specify which information is being accessed. For example, the API endpoint URL to obtain basic information about a Splunk server is:

This URL will return a list of Splunk applications installed on this server:

You can see from the differences in the above examples that the various API ‘endpoints’ for accessing data are simply the different URL paths to those resources.

In addition to endpoints, there are several other concepts that you should be familiar with when working with the Splunk REST API. A key concept is that of ‘CRUD’, which is an acronym that represents the types of operations or ‘methods’ you can use with an API: Create, Read, Update, and Delete. These methods are available in Splunk API HTTP calls as:

GET – read the current resource state, or if the endpoint represents a collection, list the members of the collection.
POST – create a resource or update existing resource data.
DELETE – delete an endpoint from the resource hierarchy.

Another set of concepts that are key to working with many of the Splunk API endpoints is ‘eai:acl’, which you’ll see in the output of most Splunk API calls. The ‘eai’ part stands for ‘Enterprise Application Integration’, which is an industry-standardized framework to enable different systems and applications across an enterprise to exchange data – basically, a universally accepted data exchange format. The other part – ‘acl’ – stands for ‘Access-Control List’, which is a list of relationships and permissions associated with a system resource (endpoint object). An ACL specifies which users or system processes are granted access to specific endpoint objects and what operations are allowed on those objects. The ‘eai:acl’ portion of Splunk API results is simply an access control list in EAI format.

Related to the Access Control List is the concept of ‘namespace’, which in the context of Splunk refers to the use of an ‘owner’ (often a username) and ‘app’ when specifying a resource. Some resources don’t require that you reference a namespace, such as when you request information about a Splunk server with the /services/server/info endpoint. But if you’re querying Splunk to retrieve the saved searches associated with a given Splunk app (which are stored in a nf file within that app), you must specify the app in the URL because there can be saved searches in multiple Splunk apps and Splunk needs to know which one you’re referencing. In like fashion, you must specify the owner of a resource because if the permissions for a given saved search are set to ‘private’, the saved search content actually resides in a ‘user’ folder, not in the /etc/apps/ folder.

Every Splunk resource belongs to a namespace. The namespace is specified by an owner and app and is governed by a sharing mode which you’ll recognize from the ‘permissions’ settings on Splunk knowledge objects such as alerts, dashboards, reports, etc.
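To make the namespace and ‘eai:acl’ concepts above concrete, here is an added example (not code from the original article or from Splunk) that builds a namespaced endpoint path and reviews the ACL on each saved search in a listing. It assumes Splunk's `/servicesNS/<owner>/<app>/` path form and the `acl` object that JSON output carries per entry, neither of which is shown in the article; the sample response and the helper names `namespaced_path` and `audit_acls` are constructed for illustration.

```python
import json
from urllib.parse import quote

# Constructed sample of a saved-searches listing in JSON output mode; in
# JSON each entry carries its eai:acl as an "acl" object. Not real data.
SAMPLE = json.dumps({"entry": [
    {"name": "Failed logins", "acl": {"app": "search", "owner": "alice",
        "sharing": "user", "perms": None}},
    {"name": "Admin changes", "acl": {"app": "sec_app", "owner": "nobody",
        "sharing": "app", "perms": {"read": ["*"], "write": ["admin"]}}},
    {"name": "Disable alerts", "acl": {"app": "sec_app", "owner": "bob",
        "sharing": "global", "perms": {"read": ["*"], "write": ["*"]}}},
]})

def namespaced_path(owner, app, resource):
    """Build /servicesNS/<owner>/<app>/<resource>; '-' acts as a wildcard."""
    # Percent-encode owner and app so a '/' in a name cannot alter the path.
    return "/servicesNS/{}/{}/{}".format(
        quote(owner, safe=""), quote(app, safe=""), resource.strip("/"))

def audit_acls(listing_json):
    """Return (name, owner, app, sharing, finding) for every entry."""
    findings = []
    for entry in json.loads(listing_json).get("entry", []):
        acl = entry.get("acl") or {}
        perms = acl.get("perms") or {}  # the private sample entry has no perms
        sharing = acl.get("sharing", "unknown")
        if sharing == "user":
            finding = "private: lives in the owner's user folder"
        elif "*" in perms.get("write", []):
            finding = "any role can modify this shared object"
        else:
            finding = "ok"
        findings.append((entry["name"], acl.get("owner"), acl.get("app"),
                         sharing, finding))
    return findings

if __name__ == "__main__":
    print(namespaced_path("alice", "search", "saved/searches"))
    for row in audit_acls(SAMPLE):
        print(row)
```

A shared detection search that any role can write to is worth reviewing, because whoever can edit it can also silence it.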