Reference information for each endpoint in the REST API includes the following items. Some operations have specific capability requirements, as noted. See the Endpoints reference list for an alphabetical list of endpoints.ĭepending on the endpoint, GET, POST, and/or DELETE operations are available for accessing, creating, updating, or deleting resources. For a full list of endpoints supported in Splunk Enterprise, see Resource groups in the Splunk Enterprise REST API Reference Manual. Splunk Cloud Platform supports a subset of the REST API endpoints available in Splunk Enterprise. Manage searches and search-generated alerts and view objects. ![]() Manage federated providers and federated indexes.ĭefine indexed and searched data configurations.Įnumerate metrics and dimensions associated with metrics. Resources are grouped into the following categories. Use the corresponding publicly documented endpoint instead. Splunk does not support or document REST API endpoints that contain /admin/ in their URIs. If you are using Splunk Cloud Platform, review details in Access requirements and limitations for the Splunk Cloud Platform REST API. ![]() There are some REST API access and usage differences between Splunk Cloud Platform and Splunk Enterprise. See the REST API User Manual to learn about the Splunk REST API basic concepts. (Make sure you set the variables for Splunk host, dashboard author, and app name appropriately.Use the REST API Reference to learn about available endpoints and operations for accessing, creating, updating, or deleting resources. get-dashboard-source.sh my-dashboard > my-dashboard.xml randint( 1, 59) # pick a random minute during 01:01 - 01:59 params = ?output_mode=json" \ getenv( "SPLUNK_AUTH_TOKEN")ĭef create_alert(search_name, search, splunk_app, webhook_host):Ĭrontab = " %s 1 * * *" % random. #!/usr/bin/env python import os, argparse, random your new search replaces the old one), and randomises theĬrontab spec slightly to spread out load on the Splunk server. It also deletes any existing search of the same name The above code is all you actually need, but here’s a slightlyĮxpanded example that accepts command line arguments and multiple (*) Note that I have not yet tested this, so I’m not sure which other Creating aĬonditional alert is left as an exercise for the reader… Rather than depending on a condition being met. #22 ) cause this alert to send results every time it is invoked, The digest mode and alert threshold settings (lines #20 and Lines #25-26 define the time range over which to run the search This example is “daily at 1:00 am” (in the Splunk server’s Line #24 specifies when to run the saved search, as a crontabĮntry. '' to send the alert as an email instead_*_. You could also specify 'actions': 'email' and Our alert: in this example, a webhook and the URL that Splunk will The first two lines ( #17-18) specify the action to trigger for There’s a few things in that dictionary of parameters to the API call ![]() '': ' 'alert_comparator': 'greater than', Script you can use to set this variable (assuming you have xmllintįilename = 'my_search.txt' search_name = os. Theįollowing code assumes you have a valid auth token in theĮnvironment variable SPLUNK_AUTH_TOKEN. Next we’re going to write some Python to drive the Splunk API. Interactively until you’re happy with it, then save it in a file It’s a good idea to test and refine the search This is the same search definition as you would enter in the Splunk As an example, here is a really simple search thatĬounts the number of 404 errors by sourcetype: index=* | stats count(eval(status="404")) AS count_status BY sourcetype Specifying the searchįirst of all, let’s specify our search. Individual searches, while keeping everything under source control. This makes it easy to set up alerts for many While theseĪlerts can easily be created in the web UI (by clicking “SaveĪs/Alert” in a search) in many cases would be nice to do it Have Splunk send you data on a scheduled basis, or when certainĬonditions are met (e.g. Splunk Alerts (also called saved searches) are a great way to JCreating Splunk Alerts (aka 'Saved Searches') from the command line
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |