Splunk is a powerful data ingestion, manipulation, and analytics platform that has grown over the years to form a whole suite of products. Here, we look specifically at Splunk Enterprise, the original and still much-loved core. We will explore and then automate search operations for a simple threat-hunting example. We will then turn our learnings into a fully-fledged self-service internal tool for use by colleagues (or perhaps other teams in your organization).

There are many reasons to automate Splunk's operations. It is a rich and versatile platform that, once fed with multiple data sources, can help you surface and identify valuable insights and trigger actions. Splunk even has its own Search Processing Language (SPL) and multiple training and certification tracks. Its APIs are rich, mature, and first-class! The Splunk Cloud trial has some API limitations and restrictions, so we'll use Splunk Enterprise running on an Amazon AWS AMI instance. We recommend you do, too, if you want to explore the API functionality quickly and conveniently, though all commercial or enterprise versions should have the API enabled.

Before we dive into the API, some basic nomenclature and concepts should be understood around Splunk, mainly that of forwarders and receivers. Splunk can get very complicated very quickly if you do larger deployments or run clusters, so we're just running a single forwarder (Windows host + event logs) and a single receiver (our Splunk Enterprise host).

When diving into an API, the first concerns tend to be:
- Are there any limitations (including rate-limits), or 'gotchas'?
- Where and what sort of documentation does the API have?
- What tooling can I use to quickly prototype and test?

- Main Splunk documentation hub here (Splunk Enterprise manual here).
- REST API user manual here / reference manual here.
- REST API (Search) here (Search Tutorial/Tips here).
- Splunkbase (application marketplace) here.
- Splunk community forum here / developer site here.

Depending on your type of install, be it Splunk Cloud or Splunk Enterprise, your host (FQDN) will be different. However, specific types of endpoints are grouped into resource groups, of which "search" is one. The REST API is exposed on TCP port 8089 and responds with XML unless you ask for another output mode in the query or action.

Splunk API Authentication
Basic HTTP authentication (RFC 2617), session-based, and token authentication (Splunk v7.3+) types are available. In this guide, we will be defaulting to simple Basic HTTP authentication.

Splunk Cloud is extremely limited in terms of endpoint availability. It only exposes the "Search" endpoint, that is, if you can get it enabled on your instance by manually calling support! We recommend not being put off by the term "enterprise" in Splunk Enterprise and proceeding with the AWS AMI (or doing a full install yourself on your host). This will save you time and enable you to explore the API faster. Additional Splunk restrictions and limitations with the API are listed here.

Tooling
cURL on the CLI is the fastest way to get going, albeit you could just as easily use Postman, PowerShell, or another scripting tool (or language) of your choice. Later we will also look at using Tines for a more holistic workflow automation approach.

Quick Setup
As mentioned briefly earlier, we are using an AWS Splunk AMI on the AWS free tier to get us going with a clean and fully functional Splunk install. We're also running a Windows 2012 R2 Datacenter instance in GCP (Google Cloud Platform) as our forwarder, which will send Splunk its Windows Event log data. The Windows host requires an install of the Splunk Universal Forwarder. Only the receiving Splunk Enterprise server hostname (or IP) and port TCP 9997 need to be configured during the install (for which you are prompted). You do not need to configure the deployment server option. Ensure the Windows firewall permits this port outbound to your receiver. We give our AWS instance an Elastic IP, so it has a static IP throughout our usage. Also, rather than add the hostname to DNS, you could just edit your hosts file for testing purposes, or of course use the IP in the URL directly.
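As an added example (not code from the original post or from Splunk), here is the search call described above done from a script instead of cURL: Basic HTTP auth against the management port 8089, the search resource group, and output_mode=json to override the default XML. The host name, credentials, the CA file path and the Windows failed-logon query are placeholders I made up; the request-building and response-parsing parts are split out so they can be checked without a live server.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

SPLUNK_MGMT_PORT = 8089  # REST/management port named in the post


def ensure_search_prefix(spl: str) -> str:
    """search/jobs rejects SPL that does not start with 'search' or a pipe;
    a bare 'index=main' is a common first-run gotcha, so prefix it."""
    s = spl.strip()
    if s.startswith("|") or s == "search" or s.startswith("search "):
        return s
    return f"search {s}"


def build_oneshot_request(host: str, user: str, password: str, spl: str):
    """Return (url, headers, body) for a one-shot search job, i.e. the same
    request 'curl -u user:pass https://host:8089/services/search/jobs' sends."""
    url = f"https://{host}:{SPLUNK_MGMT_PORT}/services/search/jobs"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "search": ensure_search_prefix(spl),
        "exec_mode": "oneshot",   # block until finished, return rows directly
        "output_mode": "json",    # without this the API answers in XML
    }).encode()
    return url, headers, body


def parse_results(body: bytes) -> list:
    """Pull the result rows out of a oneshot JSON response body."""
    return json.loads(body).get("results", [])


def run_oneshot_search(host, user, password, spl, ssl_context=None, timeout=60):
    """Send the search and return rows. Default keeps TLS verification on;
    pass an SSLContext that trusts the lab's self-signed management cert."""
    url, headers, body = build_oneshot_request(host, user, password, spl)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ssl_context) as resp:
        return parse_results(resp.read())


if __name__ == "__main__":
    # Hypothetical host, credentials and CA file; query is a constructed
    # failed-logon hunt over the forwarded Windows Security log.
    ctx = ssl.create_default_context(cafile="splunk-mgmt-ca.pem")
    rows = run_oneshot_search("splunk.example.internal", "admin", "CHANGE_ME",
                              'index=main sourcetype="WinEventLog:Security" EventCode=4625 | head 5',
                              ssl_context=ctx)
    print(len(rows), "rows")
```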