Getting Data In

Setting up an ultra-light front-end instance for API request

sgerogia
New Member

Hello.

In our company we already have a Splunk 5 setup with multiple search heads and indexers.

What I would like to do is setup a local Splunk instance, which would just accept REST API requests, simply relay them to the existing search head(s) and return back results.
As minimum data as possible are to be maintained on this light instance; I like to think of it as a query proxy.

Does Splunk support this topology?

If yes, which settings in the light instance should I look into? Or perhaps some page in the online docs that I have missed?

Thank you,
S.

UPDATE:
I forgot to clarify that, for whatever historical/obscure reason, direct REST API access to the search heads has been disabled.

Tags (1)
0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee
0 Karma

sgerogia
New Member

This would obviously be better, I agree.
Namely, make a REST call to the local Splunk which would relay it to the remote search head. Do you know how to set the equivalent of the -uri switch in the API request?

0 Karma

sgerogia
New Member

I will (almost) answer my own question after some searching.

A (very brutal) way to do it is by using the CLI commands, namely
* Install Splunk locally and start its daemon
* Launch a query from the command line similar to splunk search 'earliest=-10m latest=-1m index=foo host="bar*" sourcetype="test" "some text" AND NOT "other" ' -uri https://remote-splunk:port

Downside is that the first time you are prompted for username/password of the remote host.

Obviously this will only work well for local scripting or batch jobs, not used by a high request-volume server/process.

I hope this helps.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...