Getting Data In

Why is the REST API not answering ?

charlou
Engager

I'm trying, in vain, to get answers from the REST API as described here: http://dev.splunk.com/view/basic-tutorial/SP-CAAADQT

I tried a lot of things, among which:
$ curl -u cibrahim -k https://10.83.88.20:8089/servicesNS/cibrahim/search/
Enter host password for user 'cibrahim':
curl: (7) couldn't connect to host

or

$ curl -vk -u cibrahim https://10.83.88.20:8089/servicesNS/-/-/search/jobs/1421068924.6480
Enter host password for user 'cibrahim':
* About to connect() to 10.83.88.20 port 8089 (#0)
* Trying 10.83.88.20...
* Connexion terminée par expiration du délai d'attente
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

As you can see, I don't get any answer of any kind. Connection times out after a certain (timeout) amount of time.

I checked that my local instance of splunk (on my local server @ 10.83.88.20) is listening to port 8089:
# netstat -a | grep 8089
tcp 0 0 :8089 *: LISTEN

tcp 0 0 localhost:56809 localhost:8089 ESTABLISHED
tcp 0 0 localhost:8089 localhost:56809 ESTABLISHED

Any idea about what I could be missing in this (very) annoying hinderance ?

Thx in advance

0 Karma
1 Solution

bmunson_splunk
Splunk Employee
Splunk Employee

Hi charlou

That seems to be correct. I have tried similar on one of our lab servers and it works as expected. I would suspect a firewall or similar is blocking you. It is good practice on any system to block ports that can be used to gain remote access so I suspect your architect has done that deliberately.

Here was my command and output.

bmunson$ curl -vku admin https://54.154.184.25:8089/servicesNS/admin/search/
Enter host password for user 'admin':
* Hostname was NOT found in DNS cache
*   Trying 54.154.184.25...
* Connected to 54.154.184.25 (54.154.184.25) port 8089 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate: SplunkServerDefaultCert
* Server certificate: SplunkCommonCA
* Server auth using Basic with user 'admin'
> GET /servicesNS/admin/search/ HTTP/1.1
> Authorization: Basic YWRtaW46NnViYmxlcyE=
> User-Agent: curl/7.37.1
> Host: 54.154.184.25:8089
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 06 Feb 2015 12:26:39 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 9386
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
* Server Splunkd is not blacklisted
< Server: Splunkd
< 
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>servicesNS</title>
  <id>https://54.154.184.25:8089/servicesNS/admin/search/</id>
  <updated>2015-02-06T12:26:39+00:00</updated>
  <generator build="237341" version="6.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>admin</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/admin</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/admin" rel="alternate"/>
  </entry>
  <entry>
    <title>alerts</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/alerts</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/alerts" rel="alternate"/>
  </entry>
  <entry>
    <title>apps</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/apps</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/apps" rel="alternate"/>
  </entry>
  <entry>
    <title>auth</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/auth</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/auth" rel="alternate"/>
  </entry>
--- TRIMMED ---
  <entry>
    <title>template</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/template</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/template" rel="alternate"/>
  </entry>
</feed>

View solution in original post

kharford
New Member

I am running into the same issue, however mine is a little different:

curl -vku kenneth.harford https://54.225.250.77:8089/services/apps/local
Enter host password for user 'kenneth.harford':
* Trying 54.225.250.77...
* Connected to 54.225.250.77 (127.0.0.1) port 8089 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

Any ideas?
Thanks
Ken

0 Karma

bmunson_splunk
Splunk Employee
Splunk Employee

Hi charlou

That seems to be correct. I have tried similar on one of our lab servers and it works as expected. I would suspect a firewall or similar is blocking you. It is good practice on any system to block ports that can be used to gain remote access so I suspect your architect has done that deliberately.

Here was my command and output.

bmunson$ curl -vku admin https://54.154.184.25:8089/servicesNS/admin/search/
Enter host password for user 'admin':
* Hostname was NOT found in DNS cache
*   Trying 54.154.184.25...
* Connected to 54.154.184.25 (54.154.184.25) port 8089 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate: SplunkServerDefaultCert
* Server certificate: SplunkCommonCA
* Server auth using Basic with user 'admin'
> GET /servicesNS/admin/search/ HTTP/1.1
> Authorization: Basic YWRtaW46NnViYmxlcyE=
> User-Agent: curl/7.37.1
> Host: 54.154.184.25:8089
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 06 Feb 2015 12:26:39 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 9386
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
* Server Splunkd is not blacklisted
< Server: Splunkd
< 
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>servicesNS</title>
  <id>https://54.154.184.25:8089/servicesNS/admin/search/</id>
  <updated>2015-02-06T12:26:39+00:00</updated>
  <generator build="237341" version="6.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>admin</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/admin</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/admin" rel="alternate"/>
  </entry>
  <entry>
    <title>alerts</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/alerts</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/alerts" rel="alternate"/>
  </entry>
  <entry>
    <title>apps</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/apps</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/apps" rel="alternate"/>
  </entry>
  <entry>
    <title>auth</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/auth</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/auth" rel="alternate"/>
  </entry>
--- TRIMMED ---
  <entry>
    <title>template</title>
    <id>https://54.154.184.25:8089/servicesNS/admin/search/template</id>
    <updated>2015-02-06T12:26:39+00:00</updated>
    <link href="/servicesNS/admin/search/template" rel="alternate"/>
  </entry>
</feed>
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...