Getting Data In

Is there a REST API call to rebuild the forwarder asset table?

sarahkrisher
New Member

Is there an API call that can rebuild the forwarder asset table as opposed to going into the Distributed Management Console settings and manually doing so through Splunk Web?

0 Karma

dd_msearles
Path Finder

I have a slightly different requirement where the missing forwarders would blow out due to constantly changing Citrix clients, so my first comment below about dismissing the "DMC Forwarder - Build Asset Table" is because it's appending to the existing table.

If you check the Job Activity page on the Monitoring Console you will see two jobs that show up:

1. DMC Forwarder - Build Asset Table
2. `dmc_re_build_forwarder_assets(48m)`

The first is scheduled to run every 15 minutes and can be ignored.
The second is the job that is initiated when you "Rebuild forwarder assets" (previous 24 hours defines the 48m sparkline argument); this is what we are interested in.
If you follow the bouncing ball you can figure out what it's doing yourself. To get you started:

#  grep "dmc_re_build_forwarder_assets(1)" /opt/splunk/etc/apps/splunk_monitoring_console/default/macros.conf
[dmc_re_build_forwarder_assets(1)]

I'd then recommend you create a scheduled search with "dmc_re_build_forwarder_assets(48m)".
This can then be called via REST:

curl --silent -k -u admin https://localhost:8089/servicesNS/admin/splunk_monitoring_console/saved/searches/YOUR_SAVED_SEARCH/dispatch -d trigger_actions=1

If you're security conscious and want to put this into a then I'd recommend doing two things:
1. https://stackoverflow.com/questions/33794842/forcing-curl-to-get-a-password-from-the-environment/338...
2. Create a dedicated user and role

The role can be tightened and given just the below:
Restrict search terms: index=_internal sourcetype=splunkd
Capabilities: admin_all_objects, output_file, search
Available search indexes: _internal

I kept running into permission issues unless I gave the "admin_all_objects" capability. Not sure if I missed something or if this is due to some Monitoring Console magic.
The capabilities above are fairly locked down, so I feel like it is a reasonable compromise.

hexx
Splunk Employee

To rebuild the forwarder asset table, you simply have to run the "DMC Forwarder - Build Asset Table" saved search with earliest and latest times that cover the lookback period that you want to consider.

To do so from the REST API, you'd have to POST to the saved/searches/{name}/dispatch endpoint for this search - http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D.2...
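
An added example, not code from either poster or from Splunk: a POSIX shell wrapper for the dispatch call discussed in both answers. It percent-encodes a saved search name that contains spaces, passes `dispatch.earliest_time` and `dispatch.latest_time`, and hands the credentials to curl on stdin instead of the command line. The `SPLUNK_*` variable names, the CA bundle in `SPLUNK_CACERT` (used in place of `-k`) and the function names are assumptions.

```shell
#!/bin/sh
# Added example. All SPLUNK_* names and function names are assumptions.
LC_ALL=C; export LC_ALL

# Percent-encode an ASCII string for use as one URL path segment.
urlencode() {
    s=$1; out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Build the saved-search dispatch URL: base, owner, app, search name.
dispatch_url() {
    printf '%s/servicesNS/%s/%s/saved/searches/%s/dispatch' \
        "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Emit a curl config on stdout so the password never appears in argv.
# Backslashes and double quotes are escaped per curl's config-file quoting.
curl_config() {
    cred=$(printf '%s' "$1:$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'user = "%s"\n' "$cred"
    printf 'url = "%s"\n' "$3"
}

# Dispatch a saved search: search name, earliest time, latest time.
dispatch_saved_search() {
    : "${SPLUNK_USER:?}" "${SPLUNK_PASSWORD:?}" "${SPLUNK_CACERT:?}"
    url=$(dispatch_url "${SPLUNK_BASE:-https://localhost:8089}" \
          "${SPLUNK_OWNER:-$SPLUNK_USER}" \
          "${SPLUNK_APP:-splunk_monitoring_console}" "$1")
    curl_config "$SPLUNK_USER" "$SPLUNK_PASSWORD" "$url" |
        curl --silent --fail --config - --cacert "$SPLUNK_CACERT" \
             --data-urlencode "dispatch.earliest_time=$2" \
             --data-urlencode "dispatch.latest_time=$3" \
             --data-urlencode "trigger_actions=1"
}

# Example: sh thisfile.sh 'DMC Forwarder - Build Asset Table' -24h now
if [ "$#" -eq 3 ]; then dispatch_saved_search "$@"; fi
```

`--fail` makes curl exit non-zero on an HTTP error such as a 403 from a role that lacks a needed capability, so a scheduler can alert on the failure.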
