Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Setting up an ultra-light front-end instance for API request

sgerogia
New Member
‎10-29-2013 06:16 AM

Hello.

In our company we already have a Splunk 5 setup with multiple search heads and indexers.

What I would like to do is setup a local Splunk instance, which would just accept REST API requests, simply relay them to the existing search head(s) and return back results.
As minimum data as possible are to be maintained on this light instance; I like to think of it as a query proxy.

Does Splunk support this topology?

If yes, which settings in the light instance should I look into? Or perhaps some page in the online docs that I have missed?

Thank you,
S.

UPDATE:
I forgot to clarify that, for whatever historical/obscure reason, direct REST API access to the search heads has been disabled.

Tags (1)
0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-01-2013 10:11 AM

You have read this?

http://dev.splunk.com/view/rest-api-overview/SP-CAAADP8

0 Karma
Reply

sgerogia
New Member
‎11-01-2013 10:20 AM

This would obviously be better, I agree.
Namely, make a REST call to the local Splunk which would relay it to the remote search head. Do you know how to set the equivalent of the -uri switch in the API request?

0 Karma
Reply

sgerogia
New Member
‎11-01-2013 10:07 AM

I will (almost) answer my own question after some searching.

A (very brutal) way to do it is by using the CLI commands, namely
* Install Splunk locally and start its daemon
* Launch a query from the command line similar to splunk search 'earliest=-10m latest=-1m index=foo host="bar*" sourcetype="test" "some text" AND NOT "other" ' -uri https://remote-splunk:port

Downside is that the first time you are prompted for username/password of the remote host.

Obviously this will only work well for local scripting or batch jobs, not used by a high request-volume server/process.

I hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...