Because of limitations in the Splunk application's SAML support, and because Splunk can integrate with only a single external authentication provider, authentication to the API (and to ODBC) is not integrated with network logins at this time. A dedicated "Splunk Auth" account must be used instead. An enhancement request has been filed for this limitation.
- Request an API account by emailing TechSvcsSplunkReq@illinois.edu or via the form at https://go.illinois.edu/newsplunkapi
- When provisioned, you can test your service account (and review its default settings, permissions, etc.) by logging in to the Web UI at https://illinois.splunkcloud.com/en-US/account/login?loginType=splunk (the `loginType=splunk` parameter selects local Splunk authentication rather than the SAML login)
- Format a query against the API. The search string follows Splunk Search Processing Language (SPL); as in the examples below, it must begin with the `search` command (or with `|` followed by another generating command). Note that the API listens on the management port, 8089, not on 443.
- A simple example:

```sh
$ curl -u 'splunk-auth-username:password' https://illinois.splunkcloud.com:8089/services/search/jobs/export -d search="search index=main earliest=-1d@d latest=@d | stats count by host" -d output_mode=json
```

- A modification of the above example, where one specifies a user (in this case "sa-myserviceaccount") and app ("uofi_urb_myunit") context through the `servicesNS` namespace:

```sh
$ curl -u 'splunk-auth-username:password' https://illinois.splunkcloud.com:8089/servicesNS/sa-myserviceaccount/uofi_urb_myunit/search/jobs/export -d search="search index=main earliest=-1d@d latest=@d | stats count by host" -d output_mode=json
```

Two practical cautions: a password given inline to `-u` is written to your shell history and is visible to other local users in the process list while curl runs, so prefer `-u 'splunk-auth-username'` (curl then prompts for the password) or `--netrc` with a permission-restricted file. Also, `-d` sends the search string as typed; if your SPL contains characters such as `&`, `+` or `%`, use `--data-urlencode search="..."` instead so they are not misread as form encoding.
- A simple Python example (using the `requests` library):

```python
import requests

# Endpoint on the Production Search Cloud environment (see the API Environments table below)
url = 'https://illinois.splunkcloud.com:8089/services/search/jobs/export'

username = '<USERNAME>'
password = '<PASSWORD>'

# The term 'search' precedes the SPL search string
query = 'search index=main sourcetype=syslog earliest=-1d@d | dedup host'  # example

data = {
    "search": query,
    "preview": "false",              # return only final rows, no partial previews
    "output_mode": '<OUTPUT MODE>',  # csv, json, or xml
}

# HTTP Basic authentication with the dedicated Splunk Auth account
response = requests.post(url, data=data, auth=(username, password))
response.raise_for_status()
print(response.text)
```
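The following is an added, stand-alone example that is not part of the original page or of the Splunk SDK. It puts the pieces of the two curl examples and the Python snippet above into reusable functions: building the `services` or `servicesNS` export URL, forming the search parameters (adding the leading `search` command when it is missing, and passing the time window through the endpoint's `earliest_time`/`latest_time` form parameters instead of inside the SPL), sending the same HTTP Basic credentials that `curl -u` sends, and parsing the newline-delimited JSON that `search/jobs/export` streams back when `output_mode=json`. It uses only the standard library (`urllib` rather than `requests`) so the non-network helpers can be exercised offline; the sample response is constructed for illustration, not captured from the real service, and the `run_export` function is the only one that contacts the server.

```python
import base64
import json
import urllib.parse
import urllib.request

# Base URLs from the "API Environments" table on this page.
PROD_BASE = "https://illinois.splunkcloud.com:8089"
TEST_BASE = "https://dev-illinois.splunkcloud.com:8089"


def export_url(base_url, owner=None, app=None):
    """Endpoint for search/jobs/export. With owner and app it uses the servicesNS
    namespace, which runs the search in that user/app context (second curl example)."""
    if owner and app:
        return (f"{base_url}/servicesNS/{urllib.parse.quote(owner, safe='')}"
                f"/{urllib.parse.quote(app, safe='')}/search/jobs/export")
    return f"{base_url}/services/search/jobs/export"


def build_search(spl, earliest="-1d@d", latest="@d"):
    """Form parameters for the export endpoint. The REST API needs the search string
    to start with the 'search' command unless it already starts with '|' (a
    generating command such as tstats); earliest_time/latest_time pin the window."""
    spl = spl.strip()
    if not spl.startswith("|") and not spl.startswith("search "):
        spl = "search " + spl
    return {
        "search": spl,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": "json",   # one JSON object per line (see parse_export_json)
        "preview": "false",      # do not stream partial (preview) rows
    }


def basic_auth_header(username, password):
    """What curl -u sends: an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def parse_export_json(text):
    """output_mode=json on the export endpoint returns newline-delimited JSON, one
    object per row, each with a 'preview' flag and a 'result' dict of field -> value
    (values arrive as strings). Preview rows are dropped; only final rows are kept."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def count_by_host(rows):
    """Turn '| stats count by host' rows into {host: int}."""
    return {row["host"]: int(row["count"]) for row in rows}


def run_export(base_url, username, password, spl, owner=None, app=None, timeout=300):
    """POST the search and return the parsed final rows. This is the only function
    that touches the network; the others can be exercised offline."""
    body = urllib.parse.urlencode(build_search(spl)).encode("utf-8")
    req = urllib.request.Request(export_url(base_url, owner, app), data=body,
                                 headers=basic_auth_header(username, password),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_export_json(resp.read().decode("utf-8"))


# Constructed sample of what the export endpoint streams back for the page's
# '| stats count by host' query (not captured from the real service).
SAMPLE_EXPORT = "\n".join([
    '{"preview":true,"offset":0,"result":{"host":"web01","count":"2"}}',
    '{"preview":false,"offset":0,"result":{"host":"web01","count":"5"}}',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"host":"web02","count":"3"}}',
])

if __name__ == "__main__":
    print(export_url(PROD_BASE, "sa-myserviceaccount", "uofi_urb_myunit"))
    print(build_search("index=main | stats count by host"))
    print(count_by_host(parse_export_json(SAMPLE_EXPORT)))
    # Live call (needs a provisioned Splunk Auth account):
    # print(count_by_host(run_export(PROD_BASE, "<USERNAME>", "<PASSWORD>",
    #                                "index=main | stats count by host")))
```

The preview filter matters even though `preview=false` is requested: if a caller forgets that parameter, the export endpoint interleaves partial rows flagged `"preview": true` with the final ones, and summing those would double-count. Keeping the credentials out of the URL and out of the search string, and reading them from an environment variable or a permission-restricted file in real use, mirrors the caution about `curl -u` above.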
API Environments
| Environment | URL |
|---|---|
| Production – Search Cloud | https://illinois.splunkcloud.com:8089 |
| Test – Search Cloud | https://dev-illinois.splunkcloud.com:8089 |