Splunk CLI

Splunk started out as a command line search tool. Over time the GUI took over, but it still leverages many of the same underlying search commands, wrapped in a Python web layer. The CLI runs those same searches against the Splunk REST API (management port 8089) using the Splunk binary shipped with the agent, and prints the results in a far more human-readable form than calling the web API directly.

To use the command line interface (CLI), grab the Splunk binary, pass it credentials and a properly formatted search string. You can find Splunk's own documentation here. The rest of the search string is Splunk SPL (Search Processing Language).

  1. Request a Splunk API user via TechSvcsSplunkReq@illinois.edu or the form at https://go.illinois.edu/newsplunkapiuser
    1. Splunk GUI is integrated with SAML. At this time Splunk CLI and API do not have SAML access and require local authentication credentials that are not tied to network logins.
    2. When provisioned, you can test your Service Account (and assess its default settings, permissions, etc.) by logging in to the Web UI at the following URL:  https://illinois.splunkcloud.com/en-US/account/login?loginType=splunk
  2. Install the Splunk Universal Forwarder Agent
  3. Format a query against the API using the Splunk executable located in /opt/splunkforwarder/bin (Linux) or C:\Program Files\SplunkUniversalForwarder\bin (Windows)
    1. Searches from the CLI must specify the URI of the Splunk Search Head that you are querying against (the REST/management port, 8089, not the web port):
       splunk search '<search string>' -uri https://<splunk-server>:8089 -parameter <value>
    2. C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe search 'index=main | stats count by host' -uri https://splunk-on-ramp.machinedata.illinois.edu:8089 -earliest_time -1h@h -latest_time @h
  4. When prompted for credentials, enter the API username and password provided in step 1. Let the CLI prompt for the password rather than embedding it in the command itself, where it would end up in shell history and the process list.
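The procedure above, assembled into a small Bash wrapper as an added example (this is not code from the Splunk at Illinois page or from Splunk). It locates the Universal Forwarder's `splunk` binary, validates the `-earliest_time`/`-latest_time` modifiers against Splunk's relative-time syntax before anything reaches the CLI, and deliberately lets the CLI prompt for the API credentials instead of accepting them as arguments. The `SPLUNK_HOME` override, the `-output csv` and `-maxout 0` options, and the on-ramp hostname used in the usage line are assumptions for illustration; on Windows the same arguments apply to `splunk.exe` from PowerShell.

```bash
#!/usr/bin/env bash
# Added example wrapper around `splunk search` (not the page's own code).
# Assumes the Universal Forwarder is installed under SPLUNK_HOME
# (default /opt/splunkforwarder) or that `splunk` is on PATH.
set -euo pipefail

# Locate the splunk binary shipped with the Universal Forwarder.
find_splunk_bin() {
  local candidate="${SPLUNK_HOME:-/opt/splunkforwarder}/bin/splunk"
  if [ -x "$candidate" ]; then
    printf '%s\n' "$candidate"
    return 0
  fi
  command -v splunk 2>/dev/null && return 0
  return 1
}

# Accept only Splunk relative-time modifiers (now, epoch seconds,
# [+-]N<unit>[@snap], @snap); anything else is rejected before it is
# passed to the CLI, so a caller feeding untrusted time bounds cannot
# smuggle extra arguments through this script.
valid_time_modifier() {
  local unit='(s|sec|m|min|h|hr|d|day|w|week|mon|month|q|qtr|y|yr|year)'
  local snap='@(s|sec|m|min|h|hr|d|day|w[0-7]?|week|mon|month|q|qtr|y|yr|year)'
  local re="^(now|[0-9]+|[+-]?[0-9]+${unit}s?(${snap})?|${snap})$"
  grep -Eq -- "$re" <<<"$1"
}

# run_search <search-head-uri> '<spl>' <earliest> <latest>
# Return codes: 2 = bad time modifier, 3 = splunk binary not found,
# otherwise the exit status of the splunk CLI itself.
run_search() {
  local uri=$1 search=$2 earliest=$3 latest=$4 bin
  valid_time_modifier "$earliest" || { echo "bad earliest_time: $earliest" >&2; return 2; }
  valid_time_modifier "$latest"   || { echo "bad latest_time: $latest" >&2; return 2; }
  bin=$(find_splunk_bin) || { echo "splunk binary not found; install the Universal Forwarder" >&2; return 3; }
  # No -auth user:pass here on purpose: command-line arguments are visible
  # in `ps` and shell history. The CLI prompts for the API account instead.
  "$bin" search "$search" \
    -uri "$uri" \
    -earliest_time "$earliest" \
    -latest_time "$latest" \
    -output csv \
    -maxout 0
}

# Stand-alone usage; with no arguments the functions are only defined.
if [ "$#" -eq 4 ]; then
  run_search "$@"
elif [ "$#" -ne 0 ]; then
  echo "usage: $0 https://splunk-on-ramp.machinedata.illinois.edu:8089 'index=main | stats count by host' -1h@h @h" >&2
  exit 64
fi
```

Because the search string is passed as a single quoted argument, a pipe inside the SPL (`index=main | stats count by host`) is handed to Splunk as-is rather than interpreted by the shell, which is the same reason the page's own example quotes the whole query.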
Splunk at Illinois
Email: splunk-admin@illinois.edu