Frequently Used Rest Commands In Splunk

The rest command is one of the most commonly used commands in Splunk to interact with the Splunk REST API and access or manage resources programmatically. Here are some of the most common use cases and examples of using the rest command in Splunk:

Accessing search job information

The rest command can be used to retrieve information about search jobs, including jobs launched from saved searches, from the Splunk REST API:

| rest /services/search/jobs count=0 splunk_server=local | search isSavedSearch=1        

This will return information on all the saved search jobs configured in Splunk. The count=0 parameter disables any limits on results, and splunk_server=local specifies to retrieve jobs from the local Splunk instance.

Listing all users and roles

To retrieve a list of all configured users and their assigned roles:

| rest /services/authentication/users
| table title, roles

The /services/authentication/users endpoint provides access to user account information.

Retrieving user login details

More detailed user account information including last login time can be accessed with:

| rest /services/authentication/users
| fields email id last_successful_login
| eval last_successful_login=strftime(last_successful_login,"%Y-%m-%d:%H-%M-%S")
| rename last_successful_login as "Last Login"

The fields command specifies which user account fields to return, eval converts the epoch timestamp to a readable format, and the new field name must be quoted because it contains a space.
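As an added example that is not part of the original article, the users endpoint above can also drive a small account-hygiene audit: it lists accounts holding a privileged role that have never logged in or have not logged in for 90 days. The role names admin, sc_admin and power and the 90-day threshold are assumptions to adjust for your deployment.

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles email last_successful_login
| eval days_since_login = if(isnotnull(last_successful_login), round((now() - last_successful_login) / 86400), null())
| eval privileged = if(mvfind(roles, "^(admin|sc_admin|power)$") >= 0, "yes", "no")
| where privileged="yes" AND (isnull(days_since_login) OR days_since_login > 90)
| eval last_login = if(isnotnull(last_successful_login), strftime(last_successful_login, "%Y-%m-%d %H:%M:%S"), "never")
| table title email roles last_login days_since_login
```

roles is a multivalue field in the rest output, so mvfind is used rather than a plain string comparison; accounts that have never logged in carry no last_successful_login value and are reported as "never".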

Listing active logged in users

To see currently logged in users:

| rest splunk_server=local /services/authentication/current-context 
| rename username as active_users
| fields active_users        

The current-context endpoint provides information on active user sessions.

Retrieving license usage information

To retrieve current daily license usage statistics:

| rest /services/licenser/pools        

The /services/licenser/pools endpoint provides access to licensing usage data.

Retrieving Owner and last Updated Time of a Saved Search

| rest /servicesNS/-/-/saved/searches
| where 'eai:acl.owner' != "nobody"
| table updated title eai:acl.owner

The updated field gives the time the report was last modified, and eai:acl.owner gives the owner of the report.

Retrieve roles of each server in a cluster

| rest /services/cluster/master/info
| table label, role, uri

You need administrative privileges to get a response from the above command.
