Poke at our API

With this tool:

$ splunk _internal call <relative rest path>
[-get:<param> <value>] ... [-post:<param> <value>] ...
[-method <http action>] [-multival] [-auth <user>:<pass>]

As mentioned in my previous post, exploring our endpoints is pretty simple to do, by pointing your browser at the Splunk management port. Actually making use of the endpoints requires more work, but this utility makes it easy to get started.

A handy example is restarting an input component, such as reloading the monitor input after editing inputs.conf by hand:

splunk _internal call /data/inputs/monitor/_reload

This is supported by the other components in /data/inputs, as well – browse there and look for the _reload links.

Parameters

  • get:foo bar – adds an HTTP GET parameter to


Protip: Add inputs on a forwarder using a CLI search… like a ninja.

Scenario:
You deploy a Splunk forwarder, disable the web interface, and now you want to add inputs. What do you do? You could SSH to the box, do it through the CLI locally… you stop… think about it… and you think to yourself, “No way, that’s how a pirate rolls.”

You’re a ninja. You use Splunk. You’re going to use a search to add an input to the remote Splunk server (the forwarder) in the same fashion that you throw ninja stars to lay the smack down from a distance every day.

1. Go to the CLI (command line interface) of any server that has Splunk on it (i.e., the indexer).

2. Execute a Splunk CLI search using


More frequent alerts with CLI dispatch

The saved search scheduler that the UI uses runs into trouble when you start running a bunch of searches at the same time. It kicks off one, waits for it to return or time out, and then moves on to the next. If the searches take more than a few seconds to run, or there are dozens of them all with high frequency, it gets overloaded. One way to address this is to take advantage of the new dispatch (asynchronous search). Dispatch is what is behind the REST API search functions, and you can also get to it from the CLI with the “dispatch” command instead of the old “search.”

Old CLI search:

./splunk search "sourcetype=access_combined googlebot | stats count"…
