
Commit f85827d

committed
Adding semantic jobs API
1 parent 68c45e5 commit f85827d


2 files changed

+8
-4
lines changed


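--- a/README.md
+++ b/README.md
@@ -366,6 +366,10 @@ New alerts:
 New reports:
 - `SearchHeadLevel - indexes per dashboard`
 
+Updated reports/alerts:
+- `SearchHeadLevel - Excessive REST API usage` - added semantic jobs endpoints
+- `SearchHeadLevel - platform_stats access summary` - added semantic jobs endpoints
+
 ### 4.0.4
 New reports:
 - `SearchHeadLevel - access logs kvstore usage`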

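--- a/default/savedsearches.conf
+++ b/default/savedsearches.conf
@@ -5309,10 +5309,10 @@ search = | multisearch \
 | rex field=decoded_uri_query "/saved/searches/(?P<report>[^&]+)" \
 | eval report=urldecode(report), source="splunk_web_access" ] \
 [ search index=_internal `searchheadhosts` method=GET sourcetype=splunkd_ui_access \
-| regex uri="^(/([^/]+/){2}__raw/services/search/jobs\?output_mode=json&id=)|(/([^/]+/){2}__raw/servicesNS/([^/]+/){2}search/jobs/[^\?/]+\?output)" \
+| regex uri="^(/([^/]+/){2}__raw/services/search/(v1/|v2/)?jobs\?output_mode=json&id=)|(/([^/]+/){2}__raw/servicesNS/([^/]+/){2}search/jobs/(v1/|v2/)?[^\?/]+\?output)" \
 | rex field=uri "id=(?P<sid>[^&]+)" max_match=20 \
 | eval app=null(), report=null(), view=null() \
-| rex field=uri "^/([^/]+/){2}__raw/servicesNS/([^/]+/)(?P<app>[^/]+)/search/jobs/(?P<sid_2>[^\?]+)\?output" \
+| rex field=uri "^/([^/]+/){2}__raw/servicesNS/([^/]+/)(?P<app>[^/]+)/search/jobs/(v1/|v2/)?(?P<sid_2>[^\?]+)\?output" \
 | eval sid=coalesce(sid,sid_2), prebintime=_time, source="splunkd_ui_access" \
 | bin _time span=2m] \
 [ search index=_internal `searchheadhosts` method=POST status=201 sourcetype=splunkd_ui_access \
@@ -7267,13 +7267,13 @@ quantity = 0
 relation = greater than
 request.ui_dispatch_app = SplunkAdmins
 request.ui_dispatch_view = search
-search = ```attempt to detect overuse of the REST API by non-system users``` index=_internal `searchheadhosts` sourcetype=splunkd_access useragent!="Splunk/*" useragent!="Splunkd/*" user!=splunk-system-user user!=admin user!=- NOT "/results_preview" "/search/jobs/" clientip!="127.0.0.1" ```this is the splunk internal httplib version proxying requests on behalf of clients this will likely change on upgrade, current as of 8.2.2.1``` NOT (`splunkadmins_excessive_rest_api_httplib` "isProxyRequest=true")\
+search = ```attempt to detect overuse of the REST API by non-system users``` index=_internal `searchheadhosts` sourcetype=splunkd_access useragent!="Splunk/*" useragent!="Splunkd/*" user!=splunk-system-user user!=admin user!=- NOT "/results_preview" ("/search/jobs/" OR "/search/v1/jobs/" OR "/search/v2/jobs/") clientip!="127.0.0.1" ```this is the splunk internal httplib version proxying requests on behalf of clients this will likely change on upgrade, current as of 8.2.2.1``` NOT (`splunkadmins_excessive_rest_api_httplib` "isProxyRequest=true")\
 | regex uri!="/control$" \
 | bin _time span=2m \
 | stats count by user, _time \
 | where count>`splunkadmins_excessive_rest_api_threshold` \
 | eval earliest=_time-120, latest=_time+120 \
-| eval query="index=_internal `searchheadhosts` sourcetype=splunkd_access useragent!=\"Splunk/*\" useragent!=\"Splunkd/*\" user!=splunk-system-user user!=admin user!=- NOT \"/results_preview\" \"/search/jobs/\" clientip!=\"127.0.0.1\" NOT (\"Python-httplib2/0.13.1 (gzip)\" \"isProxyRequest=true\") user=" . user . " earliest=" . earliest . " latest=" . latest . " | regex uri!=\"/control$\" | rex field=uri \"/(?P<last_of_url>[^/]+$)\" | streamstats current=false last(_time) AS prev_time by last_of_url | eventstats count AS count_by_last_of_url by last_of_url | eval time_diff=if(isnull(prev_time),null(),prev_time-_time)" \
+| eval query="index=_internal `searchheadhosts` sourcetype=splunkd_access useragent!=\"Splunk/*\" useragent!=\"Splunkd/*\" user!=splunk-system-user user!=admin user!=- NOT \"/results_preview\" (\"/search/jobs/\" OR \"/search/v1/jobs/\" OR \"/search/v2/jobs/\") clientip!=\"127.0.0.1\" NOT (\"Python-httplib2/0.13.1 (gzip)\" \"isProxyRequest=true\") user=" . user . " earliest=" . earliest . " latest=" . latest . " | regex uri!=\"/control$\" | rex field=uri \"/(?P<last_of_url>[^/]+$)\" | streamstats current=false last(_time) AS prev_time by last_of_url | eventstats count AS count_by_last_of_url by last_of_url | eval time_diff=if(isnull(prev_time),null(),prev_time-_time)" \
 | fields - earliest, latest\
 | sort - count
 disabled = 1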
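Review bot: The versioned path segment is placed inconsistently within this commit: the second alternative of the `regex uri=` line at 5312 and the `rex` at 5315 insert it after `jobs/` (`search/jobs/(v1/|v2/)?…`), while the first alternative on that same line and the literals added at 7270 (`"/search/v1/jobs/"`, `"/search/v2/jobs/"`) place it before `jobs`. If the versioned endpoint has the shape `search/v2/jobs/<sid>` as the 7270 literals assume, the 5312 servicesNS branch and the 5315 extraction will not match those requests, so `app` and `sid_2` are silently left null for exactly the traffic this commit means to add. Changing the two fragments to `search/(v1/|v2/)?jobs/[^\?/]+\?output` and `/search/(v1/|v2/)?jobs/(?P<sid_2>[^\?]+)\?output` keeps all three patterns consistent. The `multisearch` that the 5312 hunk belongs to starts and ends outside the hunk.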
