(Only available for Splunk Enterprise)
Prerequisites
Download/Install/Configure Splunk Enterprise
https://www.splunk.com/en_us/download/splunk-enterprise.html
Download/Install/Configure Splunk REST API Modular Input v1.4
This is a Splunk Modular Input for polling REST APIs and indexing the responses.
https://splunkbase.splunk.com/app/1546/#/details
Dependencies
Splunk 5.0+
Supported on Windows, Linux, MacOS, Solaris, FreeBSD, HP-UX, AIX
Setup
- Untar the release to your $SPLUNK_HOME/etc/apps directory (recommend using 7zip for Windows users)
- Restart Splunk
- Browse to Manager -> Data Inputs -> REST and setup your inputs
Logging
Any modular input log errors will get written to $SPLUNK_HOME/var/log/splunk/splunkd.log
Troubleshooting
You are using Splunk 5+?
Look for any errors in $SPLUNK_HOME/var/log/splunk/splunkd.log?
Any firewalls blocking outgoing HTTP calls?
Are your REST URL, headers, url arguments correct?
Is your authentication setup correctly?
Making HTTP request
Step 1.
Create app token for calling TeamViewer API
- Log into MCO>Administer “Company Profile”>Apps>Create script token
- Name: Splunk integration (your preference)
- Description: Optional
- Connection reporting: View connection entries
Step 2.
Please review TeamViewer’s API documentation page for further requests: https://integrate.teamviewer.com/en/develop/api/documentation/
- Log into the The Splunk web interface: http://HOSTNAME:8000
- Enter the appropriate fields:
- Endpoint URL: https://webapi.teamviewer.com/api/v1/reports/connections
- HTTP Method: GET
- HTTP Header Properties: authorization=Bearer XXXXXX-XXXXXXXXXXXXXXXXX <- your token
- Response Type: json
- Polling interval: (optional as Splunk polls every 60 seconds)
- Set sourcetype: Manual
- Source type: _json
- Save
Step 3.
Reviewing the results
- In top left corner choose Apps>Search & Reporting>Data Summary>Sources (middle tab)>rest(“Name of report”)
- Recommendation is to change from “Raw” view to “Table” view for meaning results
