ksconf rest-export

Deprecated since version 0.7.0: You should consider using ksconf rest-publish instead of this one. The only remaining valid use case for rest-export (this command) is for disconnected scenarios. In other words, if you need to push stanzas to a Splunkd instance where you don’t (and can’t) install ksconf, then this command may still be useful to you. In this case, ksconf rest-export can create a shell script that you can transfer to the correct network, and then run the shell script. But for ALL other use cases, the rest-publish command is superior.

Build an executable script of the stanzas in a configuration file that can be later applied to a running Splunk instance via the Splunkd REST endpoint.

This can be helpful when pushing complex props and transforms to an instance where you only have UI access and can’t directly publish an app.

usage: ksconf rest-export [-h] [--output FILE] [--disable-auth-output]
                          [--pretty-print] [-u | -D] [--url URL] [--app APP]
                          [--user USER] [--owner OWNER] [--conf TYPE]
                          [--extra-args EXTRA_ARGS]
                          CONF [CONF ...]

Positional Arguments

CONF Configuration file(s) to export settings from.

Named Arguments

--output, -t Save the shell script output to this file. If not provided, the output is written to standard output.
-u, --update Assume that the REST entities already exist. By default, output assumes stanzas are being created.
-D, --delete Remove existing REST entities. This is a destructive operation. In this mode, stanza attributes are unnecessary and ignored. NOTE: This works for ‘local’ entities only; the default folder cannot be updated.
--url URL of Splunkd. Default: “https://localhost:8089
--app Set the namespace (app name) for the endpoint
--user Deprecated. Use –owner instead.
--owner Set the object owner. Typically, the default of ‘nobody’ is ideal if you want to share the configurations at the app-level.
--conf Explicitly set the configuration file type. By default, this is derived from CONF, but sometimes it’s helpful to set this explicitly. Can be any valid Splunk conf file type. Examples include: ‘app’, ‘props’, ‘tags’, ‘savedsearches’, etc.
--extra-args Extra arguments to pass to all CURL commands. Quote arguments on the command line to prevent confusion between arguments to ksconf vs curl.

Output Control

--disable-auth-output
 Turn off sample login curl commands from the output.
--pretty-print, -p
 Enable pretty-printing. Make shell output a bit more readable by splitting entries across lines.

Warning

For interactive use only!

This command is indented for manual admin workflows. It’s quite possible that shell escaping bugs exist that may allow full shell access if you put this into an automated workflow. Evaluate the risks, review the code, run as a least-privilege user, and be responsible.

Roadmap

For now, the assumption is that curl command will be used. (Patches to support the Power Shell Invoke-WebRequest cmdlet would be greatly welcomed!)

Example

ksconf rest-export --output=apply_props.sh etc/app/Splunk_TA_aws/local/props.conf