Using The SplunkJS Stack – Part 1

I’ve recently helped a customer integrate the SplunkJS stack into their own custom web application. I wanted to spread the knowledge so others could learn as well.

What is the SplunkJS stack you ask? The SplunkJS stack is a component of the Splunk Web Framework that allows web developers to create apps in their own development environment allowing them to access and manipulate Splunk data. This allows you greater flexibility over the look and feel of your app, including the use of third party visualization tools like D3 and Keylines.

This blog post will be a three part series. I will be covering the following topics in detail.

  • Authentication to Splunk using a local proxy or CORS (covered in this post)
  • Using the search manager to query and display results
  • Creating a custom third party visualization
  • Before we get started, go download the SplunkJS stack so we’re all on the same page.

    The fist hurdle in using the SplunkJS Stack is figuring out how to communicate with and authenticate against your Splunk search head. When using the SplunkJS stack you need to either use a proxy server or cross-origin resource sharing (CORS). Let’s start with the first method, using a local proxy server.

    Authenticating Via Proxy

    You’re free to use whatever proxy server you wish but I’m going to highlight using Nginx. Nginx (pronounced engine-x) is a free, open-source, high-performance HTTP server and reverse proxy. As of this blog post I’m using the 1.8.0 stable version. I’m going to show how to build Nginx from source and install on CentOS 6.6. If this doesn’t fit your environment you can still leverage the base config and follow the official Nginx install docs.

    Install & Configure Nginx

    You may need to install a few dependencies on your server in order to build Nginx. I was missing the PCRE and OpenSSL developer libraries.

    yum install pcre-devel openssl-devel

    Copy nginx-1.8.0.tar.gz to your server and uncompress it. I’m going to install into /opt/nginx but feel free to adjust. Also note that I’m running the Nginx worker processes as the http user.

    cd nginx-1.8.0
    ./configure --user=http --prefix=/opt/nginx --with-http_ssl_module
    sudo make install

    If you want Nginx to start when the system starts then you’ll need to get an init script. You can download a start script for your OS here. If you’re using Redhat/CentOS you can get the init script directly here. I made a couple slight modifications since I installed in /opt/nginx.


    Make your init script executable.

    chmod 755 /etc/init.d/nginx

    Add the http user

    # useradd http

    Create a directory to host your web app

    mkdir -p /var/www/html/static
    chown -R http.http /var/www/html

    We’ll now need to edit the default Nginx config at /opt/nginx/conf/nginx.conf. Modify the existing server and update the root directory to /var/www/html

    location / {
                root   /var/www/html;
                index  index.html index.htm;

    We’re also going to add a section to proxy to our Splunk search head on the management port 8089. My search head is called splunk-dev and I have an entry in /etc/hosts but you could also use the server IP here. Add this block just below the location you modified above within the server block.

    location /proxy/ {
                proxy_pass https://splunk-dev:8089/;
                proxy_ssl_session_reuse off;

    Lastly, we start Nginx.

    # /etc/init.d/nginx start

    There are a ton of different configuration parameters for Nginx. I am only using a very basic config to illustrate functionality. If you want to learn more, see the docs.

    Install the SplunkJS Stack

    Copy the SplunkJS stack to your server and place it in /var/www/html/static

    Copy Examples

    The SplunkJS stack comes with a directory named tests_and_samples. There are two files we’re going to use in this directory to test connecting to and authenticating with Splunk.

  • test_login.html – example using basic authentication with username/password
  • test_login_function.html – example using more advanced authenticate function
  • Copy both of these files to /var/www/html

    Configure The SplunkJS Stack

    The default config for the SplunkJS stack looks like this. In order to authenticate, at a very minimum you need to provide a dictionary of {username: username, password: password} along with the other parameters (proxyPath, scheme, host, port).

        proxyPath: "/proxy",
        scheme: "https",
        host: "localhost",
        port: 8089,
        authenticate: function (done) {
            // TO DO: Custom function
        onSessionExpired: function(authenticate, done) {
            // TO DO: Custom function
        onDrilldown (drilldown) {
            // TO DO: Custom function

    There’s a great reference on the configuration here.

    If you’d like to see a detailed example of using a custom authentication function and onSessionExpired fuction see this page in the docs.

    Test The Examples

    Now let’s test the examples that we copied to our server in an earlier section. Let’s start with test_login.html. Update the username and password to reflect the credentials you’re using to connect to Splunk. Please note that if you’re using a fresh install with the admin user you need to change the password from the default changeme. Splunk has a built-in security mechanism to block any external access to the REST API using the default password.

            proxyPath: '/proxy',
            scheme: 'https',
            host: 'mysplunkserver',
            port: 8089,
            authenticate: {username: 'admin', password: 'mychangedpassword'}

    Now you can hit this page at http://myserver/test_login.html. You should see a successful connection that looks like this.

    Screen Shot 2015-09-17 at 4.13.59 PM

    You can also update the splunkjs.config in test_login_function.html and test that file if you like.

    Use both of these test pages as boilerplate code to drop into your own custom app.

    Authenticating Via CORS

    What is CORS? Here is what Wikipedia says:

    Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated

    Configure Splunk To Use CORS

    To use CORS in Splunk you do to following.

    Edit $SPLUNK_HOME/etc/system/local/server.conf

    You can add multiple domains/ip’s as a list separated by spaces or commas. You can also use wildcards in your domain names.

    crossOriginSharingPolicy = *://, https://*

    If you wanted to open it wide up you could literally put the following. I don’t suggest it, I’m merely illustrating if you want to simplify for testing purposes.

    crossOriginSharingPolicy = *

    Copy Example

    Copy test_cors.html from the SplunkJS Stack install folder tests_and_samples to /var/www/html on your server.

    Configure The SplunkJS Stack

    Edit /var/www/html/test_cors.html and update the following code block to reflect your envrionment.

    require.config({baseUrl: "../static/"});
            scheme: 'https',
            host: 'mysplunkserver',
            port: 8089,
            authenticate: {username: 'admin', password: 'mychangedpassword' }  

    Test The Example

    Visit http://myserver/test_cors.html to to validate CORS authentication is working. You may need to add a security exception to your browser in order to get it to work. If you run into issues, try accessing your Splunk server and adding a security exception by pasting the following URL in your browser.


    If all is working you should see the following.

    Screen Shot 2015-09-17 at 4.51.38 PM

    That’s it for this post. I’ll update this blog post with links to parts 2 & 3 when they are finished.

    Scott Haskell

    Posted by