Output formats via XML
This documentation does not apply to the most recent version of Splunk.
Splunk's REST endpoints provide two different XML response formats: generic and Atom-based. In addition, some search endpoints can return other formats, including CSV, raw text, XML, and JSON. Use output_mode, as described in search jobs, to specify the format for search results.
Example Generic Response
<response>
  <parentNode>
    <dataNode></dataNode>
    <dataNode></dataNode>
    <dataNode></dataNode>
  </parentNode>
</response>
Example Generic Response with Messaging
<response>
  <messages>
    <msg type="DEBUG">this is a message</msg>
    <msg type="INFO">this is a message</msg>
    <msg type="WARN">this is a message</msg>
    <msg type="ERROR">this is a message</msg>
    <msg type="SIGNAL">this is a message</msg>
    <msg type="PERSISTENT">this is a message</msg>
  </messages>
</response>
Example Generic Response with Messaging (via error codes)
<response>
  <messages>
    <msg type="DEBUG" code="1001"></msg>
    <msg type="INFO" code="2038">
      <param name="username">mildred</param>
      <param name="action">edit</param>
    </msg>
  </messages>
</response>
Example Atom Feed Response
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>properties</title>
  <id>https://localhost:8089/services/properties</id>
  <updated>2008-01-29T11:40:58-0800</updated>
  <generator version="31758"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>alert_actions</title>
    <id>https://localhost:8089/services/properties/alert_actions</id>
    <updated>2008-01-29T11:40:58-0800</updated>
    <link href="https://localhost:8089/services/properties/alert_actions" rel="alternate"/>
  </entry>
  <entry>
    <title>api</title>
    <id>https://localhost:8089/services/properties/api</id>
    <updated>2008-01-29T11:40:58-0800</updated>
    <link href="https://localhost:8089/services/properties/api" rel="alternate"/>
  </entry>
</feed>
Example Atom Feed with Messaging
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <s:messages>
    <s:msg type="ERROR">this is a message</s:msg>
    <s:msg type="INFO">this is a message</s:msg>
  </s:messages>
  <title>properties</title>
  <id>https://localhost:8089/services/properties</id>
  <updated>2008-01-29T11:40:58-0800</updated>
  <generator version="31758"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <s:messages>
      <s:msg type="ERROR">this is a message</s:msg>
      <s:msg type="INFO">this is a message</s:msg>
    </s:messages>
    <title>alert_actions</title>
    <id>https://localhost:8089/services/properties/alert_actions</id>
    <updated>2008-01-29T11:40:58-0800</updated>
    <link href="https://localhost:8089/services/properties/alert_actions" rel="alternate"/>
  </entry>
  <entry>
    <title>api</title>
    <id>https://localhost:8089/services/properties/api</id>
    <updated>2008-01-29T11:40:58-0800</updated>
    <link href="https://localhost:8089/services/properties/api" rel="alternate"/>
  </entry>
</feed>
Example Atom Entry Response
<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>alert_actions</title>
  <id>https://localhost:8089/services/properties/alert_actions</id>
  <updated>2008-01-29T11:40:58-0800</updated>
  <link href="https://localhost:8089/services/properties/alert_actions" rel="alternate"/>
</entry>
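A client can tell the formats above apart by the root element and read messages at feed level, at entry level, or from a generic response. The Python sketch below is an added example, not Splunk's own code. The function names, the constructed samples, the rejection of any DTD, and the assumption that <param> elements in Atom responses share the namespace of their <msg> are not taken from this page.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SPLUNK = "{http://dev.splunk.com/ns/rest}"  # bound to the s: prefix in the Atom examples

def _messages(node, ns):
    """Collect <messages>/<msg> directly under node; ns is "" for generic responses."""
    return [{
        "type": msg.get("type"),
        "code": msg.get("code"),  # present only in the error-code variant
        "text": (msg.text or "").strip(),
        # Assumption: <param> children share the namespace of their <msg>.
        "params": {p.get("name"): (p.text or "").strip()
                   for p in msg.findall(f"{ns}param")},
    } for msg in node.findall(f"{ns}messages/{ns}msg")]

def parse_response(data: bytes) -> dict:
    # None of the documented formats carries a DTD, so refuse one outright
    # rather than let the parser expand entity declarations.
    if b"<!DOCTYPE" in data:
        raise ValueError("DTD not allowed in REST response")
    root = ET.fromstring(data)
    if root.tag == "response":
        return {"format": "generic", "messages": _messages(root, ""), "entries": []}
    if root.tag == ATOM + "feed":
        top, entries = _messages(root, SPLUNK), root.findall(ATOM + "entry")
    elif root.tag == ATOM + "entry":
        top, entries = [], [root]  # a lone entry has no feed-level messages
    else:
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {"format": "atom", "messages": top, "entries": [
        {"title": e.findtext(ATOM + "title"), "id": e.findtext(ATOM + "id"),
         "messages": _messages(e, SPLUNK)} for e in entries]}

# Constructed samples modelled on the examples above.
GENERIC_SAMPLE = b"""<response><messages>
<msg type="INFO" code="2038"><param name="username">mildred</param><param name="action">edit</param></msg>
</messages></response>"""

ATOM_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<s:messages><s:msg type="ERROR">this is a message</s:msg></s:messages>
<entry><s:messages><s:msg type="INFO">this is a message</s:msg></s:messages>
<title>alert_actions</title><id>https://localhost:8089/services/properties/alert_actions</id></entry>
<entry><title>api</title><id>https://localhost:8089/services/properties/api</id></entry>
</feed>"""

if __name__ == "__main__":
    print(parse_response(GENERIC_SAMPLE), parse_response(ATOM_SAMPLE), sep="\n")
```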
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14