Developing Dashboards, Views, and Apps for Splunk Web


Splunk's API is RESTful

Splunk's API is RESTful, meaning that every communication with the API uses HTTP requests to interact with resources within Splunk. There are two main tasks you can do with Splunk's API: run searches and manage Splunk configurations and objects. The REST API is divided into endpoints, or URIs served off of splunkd. All management endpoints behave the same, meaning they take the same global parameters and return responses in the same format. The search endpoints are special cases and behave differently from the configuration endpoints.

In Splunk 4.1, only the search and auth endpoints are fully supported and certified. You can access the endpoints for other functions -- managing configurations and objects, for example -- but these endpoints will not be officially supported by Splunk until a future release.

How to use the REST API

Since Splunk's API is RESTful, it supports GET and POST. The management endpoints also support PUT and DELETE. Use a GET request to retrieve information from a resource and a POST to update a resource. DELETE removes an entire resource, while PUT replaces an entire resource. After receiving your request, Splunk's API sends back an HTTP status code and a response in XML (unless otherwise specified). If you're not familiar with REST or HTTP, we suggest you check out the Wikipedia articles on Representational State Transfer and Hypertext Transfer Protocol.

You can make requests to Splunk's API from a terminal or browser, or within any code. The examples in this manual use curl, but you can use wget, libcurl or any other method to GET and POST in your preferred language. You'll probably want some way to parse the XML responses, too. Your preferred coding language should include libraries to support making HTTP requests and parsing XML responses.

There are two ways to access management endpoints, depending on whether you'll be working with an object or a configuration. Objects are configurations within Splunk that are scoped to users and apps. For example, saved searches, event types and fields are objects. Indexes, inputs, users and roles are configurations. Access objects from within a namespace -- specifying the app and user associated with the object. Access configurations directly. If you're working with objects, read more about how to Interact with objects via REST in this section. If you're working with configurations, read more about how to Manage Splunk via REST. Remember, these endpoints are not currently supported, so proceed at your own risk.
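The following Python helper is an added example, not Splunk's built-in SDK or any code from this manual. It shows the pattern this section describes: authenticate against the auth endpoint, carry the returned session key on later requests, build a namespaced URI for an object, and parse the XML responses. The endpoint paths and XML shapes follow splunkd's conventions but are assumptions, since the page does not list them; the sample responses are constructed.

```python
"""Helper for talking to splunkd's RESTful endpoints (added example, not the SDK).
Assumptions not stated on this page: /services/auth/login returns <sessionKey>,
/servicesNS/<user>/<app>/<path> addresses namespaced objects, a POST to
/services/search/jobs returns <sid>, and errors arrive as <messages><msg>.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

def build_login_request(base_url, username, password):
    """URL and form-encoded POST body for the auth endpoint. Credentials go in
    the body, not the query string, so they stay out of proxy and access logs."""
    url = f"{base_url.rstrip('/')}/services/auth/login"
    return url, urlencode({"username": username, "password": password})

def _error_text(root):
    """Join any <msg> elements Splunk attaches to a failed request."""
    return "; ".join(m.text or "" for m in root.iter("msg"))

def parse_session_key(xml_text):
    """Extract the session key from a login response; raise on a failed login."""
    root = ET.fromstring(xml_text)
    key = root.findtext("sessionKey")
    if not key:
        raise ValueError(f"login failed: {_error_text(root) or 'no sessionKey'}")
    return key.strip()

def auth_header(session_key):
    """Header that authenticates every later request (the key is a credential)."""
    return {"Authorization": f"Splunk {session_key}"}

def object_url(base_url, user, app, path):
    """Namespaced URI for an object such as saved/searches or eventtypes."""
    return (f"{base_url.rstrip('/')}/servicesNS/"
            f"{quote(user, safe='')}/{quote(app, safe='')}/{path}")

def parse_search_sid(xml_text):
    """Search job id returned when a search is POSTed to the search endpoint."""
    root = ET.fromstring(xml_text)
    sid = root.findtext("sid")
    if not sid:
        raise ValueError(f"search job not created: {_error_text(root) or 'no sid'}")
    return sid.strip()

# Constructed sample responses (shaped like splunkd's XML, not captured traffic).
LOGIN_OK = "<response><sessionKey>constructed-key-0123</sessionKey></response>"
LOGIN_FAIL = ('<response><messages><msg type="ERROR">Login failed</msg>'
              "</messages></response>")
JOB_OK = "<response><sid>1300000000.42</sid></response>"
```

Send the login body and later requests over HTTPS to the management port so the password and session key are not exposed in transit.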

SDKs

Splunk currently provides SDKs -- wrapper functions, methods and modules for the REST API -- in Python and Java.

Python SDK

Splunk ships with a built-in SDK. You can access the available methods by running Pydoc from the command line. More on the Python SDK.

Java SDK

There is an open-source Java SDK project available at Google code. Please note that this SDK is not currently supported. You can, however, request help on the Splunk Google code forums.

Java SDK is available here: http://code.google.com/p/splunk-java-sdk/

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8
