REST API Reference

 


About the Splunk REST API

This documentation does not apply to the most recent version of Splunk.

Splunk's API is RESTful

Splunk's API is RESTful, which means it uses HTTP requests to interact with resources within Splunk. Both Splunk Web and the Splunk CLI use Splunk’s REST API to communicate with a Splunk instance. You can use the REST API to configure and manage a Splunk instance, create and run searches in Splunk, or create your own applications that interact with Splunk.

You can use any language or tool that supports HTTP calls to access the Splunk REST API.

Note: The Splunk REST API Reference examples use cURL to illustrate REST access to Splunk resources. However, you can use wget, libcurl or any other method to access the REST API.


Accessing Splunk resources

Splunk resources are identified by URLs that map to endpoints. You can access the resources using a web browser, curl or other command-line tools, or through programming language tools.

splunkd is the server for the REST API endpoints. The Splunk REST API Reference categorizes and lists the endpoints available for development.

You can view the endpoints available in a Splunk instance by pointing a web browser at the Splunk management port:

https://localhost:8089/services

For example, the following curl command creates a search:

curl -u admin:pass \
     -k https://localhost:8089/services/search/jobs \
     -d "search=search *"

Note: 8089 is the default Splunk management port. The management port in your Splunk installation may vary. Examples in this reference use the default management port.
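
The same search-job request with certificate verification left on and the password kept off the command line, as an added example that is not part of the Splunk documentation: `-k` in the command above turns off verification of splunkd's TLS certificate, and `-u admin:pass` leaves the password in shell history and the process list. The function names and the CA bundle path are assumptions; the CA must be the one that signed splunkd's certificate, and the certificate must match the host name in the URL.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation). Function names and the
# CA bundle path are assumptions.

# Escape backslashes and double quotes for a quoted value in a curl config file.
# printf is a shell builtin, so the value never appears in another process's argv.
esc() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Write a private (mode 0600) curl config file and print its path.
#   $1 = user, $2 = password, $3 = CA bundle that signed splunkd's certificate
write_curl_config() {
    cfg=$(umask 077; mktemp "${TMPDIR:-/tmp}/splunk-curl.XXXXXX") || return 1
    {
        printf 'user = "%s:%s"\n' "$(esc "$1")" "$(esc "$2")"
        printf 'cacert = "%s"\n' "$(esc "$3")"
        printf 'fail\nsilent\nshow-error\n'
    } > "$cfg"
    printf '%s\n' "$cfg"
}

# POST a new search job, as in the curl command above, but with the certificate
# verified against the CA (no -k) and credentials read from the config file.
#   $1 = config file, $2 = base URL, $3 = search string
create_search_job() {
    curl --config "$1" --data-urlencode "search=$3" "$2/services/search/jobs"
}

# Usage (prompts for the password instead of passing it as an argument):
#   printf 'Password: '; stty -echo; read -r PW; stty echo; echo
#   cfg=$(write_curl_config admin "$PW" /path/to/splunk-ca.pem)
#   create_search_job "$cfg" https://localhost:8089 'search *'
#   rm -f "$cfg"
```
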

API differences between Splunk 4.2 and Splunk 4.3

This version of the Splunk REST API Reference contains endpoints available for Splunk 4.3. With few exceptions, endpoints available in Splunk 4.3 are also available in Splunk 4.2.

Several endpoints available for Splunk 4.2 have been implemented differently for Splunk 4.3.

Endpoints available in Splunk 4.2 implemented differently in Splunk 4.3

/directory (Splunk 4.3)
/admin/directory (Splunk 4.2)

Provides access to user configurable objects.


storage/passwords (Splunk 4.3)
admin/passwords (Splunk 4.2)

Allows for management of secure credentials.


Endpoints available only in Splunk 4.3

indexing/preview
Preview events from a source file before you index the file.

indexing/preview/{job_id}
Return the props.conf settings for a data preview job.

Parameters to endpoints available only in Splunk 4.3

authentication/users
POST tz: configure the timezone for a user.


apps/local
POST configured: Determine if setup has been run for an application.


apps/local/{name}/setup
GET <arbitrary_key>


apps/local/{name}/update
GET <arbitrary_key>


data/indexes
POST enableOnlineBucketRepair
POST maxRunningProcessGroupsLowPriority


data/props/lookups
POST lookup.field.input.*
POST lookup.field.output.*

data/props/fieldaliases
POST alias.*

saved/searches
POST action.*
POST args.*
POST dispatch.*


saved/searches/{name}/acknowledge
saved/searches/{name}/dispatch
POST <arbitrary_key>


saved/searches/{name}/history
saved/searches/{name}/suppress
GET <arbitrary_key>


scheduled/views/{name}
POST action.email*


scheduled/views/{name}/dispatch
POST action.email*


scheduled/views/{name}/history
GET action.email*

This documentation applies to the following versions of Splunk: 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6