Inputs
This documentation does not apply to the most recent version of Splunk.
Contents
- data/inputs/ad
- GET data/inputs/ad
- POST data/inputs/ad
- data/inputs/ad/{name}
- DELETE data/inputs/ad/{name}
- GET data/inputs/ad/{name}
- POST data/inputs/ad/{name}
- data/inputs/monitor
- GET data/inputs/monitor
- POST data/inputs/monitor
- data/inputs/monitor/{name}
- DELETE data/inputs/monitor/{name}
- GET data/inputs/monitor/{name}
- POST data/inputs/monitor/{name}
- data/inputs/monitor/{name}/members
- GET data/inputs/monitor/{name}/members
- data/inputs/oneshot
- GET data/inputs/oneshot
- POST data/inputs/oneshot
- data/inputs/oneshot/{name}
- GET data/inputs/oneshot/{name}
- data/inputs/registry
- GET data/inputs/registry
- POST data/inputs/registry
- data/inputs/registry/{name}
- DELETE data/inputs/registry/{name}
- GET data/inputs/registry/{name}
- POST data/inputs/registry/{name}
- data/inputs/script
- GET data/inputs/script
- POST data/inputs/script
- data/inputs/script/restart
- POST data/inputs/script/restart
- data/inputs/script/{name}
- DELETE data/inputs/script/{name}
- GET data/inputs/script/{name}
- POST data/inputs/script/{name}
- data/inputs/tcp/cooked
- GET data/inputs/tcp/cooked
- POST data/inputs/tcp/cooked
- data/inputs/tcp/cooked/{name}
- DELETE data/inputs/tcp/cooked/{name}
- GET data/inputs/tcp/cooked/{name}
- POST data/inputs/tcp/cooked/{name}
- data/inputs/tcp/cooked/{name}/connections
- GET data/inputs/tcp/cooked/{name}/connections
- data/inputs/tcp/raw
- GET data/inputs/tcp/raw
- POST data/inputs/tcp/raw
- data/inputs/tcp/raw/{name}
- DELETE data/inputs/tcp/raw/{name}
- GET data/inputs/tcp/raw/{name}
- POST data/inputs/tcp/raw/{name}
- data/inputs/tcp/raw/{name}/connections
- GET data/inputs/tcp/raw/{name}/connections
- data/inputs/tcp/ssl
- GET data/inputs/tcp/ssl
- data/inputs/tcp/ssl/{name}
- GET data/inputs/tcp/ssl/{name}
- POST data/inputs/tcp/ssl/{name}
- data/inputs/udp
- GET data/inputs/udp
- POST data/inputs/udp
- data/inputs/udp/{name}
- DELETE data/inputs/udp/{name}
- GET data/inputs/udp/{name}
- POST data/inputs/udp/{name}
- data/inputs/udp/{name}/connections
- GET data/inputs/udp/{name}/connections
- data/inputs/win-event-log-collections
- GET data/inputs/win-event-log-collections
- POST data/inputs/win-event-log-collections
- data/inputs/win-event-log-collections/{name}
- DELETE data/inputs/win-event-log-collections/{name}
- GET data/inputs/win-event-log-collections/{name}
- POST data/inputs/win-event-log-collections/{name}
- data/inputs/win-wmi-collections
- GET data/inputs/win-wmi-collections
- POST data/inputs/win-wmi-collections
- data/inputs/win-wmi-collections/{name}
- DELETE data/inputs/win-wmi-collections/{name}
- GET data/inputs/win-wmi-collections/{name}
- POST data/inputs/win-wmi-collections/{name}
- data/inputs/win-perfmon
- GET data/inputs/win-perfmon
- POST data/inputs/win-perfmon
- data/inputs/win-perfmon/{name}
- DELETE data/inputs/win-perfmon/{name}
- GET data/inputs/win-perfmon/{name}
- POST data/inputs/win-perfmon/{name}
- indexing/preview
- GET indexing/preview
- POST indexing/preview
- indexing/preview/{job_id}
- GET indexing/preview/{job_id}
- receivers/simple
- POST receivers/simple
- receivers/stream
- POST receivers/stream
Inputs
Use the Inputs endpoints to manage data sent to Splunk servers.
data/inputs/*
Create and manage data inputs to Splunk servers.
receivers/*
Create and manage HTTP streaming of events to Splunk servers.
data/inputs/ad
Provides access to Active Directory monitoring input.
GET data/inputs/ad
Gets current AD monitoring configuration.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Boolean predicate to filter results. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort the entries returned in ascending or descending order. |
| sort_key | String | | name | Field to sort by. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view AD monitoring configuration. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| disabled | Indicates whether the monitoring is disabled. |
| index | The index in which to store the gathered data. |
| monitorSubtree | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. |
| startingNode | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. |
| targetDc | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk obtains the local computer's DC. |
Example
Lists all configured AD monitoring stanzas.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/ad
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/services/data/inputs/ad</id>
<updated>2011-07-29T19:13:28-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/ad/_new" rel="create"/>
<link href="/services/data/inputs/ad/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>NearestDC</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/ad/NearestDC</id>
<updated>2011-07-29T19:13:28-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="index">default</s:key>
<s:key name="monitorSubtree">1</s:key>
<s:key name="startingNode"/>
<s:key name="targetDc"/>
</s:dict>
</content>
</entry>
</feed>
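The response above is an Atom feed whose per-entry content uses Splunk's own s:dict, s:list and s:key vocabulary, with further s:dict elements nested inside (the eai:attributes key in the GET data/inputs/ad/{name} response is one such case). As an added example, not code from this page or from Splunk, the following Python parser turns such a feed into plain dictionaries and then reports which inputs are enabled. The feed it parses is a constructed, shortened copy of the response above with a second entry added; the namespace URIs are the ones declared in that response.

```python
import xml.etree.ElementTree as ET

# Namespaces declared in the feed above: Atom plus Splunk's REST vocabulary.
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "s": "http://dev.splunk.com/ns/rest",
}
S_DICT = "{%s}dict" % NS["s"]
S_LIST = "{%s}list" % NS["s"]


def _convert(node):
    """Turn an <s:dict>, <s:list>, <s:key> or <s:item> element into Python data."""
    if node.tag == S_DICT:
        return {key.get("name"): _convert(key) for key in node.findall("s:key", NS)}
    if node.tag == S_LIST:
        return [_convert(item) for item in node.findall("s:item", NS)]
    # <s:key>/<s:item>: either wraps one nested dict/list or carries plain text.
    children = list(node)
    if children:
        return _convert(children[0])
    return (node.text or "").strip()


def parse_entries(feed_xml):
    """Map each <entry> title to the dict found inside its <content> element."""
    root = ET.fromstring(feed_xml)
    entries = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", default="", namespaces=NS)
        content = entry.find("atom:content/s:dict", NS)
        entries[title] = _convert(content) if content is not None else {}
    return entries


def enabled_inputs(entries):
    """Sorted titles of inputs whose 'disabled' key is 0 (or absent)."""
    return sorted(name for name, cfg in entries.items() if cfg.get("disabled", "0") == "0")


# Constructed sample: a shortened copy of the GET data/inputs/ad response above,
# plus a second, enabled entry (the nested eai:attributes dict is also exercised).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <entry>
    <title>NearestDC</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">1</s:key>
        <s:key name="startingNode"/>
        <s:key name="targetDc"/>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>newdc</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="requiredFields">
              <s:list><s:item>monitorSubtree</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_FEED)
    for name, cfg in parsed.items():
        print(name, cfg)
    print("enabled:", enabled_inputs(parsed))
```

The same parser works unchanged for the monitor, script, tcp and udp feeds later on this page, since they all share the entry/content/s:dict layout; only the key names differ.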
POST data/inputs/ad
Creates a new AD monitoring stanza or modifies an existing one.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| monitorSubtree | Number | ✓ | 1 | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. |
| name | String | ✓ | | A unique name that represents a configuration or set of configurations for a specific domain controller (DC). |
| disabled | Number | | 1 | Indicates whether the monitoring is disabled. |
| index | String | | | The index in which to store the gathered data. |
| startingNode | String | | | Where in the Active Directory directory tree to start monitoring. If not specified, will attempt to start at the root of the directory tree. |
| targetDc | String | | | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk will obtain the local computer's DC. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create monitoring stanza. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Creates a new AD monitoring stanza, naming it 'newdc', without sub-tree monitoring.
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/inputs/ad \
    -d monitorSubtree=0 \
    -d name=newdc
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:14:57-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/ad/{name}
DELETE data/inputs/ad/{name}
Deletes a given AD monitoring stanza.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete AD monitoring stanza. |
| 404 | AD monitoring stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Deletes a given stanza.
curl -k -u admin:pass --request DELETE \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:22:50-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/ad/{name}
Gets the current configuration for a given AD monitoring stanza.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view AD monitoring configuration. |
| 404 | AD monitoring stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| disabled | Indicates whether the monitoring is disabled. |
| eai:attributes | See Accessing Splunk resources. |
| index | The index in which to store the gathered data. |
| monitorSubtree | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. |
| startingNode | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. |
| targetDc | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk obtains the local computer's DC. |
Example
Gets configuration for a given AD monitoring stanza.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:18:18-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>newdc</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad/newdc</id>
<updated>2011-07-29T19:18:18-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>startingNode</s:item>
<s:item>targetDc</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>monitorSubtree</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubtree">0</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/ad/{name}
Modifies a given AD monitoring stanza.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| monitorSubtree | Number | ✓ | 1 | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. |
| disabled | Number | | 1 | Indicates whether the monitoring is disabled. |
| index | String | | | The index in which to store the gathered data. |
| startingNode | String | | | Where in the Active Directory directory tree to start monitoring. If not specified, will attempt to start at the root of the directory tree. |
| targetDc | String | | | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk will obtain the local computer's DC. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit AD monitoring stanza. |
| 404 | AD monitoring stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Modifies an existing AD monitoring stanza.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc \
    -d monitorSubtree=1
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:20:16-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/monitor
Provides access to monitor inputs.
GET data/inputs/monitor
List enabled and disabled monitor inputs.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example, search=foo matches any object that has "foo" as a substring in a field; search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view monitored input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _TCP_ROUTING | List of TCP forwarding groups, as specified in outputs.conf. |
| disabled | Indicates if inputs monitoring is disabled. |
| filecount | Number of files monitored. |
| host | Name of the Splunk host for which inputs are monitored. |
| index | The index events from this input should be stored in. |
| sourcetype | Source type being monitored. The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk formats your data. |
Example
Provides information on all enabled and disabled inputs for monitoring by this Splunk instance.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/monitor
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/services/data/inputs/monitor</id>
<updated>2011-07-10T14:25:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/monitor/_new" rel="create"/>
<link href="/services/data/inputs/monitor/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>$SPLUNK_HOME/etc/splunk.version</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
<updated>2011-07-10T14:25:53-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_TCP_ROUTING">*</s:key>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="filecount">1</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">_internal</s:key>
<s:key name="sourcetype">splunk_version</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/monitor
Create a new file or directory monitor input.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| name | String | ✓ | | The file or directory path to monitor on the system. |
| blacklist | String | | | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. |
| check-index | Boolean | | | If set to true, the "index" value will be checked to ensure that it is the name of a valid index. |
| check-path | Boolean | | | If set to true, the "name" value will be checked to ensure that it exists. |
| crc-salt | String | | | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). |
| followTail | Boolean | | | If set to true, files that are seen for the first time will be read from the end. |
| host | String | | | The value to populate in the host field for events from this data input. |
| host_regex | String | | | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. |
| host_segment | Number | | | Use the specified slash-separated segment of the file path as the host field value. |
| ignore-older-than | String | | | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer monitored. |
| index | String | | default | Which index events from this input should be stored in. |
| recursive | Boolean | | | Setting this to "false" will prevent monitoring of any subdirectories encountered within this data input. |
| rename-source | String | | | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. |
| sourcetype | String | | | The value to populate in the sourcetype field for incoming events. |
| time-before-close | Number | | | When Splunk reaches the end of a file that is being read, the file will be kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file will be checked again for more data. |
| whitelist | String | | | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create monitored input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Configures the Unix /var/log directory as a monitored input.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor \
    -d name=/var/log
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:27:57-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
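Several of the parameters in the table above are regular expressions or booleans that fail quietly when mistyped: a whitelist that never matches indexes nothing, and a host_regex with the wrong number of capture groups mislabels the host on every event that input produces. check-path and check-index give a server-side check for the path and the index; the regex parameters have to be checked on the client. As an added example, not part of this page or of Splunk's own tooling, the Python helper below validates a parameter set against the table and then form-encodes it as the body that curl -d sends. The accepted shape of ignore-older-than (a number followed by s, m, h or d) is an assumption taken from inputs.conf rather than from this page, and Python's re module stands in for Splunk's regex engine, which differs in a few constructs.

```python
import re
from urllib.parse import urlencode

# Parameters the table above accepts for POST data/inputs/monitor.
KNOWN_PARAMS = {
    "name", "blacklist", "check-index", "check-path", "crc-salt", "followTail",
    "host", "host_regex", "host_segment", "ignore-older-than", "index",
    "recursive", "rename-source", "sourcetype", "time-before-close", "whitelist",
}
BOOLEAN_PARAMS = {"check-index", "check-path", "followTail", "recursive"}
REGEX_PARAMS = ("whitelist", "blacklist", "host_regex")


def validate_monitor_params(params):
    """Return a list of problems found in a parameter set; an empty list means OK.

    Assumptions (not from the page): Python's re approximates Splunk's PCRE,
    and ignore-older-than takes the inputs.conf form <number><s|m|h|d>.
    """
    problems = []
    unknown = sorted(set(params) - KNOWN_PARAMS)
    if unknown:
        problems.append("unknown parameter(s): " + ", ".join(unknown))
    if not params.get("name"):
        problems.append("name (the path to monitor) is required")
    for key in REGEX_PARAMS:
        if key not in params:
            continue
        try:
            rx = re.compile(params[key])
        except re.error as exc:
            problems.append(f"{key} does not compile: {exc}")
            continue
        # The table says host_regex must have exactly one capture group.
        if key == "host_regex" and rx.groups != 1:
            problems.append("host_regex must have exactly one capture group")
    for key in sorted(BOOLEAN_PARAMS):
        if key in params and params[key] not in ("true", "false"):
            problems.append(f"{key} must be 'true' or 'false'")
    seg = params.get("host_segment")
    if seg is not None and not (seg.isdigit() and int(seg) > 0):
        problems.append("host_segment must be a positive integer")
    tbc = params.get("time-before-close")
    if tbc is not None and not tbc.isdigit():
        problems.append("time-before-close must be a whole number of seconds")
    iot = params.get("ignore-older-than")
    if iot is not None and not re.fullmatch(r"\d+[smhd]", iot):
        problems.append("ignore-older-than must look like 30d, 12h, 15m or 60s")
    return problems


def monitor_create_body(params):
    """Form-encode a validated parameter set as the POST body curl -d would send."""
    problems = validate_monitor_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    return urlencode(params).encode()


if __name__ == "__main__":
    # Constructed input: the /var/log example above plus a host_regex and whitelist.
    params = {
        "name": "/var/log",
        "whitelist": r"\.log$",
        "host_regex": r"^/var/log/([^/]+)/",
        "recursive": "false",
        "check-path": "true",
    }
    print(validate_monitor_params(params))
    print(monitor_create_body(params))
```

Note that the body encodes "/" as %2F once; the double encoding described under DELETE and GET data/inputs/monitor/{name} below applies only when the path appears in the URL as the {name} segment, not in a POST body.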
data/inputs/monitor/{name}
DELETE data/inputs/monitor/{name}
Disable the named monitor data input and remove it from the configuration.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete monitored input. |
| 404 | Monitored input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Removes the /var/log directory as a monitored input. This monitored input was created in the example for the POST operation of this endpoint.
The {name} field in the DELETE operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.
curl -k -u admin:pass --request DELETE \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:35:35-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/monitor/{name}
List the properties of a single monitor data input.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view monitored input. |
| 404 | Monitored input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| disabled | Indicates if inputs monitoring is disabled. |
| eai:attributes | See Accessing Splunk resources |
| filecount | Number of files being monitored. |
| host | Name of the Splunk host for which inputs are monitored. |
| index | The index events from this input should be stored in. |
Example
Returns information on the monitored directory /var/log.
The {name} field in the GET operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:33:54-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>/var/log</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog</id>
<updated>2011-07-10T14:33:54-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members" rel="members"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>blacklist</s:item>
<s:item>check-index</s:item>
<s:item>check-path</s:item>
<s:item>crc-salt</s:item>
<s:item>followTail</s:item>
<s:item>host</s:item>
<s:item>host_regex</s:item>
<s:item>host_segment</s:item>
<s:item>ignore-older-than</s:item>
<s:item>index</s:item>
<s:item>recursive</s:item>
<s:item>rename-source</s:item>
<s:item>sourcetype</s:item>
<s:item>time-before-close</s:item>
<s:item>whitelist</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="filecount">108</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/monitor/{name}
Update properties of the named monitor input.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| blacklist | String | | | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. |
| check-index | Boolean | | | If set to true, the "index" value will be checked to ensure that it is the name of a valid index. |
| check-path | Boolean | | | If set to true, the "name" value will be checked to ensure that it exists. |
| crc-salt | String | | | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). |
| followTail | Boolean | | | If set to true, files that are seen for the first time will be read from the end. |
| host | String | | | The value to populate in the host field for events from this data input. |
| host_regex | String | | | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. |
| host_segment | Number | | | Use the specified slash-separated segment of the file path as the host field value. |
| ignore-older-than | String | | | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer monitored. |
| index | String | | default | Which index events from this input should be stored in. |
| recursive | Boolean | | | Setting this to "false" will prevent monitoring of any subdirectories encountered within this data input. |
| rename-source | String | | | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. |
| sourcetype | String | | | The value to populate in the sourcetype field for incoming events. |
| time-before-close | Number | | | When Splunk reaches the end of a file that is being read, the file will be kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file will be checked again for more data. |
| whitelist | String | | | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit monitored input. |
| 404 | Monitored input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Updates the monitored input such that it does not recurse through subdirectories. This monitored input was created in the example for the POST operation of this endpoint.
The {name} field in the POST operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog -d recursive=false
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:35:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
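The {name} segment in the examples above is the monitored path percent-encoded twice (/var/log becomes %252Fvar%252Flog). This added Python example, which is not part of the Splunk documentation, builds and reverses that encoding and assembles the update request from the POST example; the double encoding is inferred from the samples on this page, and the base URL is a constructed placeholder.

```python
from urllib.parse import quote, unquote, urlencode

# Entries on this page show "/var/log" as "%252Fvar%252Flog": the path is
# percent-encoded once, then the "%" signs of that result are encoded again.
# That double encoding is an assumption taken from the page's samples.


def encode_input_name(path: str) -> str:
    """Turn a monitored path into the {name} segment of data/inputs/monitor/{name}."""
    once = quote(path, safe="")   # "/var/log" -> "%2Fvar%2Flog"
    return quote(once, safe="")   # "%2Fvar%2Flog" -> "%252Fvar%252Flog"


def decode_input_name(segment: str) -> str:
    """Reverse of encode_input_name, for names read back from <id> or <link> hrefs."""
    return unquote(unquote(segment))


def monitor_input_url(base: str, path: str, namespace: str = "nobody/search") -> str:
    """URL for data/inputs/monitor/{name} under a servicesNS namespace (base is constructed)."""
    return f"{base.rstrip('/')}/servicesNS/{namespace}/data/inputs/monitor/{encode_input_name(path)}"


def monitor_update_body(params: dict) -> str:
    """Form body for POST data/inputs/monitor/{name}, i.e. what curl -d would send.
    Booleans become the lowercase strings the endpoint expects (recursive=false);
    None values are dropped so unset parameters are left unchanged on the server."""
    cleaned = {}
    for key, value in params.items():
        if value is None:
            continue
        if isinstance(value, bool):
            value = "true" if value else "false"
        cleaned[key] = str(value)
    return urlencode(cleaned)


if __name__ == "__main__":
    print(monitor_input_url("https://localhost:8089", "/var/log"))
    print(monitor_update_body({"recursive": False, "whitelist": r"\.log$"}))
```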
data/inputs/monitor/{name}/members
GET data/inputs/monitor/{name}/members
Lists all files monitored under the named monitor input.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view monitored input's files. |
| 404 | Monitor input does not exist or does not have any members. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Retrieves the list of files under /var/log that this input is monitoring.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:34:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>/var/log/acpid</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid</id>
<updated>2011-07-10T14:34:28-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl nodes elided for brevity. -->
</s:dict>
</content>
</entry>
<!-- many more file entries elided for brevity. -->
</feed>
data/inputs/oneshot
Provides access to oneshot inputs.
GET data/inputs/oneshot
Enumerates in-progress oneshot inputs. As soon as an input is complete, it is removed from this list.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view inputs. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input. This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file has been read. For compressed source files, this offset represents the position in the compressed format. You can obtain the percentage of a source file that has been read by calculating offset/size. |
| Size | Size of the source file, in bytes. You can obtain the percentage of a source file that has been read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip. A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
Example
Lists the in-progress oneshot inputs for this Splunk instance.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>/var/log/distccd.log</title>
<id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="Bytes Indexed">7200768</s:key>
<s:key name="Offset">7200768</s:key>
<s:key name="Size">449630160</s:key>
<s:key name="Sources Indexed">0</s:key>
<s:key name="Spool Time">Fri Jul 8 01:47:53 PDT 2011</s:key>
<!-- eai:acl nodes elided for brevity. -->
</s:dict>
</content>
</entry>
</feed>
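The offset/size progress calculation described in the Returned Values table above, applied to the s:dict entries of a GET data/inputs/oneshot response. This is an added Python example, not code from the Splunk documentation; the feed it parses is constructed from the two oneshot entries shown on this page, and it handles the Size of 0 case the division would otherwise break on.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SPLUNK = "{http://dev.splunk.com/ns/rest}"

# Constructed feed built from the two oneshot entries shown on this page:
# /var/log/distccd.log still in flight and /var/log/messages fully read.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <entry>
    <title>/var/log/distccd.log</title>
    <content type="text/xml"><s:dict>
      <s:key name="Bytes Indexed">7200768</s:key>
      <s:key name="Offset">7200768</s:key>
      <s:key name="Size">449630160</s:key>
      <s:key name="Sources Indexed">0</s:key>
      <s:key name="Spool Time">Fri Jul 8 01:47:53 PDT 2011</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>/var/log/messages</title>
    <content type="text/xml"><s:dict>
      <s:key name="Bytes Indexed">114822</s:key>
      <s:key name="Offset">114822</s:key>
      <s:key name="Size">114822</s:key>
      <s:key name="Sources Indexed">0</s:key>
      <s:key name="Spool Time">Fri Jul 8 01:48:04 PDT 2011</s:key>
    </s:dict></content>
  </entry>
</feed>"""


def entry_values(entry) -> dict:
    """Top-level <s:key> children of the entry's <s:dict>, as a name -> text mapping.
    Only direct children are read, so nested dicts such as eai:attributes are skipped."""
    sdict = entry.find(f"{ATOM}content/{SPLUNK}dict")
    if sdict is None:
        return {}
    return {k.get("name"): (k.text or "").strip() for k in sdict.findall(f"{SPLUNK}key")}


def oneshot_progress(feed_xml: str) -> dict:
    """Map each in-flight oneshot source to its progress.

    fraction is Offset/Size as the page describes; it is None when Size is 0
    (nothing to divide by) and clamped to 1.0 should Offset ever overshoot.
    compressed is True when Sources Indexed is non-zero (tar/zip input); the
    page notes Offset is then a position in the compressed stream, so fraction
    tracks bytes of the file consumed, not uncompressed bytes emitted.
    """
    root = ET.fromstring(feed_xml)
    result = {}
    for entry in root.findall(f"{ATOM}entry"):
        name = entry.findtext(f"{ATOM}title")
        vals = entry_values(entry)
        size = int(vals.get("Size", 0))
        offset = int(vals.get("Offset", 0))
        fraction = None if size == 0 else min(offset / size, 1.0)
        result[name] = {
            "bytes_indexed": int(vals.get("Bytes Indexed", 0)),
            "offset": offset,
            "size": size,
            "fraction": fraction,
            "complete": fraction == 1.0,
            "compressed": int(vals.get("Sources Indexed", 0)) > 0,
            "spool_time": vals.get("Spool Time", ""),
        }
    return result


if __name__ == "__main__":
    for name, p in oneshot_progress(SAMPLE_FEED).items():
        pct = "n/a" if p["fraction"] is None else f"{p['fraction']:.1%}"
        print(f"{name}: {pct} ({p['offset']}/{p['size']} bytes)")
```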
POST data/inputs/oneshot
Queues a file for immediate indexing by the file input subsystem. The file must be locally accessible from the server.
This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether it has been indexed before.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| name | String | | | The path to the file to be indexed. The file must be locally accessible by the server. |
| host | String | | | The value of the "host" field to be applied to data from this file. |
| host_regex | String | | | A regex to be used to extract a "host" field from the path. If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. |
| host_segment | Number | | | Use the specified slash-separated segment of the path as the host field value. |
| index | String | | | The destination index for data processed from this file. |
| rename-source | String | | | The value of the "source" field to be applied to data from this file. |
| sourcetype | String | | | The value of the "sourcetype" field to be applied to data from this file. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
This example queues the file /var/log/messages for indexing.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot -d name=/var/log/messages
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/oneshot/{name}
GET data/inputs/oneshot/{name}
Finds information about a single in-flight oneshot input. This is a subset of the information in the full enumeration.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input. This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file has been read. For compressed source files, this offset represents the position in the compressed format. You can obtain the percentage of a source file that has been read by calculating offset/size. |
| Size | Size of the source file, in bytes. You can obtain the percentage of a source file that has been read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip. A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
| eai:attributes | See Accessing Splunk resources |
Example
Lists information about the named in-progress oneshot input in this Splunk instance.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:49:20-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>/var/log/messages</title>
<id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages</id>
<updated>2011-07-08T01:49:20-07:00</updated>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="Bytes Indexed">114822</s:key>
<s:key name="Offset">114822</s:key>
<s:key name="Size">114822</s:key>
<s:key name="Sources Indexed">0</s:key>
<s:key name="Spool Time">Fri Jul 8 01:48:04 PDT 2011</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/registry
Provides access to Windows registry monitoring input.
GET data/inputs/registry
Gets current registry monitoring configuration.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Boolean predicate to filter results. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort the entries returned in ascending or descending order. |
| sort_key | String | | name | Field to sort by. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view registry monitoring configuration. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Gets current registry inputs configuration.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/registry
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/services/data/inputs/registry</id>
<updated>2011-07-29T19:31:32-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/registry/_new" rel="create"/>
<link href="/services/data/inputs/registry/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>Machine keys</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/Machine%20keys</id>
<updated>2011-07-29T19:31:32-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="baseline">0</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="hive">HKLM</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubnodes">1</s:key>
<s:key name="proc">c:\.*</s:key>
<s:key name="type">
<s:list>
<s:item>set</s:item>
<s:item>create</s:item>
<s:item>delete</s:item>
<s:item>rename</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/registry
Creates new or modifies existing registry monitoring settings.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| baseline | Number | | 0 | Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no. |
| hive | String | | | Specifies the registry hive under which to monitor for changes. |
| name | String | | | Name of the configuration stanza. |
| proc | String | | | Specifies a regex. If specified, changes are collected only if the process name matches that regex. |
| type | String | | | A regular expression that specifies the type(s) of Registry event(s) that you want to monitor. |
| disabled | Number | | 1 | Indicates whether the monitoring is disabled. |
| index | String | | | The index in which to store the gathered data. |
| monitorSubnodes | Number | | | If set to '1', monitors all sub-nodes under a given hive. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create registry monitoring stanza. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Creates a new registry monitoring stanza.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry -d baseline=1 -d hive="HKU\\.*" -d name=mykeys -d proc="c:\\.*" -d type="set|create|delete|rename"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:29:18-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/registry/{name}
DELETE data/inputs/registry/{name}
Deletes registry monitoring configuration stanza.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete registry configuration stanza. |
| 404 | Registry monitoring configuration stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Deletes existing configuration stanza.
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:36:54-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/registry/{name}
Gets current registry monitoring configuration stanza.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view registry monitoring configuration stanza. |
| 404 | Registry monitoring stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Gets current configuration for a given stanza.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:33:21-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>mykeys</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/mykeys</id>
<updated>2011-07-29T19:33:21-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="baseline">1</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>monitorSubnodes</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>baseline</s:item>
<s:item>hive</s:item>
<s:item>proc</s:item>
<s:item>type</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="hive">HKU</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubnodes">1</s:key>
<s:key name="proc">c:\.*</s:key>
<s:key name="type">
<s:list>
<s:item>set</s:item>
<s:item>create</s:item>
<s:item>delete</s:item>
<s:item>rename</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/registry/{name}
Modifies given registry monitoring stanza.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| baseline | Number | | 0 | Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no. |
| hive | String | | | Specifies the registry hive under which to monitor for changes. |
| proc | String | | | Specifies a regex. If specified, changes are collected only if the process name matches that regex. |
| type | String | | | A regular expression that specifies the type(s) of Registry event(s) that you want to monitor. |
| disabled | Number | | 1 | Indicates whether the monitoring is disabled. |
| index | String | | | The index in which to store the gathered data. |
| monitorSubnodes | Number | | | If set to '1', monitors all sub-nodes under a given hive. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit registry monitoring stanza. |
| 404 | Registry monitoring stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Modifies existing registry configuration.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys -d baseline=1 -d hive="HKU\\.*" -d proc="c:\\.*" -d type="set|create"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:36:07-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/script
Provides access to scripted inputs.
GET data/inputs/script
Gets the configuration settings for scripted inputs.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view script. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| endtime | If available, the time when the script stopped executing. |
| group | Indicates the OS group of commands. |
| host | The host this data is identified with. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule. Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
| source | The source key/field for events from this input. Defaults to the input file path. Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. |
| sourcetype | Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. There is no hard-coded default. For more information, see the documentation for the sourcetype parameter for the POST operation. |
| starttime | If available, the time when the script started executing. |
Example
Lists configuration settings for all scripted inputs for this Splunk instance.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/script
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/services/data/inputs/script</id>
<updated>2011-07-09T20:16:11-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/script/_new" rel="create"/>
<link href="/services/data/inputs/script/_reload" rel="_reload"/>
<link href="/services/data/inputs/script/restart" rel="restart"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
<id>https://localhost:8089/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh</id>
<updated>2011-07-09T20:16:11-07:00</updated>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="list"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="edit"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="endtime">Sat Jul 9 20:15:54 2011</s:key>
<s:key name="group">exec commands</s:key>
<s:key name="host">vgenovese-mbp15.splunk.com</s:key>
<s:key name="index">os</s:key>
<s:key name="interval">30</s:key>
<s:key name="source">cpu</s:key>
<s:key name="sourcetype">cpu</s:key>
<s:key name="starttime">Sat Jul 9 20:15:52 2011</s:key>
</s:dict>
</content>
</entry>
</feed>
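Scripted inputs execute on every interval with the Splunk process's privileges, so the listing above is worth auditing: which scripts are enabled, whether their interval is seconds or a cron schedule (the latter never runs on start-up), how long the last run took, and where the script lives. This is an added Python example, not code from the Splunk documentation; the feed is constructed from the cpu.sh entry on this page plus an invented second entry, and the "script should live under etc/apps/<app>/bin" check is a heuristic of this example, not a rule the page states.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

ATOM = "{http://www.w3.org/2005/Atom}"
SPLUNK = "{http://dev.splunk.com/ns/rest}"

# Constructed feed: the cpu.sh entry shown on this page plus an invented second
# entry (disabled, cron interval, script outside any app) to exercise both paths.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <entry>
    <title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
    <content type="text/xml"><s:dict>
      <s:key name="disabled">0</s:key>
      <s:key name="endtime">Sat Jul 9 20:15:54 2011</s:key>
      <s:key name="index">os</s:key>
      <s:key name="interval">30</s:key>
      <s:key name="starttime">Sat Jul 9 20:15:52 2011</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>/tmp/collect.sh</title>
    <content type="text/xml"><s:dict>
      <s:key name="disabled">1</s:key>
      <s:key name="index">main</s:key>
      <s:key name="interval">*/5 * * * *</s:key>
    </s:dict></content>
  </entry>
</feed>"""

# Heuristic (assumption of this example, not from the page): a scripted input
# normally lives in $SPLUNK_HOME/etc/apps/<app>/bin; anything else gets flagged.
APP_BIN = re.compile(r"/etc/apps/[^/]+/bin/")
TIME_FMT = "%a %b %d %H:%M:%S %Y"   # format of starttime/endtime in the feed


def classify_interval(raw: str):
    """Return (kind, seconds): an integer is a period in seconds, five whitespace-
    separated fields are a cron schedule, which the page notes is not run on start-up."""
    raw = raw.strip()
    if raw.isdigit():
        return "seconds", int(raw)
    if len(raw.split()) == 5:
        return "cron", None
    return "unknown", None


def last_run_seconds(vals: dict):
    """Duration of the most recent run, or None when either timestamp is absent."""
    try:
        start = datetime.strptime(vals["starttime"], TIME_FMT)
        end = datetime.strptime(vals["endtime"], TIME_FMT)
    except (KeyError, ValueError):
        return None
    return (end - start).total_seconds()


def audit_scripted_inputs(feed_xml: str) -> list:
    """One record per <entry> in a GET data/inputs/script response."""
    report = []
    for entry in ET.fromstring(feed_xml).findall(f"{ATOM}entry"):
        sdict = entry.find(f"{ATOM}content/{SPLUNK}dict")
        vals = {} if sdict is None else {
            k.get("name"): (k.text or "").strip() for k in sdict.findall(f"{SPLUNK}key")
        }
        script = entry.findtext(f"{ATOM}title") or ""
        kind, seconds = classify_interval(vals.get("interval", ""))
        report.append({
            "script": script,
            "enabled": vals.get("disabled", "0") == "0",
            "interval_kind": kind,
            "interval_seconds": seconds,
            "index": vals.get("index"),
            "in_app_bin": bool(APP_BIN.search(script)),
            "last_run_seconds": last_run_seconds(vals),
        })
    return report


def enabled_scripts(report: list) -> list:
    """Paths of the scripts Splunk will actually execute on their interval."""
    return [r["script"] for r in report if r["enabled"]]


if __name__ == "__main__":
    for r in audit_scripted_inputs(SAMPLE_FEED):
        flag = "" if r["in_app_bin"] else "  <-- outside an app bin directory"
        state = "on " if r["enabled"] else "off"
        print(f"{state} {r['script']} ({r['interval_kind']}){flag}")
```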
POST data/inputs/script
Configures settings for new scripted inputs.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| interval | Number | | 60 | Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| name | String | | | Specify the name of the scripted input. |
| disabled | Boolean | | | Specifies whether the input script is disabled. |
| host | String | | | Sets the host for events from this input. Defaults to whatever host sent the event. |
| index | String | | default | Sets the index for events from this input. Defaults to the main index. |
| passAuth | String | | | User to run the script as. If you provide a username, Splunk generates an auth token for that user and passes it to the script. |
| rename-source | String | | | Specify a new name for the source field for the script. |
| source | String | | | Sets the source key/field for events from this input. Defaults to the input file path. Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. |
| sourcetype | String | | | Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default. Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined via automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create script. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Configures a new script, myScript.sh, as a disabled scripted input with an interval of 3600 seconds (one hour).
This example assumes there is a script located at:
/Applications/splunk/etc/apps/myApp/bin/myScript.sh
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script \
    -d name=/Applications/splunk4.3/etc/apps/myApp/bin/myScript.sh \
    -d disabled=true \
    -d interval=3600
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:25:17-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/script/restart
Allows for restarting scripted inputs.
POST data/inputs/script/restart
Causes a restart on a given scripted input.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| script | String | | | Path to the script to be restarted. This path must match an already-configured existing scripted input. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Scripted input restarted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to restart scripted input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Causes the running script named by the "script" parameter to restart.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/restart \
    -d script=/Applications/splunk/bin/scripts/myScript.sh
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:38:38-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/script/{name}
DELETE data/inputs/script/{name}
Removes the scripted input specified by {name}.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete script. |
| 404 | Script does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Delete the configuration for the scripted input, myScript.sh.
This example assumes there is a script located at:
/Applications/splunk/etc/apps/myApp/bin/myScript.sh
The {name} field in the DELETE operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.
curl -k -u admin:pass --request DELETE \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk4.3%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:29:18-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/script/{name}
Returns the configuration settings for the scripted input specified by {name}.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view script. |
| 404 | Script does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| eai:attributes | See Accessing Splunk resources |
| group | Indicates the group of OS commands. |
| host | The host this data is identified with. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule. Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
Example
Return information about the scripted input, myScript.sh.
This example assumes there is a script located at:
/Applications/splunk/etc/apps/myApp/bin/myScript.sh
The {name} field in the GET operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T21:53:43-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh</id>
<updated>2011-07-09T21:53:43-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>interval</s:item>
<s:item>rename-source</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">exec commands</s:key>
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
<s:key name="interval">3600</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/script/{name}
Configures settings for scripted input specified by {name}.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| disabled | Boolean | | | Specifies whether the input script is disabled. |
| host | String | | | Sets the host for events from this input. Defaults to whatever host sent the event. |
| index | String | | default | Sets the index for events from this input. Defaults to the main index. |
| interval | Number | | 60 | Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| passAuth | String | | | User to run the script as. If you provide a username, Splunk generates an auth token for that user and passes it to the script. |
| rename-source | String | | | Specify a new name for the source field for the script. |
| source | String | | | Sets the source key/field for events from this input. Defaults to the input file path. Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. |
| sourcetype | String | | | Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default. Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined via automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit script. |
| 404 | Script does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Update the script myScript.sh by setting the interval to 24 hours (86,400 seconds).
This example assumes there is a script located at:
/Applications/splunk/etc/apps/myApp/bin/myScript.sh
The {name} field in the POST operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh \
    -d interval=86400
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:27:59-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/tcp/cooked
Provides access to tcp inputs from forwarders.
Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.
GET data/inputs/tcp/cooked
Returns information about all cooked TCP inputs.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view inputs. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Deprecated. This is not used anymore. |
| disabled | Indicates if the input is disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
Example
Retrieves all cooked TCP inputs in this instance of Splunk.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/cooked
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:50:50-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/services/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>9993</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9993</id>
<updated>2011-07-10T14:50:50-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/tcp/cooked
Creates a new container for managing cooked data.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| name | Number | | | The port number of this input. |
| SSL | Boolean | | | If SSL is not already configured, an error is returned. |
| connection_host | Enum | | | Valid values: (ip \| dns \| none). Set the host for the remote server that is sending data. Default value is |
| disabled | Boolean | | | Indicates whether the input is disabled. |
| host | String | | | The default value to fill in for events lacking a host value. |
| restrictToHost | String | | | Restrict incoming connections on this port to the host specified here. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Some arguments were invalid. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | There was an error; see body contents for messages. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Create a cooked TCP data input listening on port 9998.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked \
    -d name=9998
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:33-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/tcp/cooked/{name}
DELETE data/inputs/tcp/cooked/{name}
Removes the cooked TCP input for the port or host:port specified by {name}.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Remove the cooked TCP input listening on port 9998. Note that the name of this input changed due to the example that restricted incoming connections by host.
curl -k -u admin:pass --request DELETE \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/tiny:9998
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:54:45-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/tcp/cooked/{name}
Returns information for the cooked TCP input specified by {name}.
If the port is restricted to a host, {name} is the URI-encoded host:port.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Deprecated. This is not used anymore. |
| disabled | Indicates if the input is disabled. |
| eai:attributes | See Accessing Splunk resources |
| group | Set to 'listenerports' for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
Example
Retrieve settings for a cooked TCP data port.
The first request displays settings for the cooked TCP input listening on port 9998.
The second request displays settings for the cooked TCP input listening on port 9997 that is restricted to data from host fwd1.splunk.com.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:40-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>9998</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998</id>
<updated>2011-07-10T14:52:40-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-14T11:32:03-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>fwd1.splunk.com:9997</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997</id>
<updated>2011-07-14T11:32:03-0700</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/connections" rel="connections"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="index">default</s:key>
<s:key name="restrictToHost">fwd1.splunk.com</s:key>
</s:dict>
</content>
</entry>
</feed>
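The URI-encoding rules the examples above rely on, as an added Python example that is not part of the Splunk documentation or SDK: the script path for data/inputs/script/{name} is encoded twice (/ becomes %2F and then %252F), while the host:port name of a host-restricted cooked TCP input is encoded once (: becomes %3A). The helpers also parse the Atom feed these endpoints return, list enabled cooked TCP listeners that have no restrictToHost, and split a connection value from the connections endpoint. The base URL, owner and app follow the curl examples, and the feed text is constructed for the demonstration.

```python
"""Helpers for the Splunk data/inputs/script and data/inputs/tcp/cooked endpoints.

Added example, not Splunk's own code. The base URL, owner and app follow the
page's curl examples; the feed below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

BASE = "https://localhost:8089"  # assumed, as in the page's curl examples
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}


def script_input_url(script_path, owner="nobody", app="search"):
    """URL for data/inputs/script/{name}.

    The script path is URI-encoded twice, so '/' becomes '%2F' and then
    '%252F'; this reproduces the ids the server returns in its feeds.
    """
    name = quote(quote(script_path, safe=""), safe="")
    return f"{BASE}/servicesNS/{owner}/{app}/data/inputs/script/{name}"


def cooked_tcp_url(port, restrict_to_host=None, owner="nobody", app="search"):
    """URL for data/inputs/tcp/cooked/{name}.

    Once restrictToHost is set, the input is named host:port and that name
    is URI-encoded once, so ':' becomes '%3A'.
    """
    name = f"{restrict_to_host}:{port}" if restrict_to_host else str(port)
    return f"{BASE}/servicesNS/{owner}/{app}/data/inputs/tcp/cooked/{quote(name, safe='')}"


def parse_feed(xml_text):
    """Map each entry title in an Atom feed to its flat <s:key> settings.

    Keys whose value is a nested <s:dict> or <s:list> (eai:attributes, ACLs)
    are skipped; only scalar settings are returned.
    """
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", namespaces=NS)
        settings = {}
        sdict = entry.find("atom:content/s:dict", NS)
        if sdict is not None:
            for key in sdict.findall("s:key", NS):
                if key.find("s:dict", NS) is None and key.find("s:list", NS) is None:
                    settings[key.get("name")] = (key.text or "").strip()
        entries[title] = settings
    return entries


def open_listeners(entries):
    """Titles of enabled cooked TCP inputs with no restrictToHost, i.e. ports
    that accept connections from any forwarder."""
    return sorted(title for title, s in entries.items()
                  if s.get("disabled") == "0" and not s.get("restrictToHost"))


def parse_connection(value):
    """Split a connection value from data/inputs/tcp/cooked/{name}/connections,
    e.g. '9998:127.0.0.1:20089', into (local_port, remote_ip, remote_port)."""
    local_port, rest = value.split(":", 1)
    remote_ip, remote_port = rest.rsplit(":", 1)
    return int(local_port), remote_ip, int(remote_port)


# Constructed feed mirroring the page's GET data/inputs/tcp/cooked responses:
# one unrestricted listener on 9998 and one restricted to fwd1.splunk.com.
SAMPLE_COOKED_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <entry>
    <title>9998</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict><s:key name="requiredFields"><s:list/></s:key></s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>fwd1.splunk.com:9997</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="index">default</s:key>
        <s:key name="restrictToHost">fwd1.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

if __name__ == "__main__":
    print(script_input_url("/Applications/splunk/etc/apps/myApp/bin/myScript.sh"))
    print(cooked_tcp_url(9997, "fwd1.splunk.com"))
    inputs = parse_feed(SAMPLE_COOKED_FEED)
    print("listeners open to any host:", open_listeners(inputs))
    print(parse_connection("9998:127.0.0.1:20089"))
```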
POST data/inputs/tcp/cooked/{name}
Updates the container for managing cooked data.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| SSL | Boolean | | | If SSL is not already configured, an error is returned. |
| connection_host | Enum | | | Valid values: (ip \| dns \| none). Set the host for the remote server that is sending data. Default value is |
| disabled | Boolean | | | Indicates whether the input is disabled. |
| host | String | | | The default value to fill in for events lacking a host value. |
| restrictToHost | String | | | Restrict incoming connections on this port to the host specified here. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Restrict the cooked TCP input listening on port 9998 to only accept data from the host "tiny".
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998 \
    -d restrictToHost=tiny
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:54-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/tcp/cooked/{name}/connections
GET data/inputs/tcp/cooked/{name}/connections
Retrieves list of active connections to the named port.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed connections successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input's connections. |
| 404 | TCP input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| connection | Identifies the connection to port. |
| servername | Server name of forwarder connecting to this port. |
Example
Displays all connections to this cooked TCP input.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-13T14:55:18-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>Cooked:9998:127.0.0.1:20089</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089</id>
<updated>2011-07-13T14:55:18-0700</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="connection">9998:127.0.0.1:20089</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="servername">fool03.splunk.com</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/tcp/raw
Container for managing raw tcp inputs from forwarders.
Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to the parsed and unparsed formats.
GET data/inputs/tcp/raw
Returns information about all raw TCP inputs.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Deprecated. This is not used anymore. |
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
Example
Display all raw TCP inputs in this Splunk instance.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>44000</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44000</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/tcp/raw
Creates a new data input for accepting raw TCP data.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| name | String | | | The input port on which Splunk receives raw data. |
| SSL | Boolean | | | |
| connection_host | Enum | | | Valid values: (ip \| dns \| none) Set the host for the remote server that is sending data. Default value is |
| disabled | Boolean | | | Indicates whether the inputs are disabled. |
| host | String | | | The host from which the indexer gets data. |
| index | String | | default | The index in which to store all generated events. |
| queue | Enum | | | Valid values: (parsingQueue \| indexQueue) Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to |
| rawTcpDoneTimeout | Number | | | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds. If a connection over the port specified by |
| restrictToHost | String | | | Allows for restricting this input to only accept data from the host specified here. |
| source | String | | | Sets the source key/field for events from this input. Defaults to the input file path. Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. |
| sourcetype | String | | | Set the source type for events from this input. "sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Some arguments were invalid |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | There was an error; see body contents for messages |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Create a TCP input on port 44343 listening for raw data.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw -d name=44343
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/tcp/raw/{name}
DELETE data/inputs/tcp/raw/{name}
Removes the raw TCP input for the port or host:port specified by {name}.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Remove the raw TCP data input listening on port 44343.
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:31-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/tcp/raw/{name}
Returns information about the raw TCP input on port {name}.
If the port is restricted to a host, {name} must be the URI-encoded host:port (for example, host1.splunk.com%3A9998).
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Deprecated. This is not used anymore. |
| disabled | Indicates whether the inputs are disabled. |
| eai:attributes | See Accessing Splunk resources |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
Example
Display only the settings for a single TCP data input port.
The first request displays the settings for the TCP data input listening on port 44343.
The second request displays the settings for the TCP data input listening on port 9998 that is restricted to data from host host1.splunk.com.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:37:09-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>44343</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343</id>
<updated>2011-07-08T02:37:09-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/host1.splunk.com%3A9998
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-14T11:28:39-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>host1.splunk.com:9998</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998</id>
<updated>2011-07-14T11:28:39-0700</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/connections" rel="connections"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="index">default</s:key>
<s:key name="restrictToHost">host1.splunk.com</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/tcp/raw/{name}
Updates the raw TCP input for the port or host:port specified by {name}.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| SSL | Boolean | | | |
| connection_host | Enum | | | Valid values: (ip \| dns \| none) Set the host for the remote server that is sending data. Default value is |
| disabled | Boolean | | | Indicates whether the inputs are disabled. |
| host | String | | | The host from which the indexer gets data. |
| index | String | | default | The index in which to store all generated events. |
| queue | Enum | | | Valid values: (parsingQueue \| indexQueue) Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to |
| rawTcpDoneTimeout | Number | | | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds. If a connection over the port specified by |
| restrictToHost | String | | | Allows for restricting this input to only accept data from the host specified here. |
| source | String | | | Sets the source key/field for events from this input. Defaults to the input file path. Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. |
| sourcetype | String | | | Set the source type for events from this input. "sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Change the sourcetype to syslog for incoming events on the TCP data input listening on port 44343.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343 -d sourcetype=syslog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/tcp/raw/{name}/connections
GET data/inputs/tcp/raw/{name}/connections
View all connections to the named data input.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed connections successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input's connections. |
| 404 | TCP input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| connection | IP address and port of the source connecting to this TCP input port. |
| servername | DNS name of the source connecting to this TCP input port. |
Example
Displays all connections to this raw TCP input.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw/9998/connections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2011-07-13T16:14:33-07:00</updated>
<generator version="103477"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>Raw:9998:127.0.0.1</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1</id>
<updated>2011-07-13T16:14:33-07:00</updated>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="list"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1/_reload" rel="_reload"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="edit"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="connection">9998:127.0.0.1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="servername"></s:key>
</s:dict>
</content>
</entry>
</feed>
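As an added example (not Splunk's own code), the following Python handles the two response shapes documented above: it parses the Atom feed with its nested s:dict/s:list content as returned by GET data/inputs/tcp/raw/{name}, builds the URI-encoded host:port entity name, and compares the connections listed by GET data/inputs/tcp/raw/{name}/connections (the cooked variant has the same shape) against the input's restrictToHost value. The sample feeds are constructed from the examples on this page; only the standard library is used.

```python
"""Added example, not Splunk code: parse Splunk Atom/s:dict feeds and check
the open connections on a raw TCP input against its restrictToHost setting."""
import urllib.parse
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"


def input_name(port, restrict_to_host=None):
    """Entity name for data/inputs/tcp/raw/{name}: the bare port, or the
    URI-encoded host:port when the input is restricted to one host."""
    if restrict_to_host:
        return urllib.parse.quote(f"{restrict_to_host}:{port}", safe="")
    return str(port)


def _value(node):
    """Body of an s:key or s:item: nested s:dict -> dict, s:list -> list, else text."""
    child_dict = node.find(S + "dict")
    if child_dict is not None:
        return {k.get("name"): _value(k) for k in child_dict.findall(S + "key")}
    child_list = node.find(S + "list")
    if child_list is not None:
        return [_value(i) for i in child_list.findall(S + "item")]
    return (node.text or "").strip()


def parse_feed(xml_text):
    """Return {entry title: {key name: value}} for every <entry> in a feed."""
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.findall(ATOM + "entry"):
        title = entry.findtext(ATOM + "title") or ""
        content = entry.find(ATOM + "content/" + S + "dict")
        entries[title] = {} if content is None else {
            k.get("name"): _value(k) for k in content.findall(S + "key")}
    return entries


def unexpected_connections(input_entry, connections_feed):
    """Connections whose servername is not the host the input is restricted to.
    Without restrictToHost any host may connect, so nothing is flagged. An empty
    servername (as in the raw example above) is flagged: the restriction cannot
    be confirmed from the listing alone."""
    allowed = input_entry.get("restrictToHost", "")
    if not allowed:
        return []
    flagged = []
    for title, keys in parse_feed(connections_feed).items():
        if keys.get("servername", "") != allowed:
            flagged.append((keys.get("connection", title), keys.get("servername", "")))
    return flagged


# Constructed sample responses, trimmed to the elements used here.
INPUT_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>host1.splunk.com:9998</title><content type="text/xml"><s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:attributes"><s:dict><s:key name="optionalFields"><s:list>
<s:item>SSL</s:item><s:item>restrictToHost</s:item></s:list></s:key></s:dict></s:key>
<s:key name="index">default</s:key>
<s:key name="restrictToHost">host1.splunk.com</s:key>
</s:dict></content></entry></feed>"""

CONNECTIONS_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>Raw:9998:10.0.0.7</title><content type="text/xml"><s:dict>
<s:key name="connection">9998:10.0.0.7</s:key>
<s:key name="servername">host1.splunk.com</s:key>
</s:dict></content></entry>
<entry><title>Raw:9998:127.0.0.1</title><content type="text/xml"><s:dict>
<s:key name="connection">9998:127.0.0.1</s:key>
<s:key name="servername"></s:key>
</s:dict></content></entry></feed>"""

if __name__ == "__main__":
    name = input_name(9998, "host1.splunk.com")  # host1.splunk.com%3A9998
    entry = parse_feed(INPUT_FEED)["host1.splunk.com:9998"]
    print(f"data/inputs/tcp/raw/{name}: restrictToHost={entry['restrictToHost']}")
    for conn, server in unexpected_connections(entry, CONNECTIONS_FEED):
        print(f"unexpected connection {conn} (servername={server!r})")
```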
data/inputs/tcp/ssl
Provides access to the SSL configuration of a Splunk server.
GET data/inputs/tcp/ssl
Returns SSL configuration. There is only one SSL configuration for all input ports.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view inputs. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Deprecated. This is not used anymore. |
| cipherSuite | Specifies the list of acceptable ciphers to use for SSL. |
| disabled | Indicates whether this input is disabled. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
Example
Return the SSL attributes for this instance of Splunk.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:02:58-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title/>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
<updated>2011-07-12T15:02:58-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/tcp/ssl/{name}
GET data/inputs/tcp/ssl/{name}
Returns the SSL configuration for the host {name}.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Deprecated. This is not used anymore. |
| cipherSuite | Specifies the list of acceptable ciphers to use for SSL. |
| disabled | Indicates whether this input is disabled. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
Example
Return the SSL attributes for the TCP input. Note that "ssl" is the only valid name here.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:04:41-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title/>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
<updated>2011-07-12T15:04:41-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/tcp/ssl/{name}
Configures SSL attributes for the host {name}.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| disabled | Boolean | | | Indicates whether the inputs are disabled. |
| password | String | | | Server certificate password, if any. |
| requireClientCert | Boolean | | | Determines whether a client must authenticate. |
| rootCA | String | | | Certificate authority list (root file). |
| serverCert | String | | | Full path to the server certificate. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Disable inputs for this SSL server configuration. Note that "ssl" is the only valid name here.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl -d disabled=true
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:05:42-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
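As an added example (not Splunk's own code), this Python composes the form body for POST data/inputs/tcp/ssl/ssl from the parameters in the table above and reviews a cipherSuite value of the kind returned by GET data/inputs/tcp/ssl. It assumes cipherSuite follows OpenSSL cipher-list syntax; the certificate paths are placeholders, and the cipher string is the one shown in the GET example on this page.

```python
"""Added example, not Splunk code: build the SSL input configuration request
and review the cipherSuite value the SSL endpoint reports."""
import urllib.parse

# Cipher-list components that, when a token adds or keeps them, leave weak
# suites available on the receiving port (OpenSSL cipher-list names, assumed).
WEAK_MARKERS = {"RC4", "MEDIUM", "LOW", "EXP", "EXPORT", "aNULL", "eNULL",
                "NULL", "DES", "MD5"}


def ssl_config_body(server_cert, root_ca, password=None,
                    require_client_cert=True, disabled=False):
    """Form-encoded body for POST data/inputs/tcp/ssl/ssl using the documented
    parameters; requireClientCert=true makes connecting clients authenticate."""
    fields = {
        "serverCert": server_cert,
        "rootCA": root_ca,
        "requireClientCert": "true" if require_client_cert else "false",
        "disabled": "true" if disabled else "false",
    }
    if password:
        fields["password"] = password
    return urllib.parse.urlencode(fields)


def audit_cipher_suite(cipher_suite):
    """Return the tokens of an OpenSSL-style cipher list that add or retain weak
    ciphers. '!' and '-' tokens remove ciphers and are skipped, '@' tokens are
    directives; a leading '+' only moves matching ciphers to the end of the
    list, so they stay enabled; 'A+B' inside a token means ciphers that match
    both A and B."""
    findings = []
    for token in cipher_suite.replace(",", ":").split(":"):
        token = token.strip()
        if not token or token[0] in "!-@":
            continue
        parts = token.lstrip("+").split("+")
        if any(p in WEAK_MARKERS for p in parts):
            findings.append(token)
    return findings


# Constructed sample: the cipherSuite value shown in the GET data/inputs/tcp/ssl
# example above.
PAGE_CIPHER_SUITE = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

if __name__ == "__main__":
    body = ssl_config_body("/PLACEHOLDER/path/server.pem", "/PLACEHOLDER/path/ca.pem")
    print("POST data/inputs/tcp/ssl/ssl body:", body)
    for token in audit_cipher_suite(PAGE_CIPHER_SUITE):
        print("cipher-list token keeping weak ciphers enabled:", token)
```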
data/inputs/udp
Provides access to UDP data inputs.
GET data/inputs/udp
List enabled and disabled UDP data inputs.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order. |
| sort_key | String | | name | Field to use for sorting. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view inputs. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Specifies socket receive buffer size in bytes. |
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
Example
Returns a list of configured UDP data inputs.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/udp
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/services/data/inputs/udp</id>
<updated>2011-07-08T14:11:57-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/udp/_new" rel="create"/>
<link href="/services/data/inputs/udp/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>44000</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44000</id>
<updated>2011-07-08T14:11:57-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
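The response shape above (Atom entry elements whose content element carries an s:dict of keys, with nested s:dict and s:list values for attributes such as eai:attributes) is shared by every data/inputs endpoint on this page. The following Python is an added example, not Splunk's own code or SDK: it converts that structure into plain dictionaries with the standard library and then audits the UDP listeners, reporting the ones that are enabled and named by a bare port, that is, not restricted to a sending host (restricted inputs are named host:port, as the GET data/inputs/udp/{name} section describes). The embedded feed is a constructed sample in the page's response shape; the input names, host value and buffer size are copied from the examples on this page and are not live data.

```python
"""Parse Splunk REST Atom feeds of the shape shown on this page and audit the
UDP listeners they describe (added example; not Splunk's own code or SDK)."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample in the shape of the GET data/inputs/udp response above:
# an enabled listener on port 44000 and a disabled, host-restricted one.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <entry>
    <title>44000</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>host1.splunk.com:9997</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list><s:item>host</s:item><s:item>index</s:item></s:list>
            </s:key>
            <s:key name="requiredFields"><s:list/></s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _convert(node):
    """Python value of an <s:key>, <s:item> or <content> element: a dict for a
    nested <s:dict>, a list for an <s:list>, otherwise the element's text."""
    container = next((c for c in node if c.tag in (S + "dict", S + "list")), None)
    if container is None:
        return (node.text or "").strip()
    if container.tag == S + "dict":
        return {key.get("name"): _convert(key) for key in container.findall(S + "key")}
    return [_convert(item) for item in container.findall(S + "item")]


def parse_entries(feed_xml):
    """Map each <entry> title (the input name) to its properties dict."""
    root = ET.fromstring(feed_xml)
    entries = {}
    for entry in root.findall(ATOM + "entry"):
        content = entry.find(ATOM + "content")
        entries[entry.findtext(ATOM + "title")] = _convert(content) if content is not None else {}
    return entries


def audit_udp_inputs(entries):
    """Return the enabled listeners whose name is a bare port. Such an input is
    not restricted to one sending host; a restricted input is named host:port
    (see GET data/inputs/udp/{name})."""
    findings = []
    for name, props in entries.items():
        if props.get("disabled") == "0" and ":" not in name:
            findings.append({"name": name, "index": props.get("index"),
                             "rcvbuf": int(props.get("_rcvbuf") or 0)})
    return findings


if __name__ == "__main__":
    for f in audit_udp_inputs(parse_entries(SAMPLE_FEED)):
        print(f"UDP {f['name']} is enabled and not host-restricted (index={f['index']})")
```

To run it against a live instance, replace SAMPLE_FEED with the body returned by the curl request above; the parser only depends on the Atom and s: namespaces, so it works unchanged for the single-input and connections responses later on this page.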
POST data/inputs/udp
Create a new UDP data input.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| name | String | | | The UDP port that this input should listen on. |
| connection_host | Enum | | | Valid values: (ip \| dns \| none). Set the host for the remote server that is sending data. Default value is |
| host | String | | | The value to populate in the host field for incoming events. This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. |
| index | String | | default | Which index events from this input should be stored in. |
| no_appending_timestamp | Boolean | | | If set to true, prevents Splunk from prepending a timestamp and hostname to incoming events. |
| no_priority_stripping | Boolean | | | If set to true, Splunk will not remove the priority field from incoming syslog events. |
| queue | String | | | Which queue events from this input should be sent to. Generally this does not need to be changed. |
| restrictToHost | String | | | Restrict incoming connections on this port to the host specified here. If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used. |
| source | String | | | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. |
| sourcetype | String | | | The value to populate in the sourcetype field for incoming events. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create input. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Creates a UDP data input listening on port 44321.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp \
    -d name=44321
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:13-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/udp/{name}
DELETE data/inputs/udp/{name}
Disable the named UDP data input and remove it from the configuration.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Removes the UDP data input listening on port 44321.
curl -k -u admin:pass --request DELETE \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/udp/{name}
List the properties of a single UDP data input, identified by its port or host:port {name}.
If the port is restricted to a host, {name} must be the URI-encoded host:port.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input configuration. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| _rcvbuf | Specifies socket receive buffer size in bytes. |
| disabled | Indicates whether the inputs are disabled. |
| eai:attributes | See Accessing Splunk resources |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
Example
Returns only the configuration information for a UDP data input.
The first request displays the settings of the UDP data input listening on port 44321.
The second request displays the settings of the UDP data input listening on port 9997 that is restricted to data from host host1.splunk.com.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:27-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>44321</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321</id>
<updated>2011-07-08T14:12:27-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>connection_host</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>no_appending_timestamp</s:item>
<s:item>no_priority_stripping</s:item>
<s:item>queue</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/host1.splunk.com%3A9997
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-14T11:40:20-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>host1.splunk.com:9997</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997</id>
<updated>2011-07-14T11:40:20-0700</updated>
<link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/connections" rel="connections"/>
<link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>no_appending_timestamp</s:item>
<s:item>no_priority_stripping</s:item>
<s:item>queue</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
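Two encoding rules on this page are easy to get wrong from a script: the search parameter of the listing request must be URI-encoded (search=field_name%3Dfield_value in the GET data/inputs/udp table), and a host-restricted input is addressed by its URI-encoded host:port name (host1.splunk.com%3A9997 in the second request above). The following Python is an added example, not Splunk's own code or SDK; it builds those URLs with the standard library and validates the enum and numeric parameters from the request table before they are sent. The base URL and the nobody/search owner and app defaults are assumptions matching the examples on this page.

```python
"""Build URLs for the data/inputs/udp endpoints described on this page (added
example; not Splunk's own client code)."""
from urllib.parse import quote, urlencode

# Enum values from the GET data/inputs/udp request table on this page.
SORT_DIRS = ("asc", "desc")
SORT_MODES = ("auto", "alpha", "alpha_case", "num")


def restricted_input_name(host, port):
    """Name of an input bound to one sending host, in the host:port form the
    GET data/inputs/udp/{name} section describes. Validated before joining so
    that a malformed host or port never reaches the server."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not host or any(ch in host for ch in ":/ ?#"):
        raise ValueError(f"invalid host: {host!r}")
    return f"{host}:{port}"


def input_url(base, name, owner="nobody", app="search"):
    """URL of one UDP input. quote(..., safe="") turns the colon of host:port
    into %3A (and would encode a stray '/' as well, so a name cannot add path
    segments); the owner/app namespace defaults follow the page's examples."""
    parts = [quote(str(s), safe="") for s in (owner, app, name)]
    return base.rstrip("/") + "/servicesNS/{}/{}/data/inputs/udp/{}".format(*parts)


def list_url(base, count=30, offset=0, search=None,
             sort_dir="asc", sort_key="name", sort_mode="auto"):
    """URL for GET data/inputs/udp with the parameters of its request table.
    urlencode() percent-encodes the search expression, so the '=' in
    'index=default' becomes %3D as the page requires."""
    if sort_dir not in SORT_DIRS:
        raise ValueError(f"sort_dir must be one of {SORT_DIRS}")
    if sort_mode not in SORT_MODES:
        raise ValueError(f"sort_mode must be one of {SORT_MODES}")
    if count < 0 or offset < 0:
        raise ValueError("count and offset must be non-negative")
    params = {"count": count, "offset": offset, "sort_dir": sort_dir,
              "sort_key": sort_key, "sort_mode": sort_mode}
    if search:
        params["search"] = search
    return base.rstrip("/") + "/services/data/inputs/udp?" + urlencode(params)


if __name__ == "__main__":
    base = "https://localhost:8089"  # assumed management port, as on this page
    print(list_url(base, search="index=default"))
    print(input_url(base, "44321"))
    print(input_url(base, restricted_input_name("host1.splunk.com", 9997)))
```

The same helpers serve the POST and DELETE requests on this page, since those address the input by the identical path; only the HTTP method and form body differ.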
POST data/inputs/udp/{name}
Edit properties of the named UDP data input.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| connection_host | Enum | | | Valid values: (ip \| dns \| none). Set the host for the remote server that is sending data. Default value is |
| host | String | | | The value to populate in the host field for incoming events. This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. |
| index | String | | default | Which index events from this input should be stored in. |
| no_appending_timestamp | Boolean | | | If set to true, prevents Splunk from prepending a timestamp and hostname to incoming events. |
| no_priority_stripping | Boolean | | | If set to true, Splunk will not remove the priority field from incoming syslog events. |
| queue | String | | | Which queue events from this input should be sent to. Generally this does not need to be changed. |
| restrictToHost | String | | | Restrict incoming connections on this port to the host specified here. If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used. |
| source | String | | | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. |
| sourcetype | String | | | The value to populate in the sourcetype field for incoming events. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit input. |
| 404 | Input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Changes the sourcetype for incoming events to "syslog" for the UDP data input listening on port 44321.
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321 \
    -d sourcetype=syslog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:47-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
data/inputs/udp/{name}/connections
GET data/inputs/udp/{name}/connections
Lists connections to the named UDP input.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed connections successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view input connections. |
| 404 | UDP input does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
Example
Returns a list of connections to the UDP input listening on port 9998.
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/9998/connections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-13T17:08:18-07:00</updated>
<generator version="103477"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>127.0.0.1</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/127.0.0.1</id>
<updated>2011-07-13T17:08:18-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="group">hosts</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-event-log-collections
Provides access to all configured event log collections.
GET data/inputs/win-event-log-collections
Retrieves a list of configured event log collections.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| lookup_host | String | | | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Boolean predicate to filter results. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort the entries returned in ascending or descending order. |
| sort_key | String | | name | Field to sort by. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view event log collections. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| disabled | Indicates if monitoring is disabled. |
| hosts | List of hosts used for monitoring in addition to lookup_host. |
| index | The index in which to store the gathered data. |
| logs | A list of event log names to gather data from. |
Example
Provides information on all Windows event log collection inputs for monitoring by this Splunk instance.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-event-log-collections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T11:26:47-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/services/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T11:26:47-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/win-event-log-collections
Creates or modifies existing event log collection settings. You can configure both native and WMI collection with this endpoint.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| lookup_host | String | | | This is a host from which we will monitor log events. To specify additional hosts to be monitored via WMI, use the "hosts" parameter. |
| name | String | | | This is the name of the collection. This name will appear in the configuration file, as well as in the source and the sourcetype of the indexed data. If the value is "localhost", it will use native event log collection; otherwise, it will use WMI. |
| hosts | String | | | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. |
| index | String | | default | The index in which to store the gathered data. |
| logs | String | | | A comma-separated list of event log names to gather data from. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create event log collections. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Creates a new event log monitoring collection named mylogs on the localhost, monitoring the Application and the System event logs.
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections \
    -d lookup_host=localhost \
    -d name=mylogs \
    -d logs=Application,System
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T11:56:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T11:56:24-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">localhost</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-event-log-collections/{name}
DELETE data/inputs/win-event-log-collections/{name}
Deletes a given event log collection.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete event log collections. |
| 404 | Event log collection does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Deletes the existing mylogs event log collection.
curl -k -u admin:pass --request DELETE \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T13:45:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/win-event-log-collections/{name}
Gets the configuration settings for a given event log collection.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| lookup_host | String | | | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view event log collections. |
| 404 | Event log collection does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Gets information about a given event log collection.
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T12:00:38-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>mylogs</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs</id>
<updated>2011-07-27T12:00:38-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>hosts</s:item>
<s:item>index</s:item>
<s:item>logs</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>lookup_host</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="hosts"/>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application,System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">mylogs</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/win-event-log-collections/{name}
Modifies an existing event log collection.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| lookup_host | String | | | This is a host from which we will monitor log events. To specify additional hosts to be monitored via WMI, use the "hosts" parameter. |
| hosts | String | | | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. |
| index | String | | default | The index in which to store the gathered data. |
| logs | String | | | A comma-separated list of event log names to gather data from. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit event log collections. |
| 404 | Event log collection does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Modifies the mylogs collection by making it monitor the Application log only.
curl -k -u admin:pass \
    https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs \
    -d lookup_host=localhost \
    -d logs=Application
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T13:43:46-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T13:43:46-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">localhost</s:key>
</s:dict>
</content>
</entry>
</feed>
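The responses above are Atom feeds whose settings sit in an s:dict inside each entry's content element. The following Python is an added example, not Splunk code: it parses such a feed and flags event log collections that are disabled or do not gather the Security log, which is the first coverage check to run when onboarding Windows hosts. The feed embedded in it is constructed to match the shape of the responses on this page; the host dc01.example.test and the index wineventlog are placeholders.

```python
"""Audit win-event-log-collections responses for Security log coverage.

Added example, not Splunk code. SAMPLE_FEED is constructed to match the
shape of the GET/POST responses on this page; its hosts and index names
are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "s": "http://dev.splunk.com/ns/rest",
}

# Constructed sample: one disabled collection with full coverage, and one
# enabled collection that gathers only the Application log.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <entry>
    <title>localhost</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>Security</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>mylogs</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="hosts">localhost,dc01.example.test</s:key>
        <s:key name="index">wineventlog</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">mylogs</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _key_value(key):
    """Return an s:key value as a str, or as a list when it wraps an s:list."""
    lst = key.find("s:list", NS)
    if lst is not None:
        return [item.text or "" for item in lst.findall("s:item", NS)]
    return (key.text or "").strip()


def parse_collections(feed_xml):
    """Turn each entry of a win-event-log-collections feed into a settings dict."""
    root = ET.fromstring(feed_xml)
    collections = []
    for entry in root.findall("atom:entry", NS):
        settings = {}
        for key in entry.findall("./atom:content/s:dict/s:key", NS):
            settings[key.get("name")] = _key_value(key)
        # The entry title carries the name even when the dict omits it.
        settings.setdefault("name", entry.findtext("atom:title", default="", namespaces=NS))
        collections.append(settings)
    return collections


def audit_security_coverage(feed_xml, required_log="Security"):
    """Flag collections that are disabled or do not gather required_log."""
    findings = []
    for c in parse_collections(feed_xml):
        logs = c.get("logs", [])
        if isinstance(logs, str):  # a single log arrives as plain text, not a list
            logs = [logs] if logs else []
        hosts = [h.strip() for h in c.get("hosts", "").split(",") if h.strip()]
        problems = []
        if c.get("disabled") == "1":
            problems.append("collection is disabled")
        if required_log not in logs:
            problems.append(f"{required_log} log is not collected")
        findings.append({"name": c["name"], "hosts": hosts, "logs": logs, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_security_coverage(SAMPLE_FEED):
        status = "OK" if not f["problems"] else "; ".join(f["problems"])
        print(f"{f['name']:<12} hosts={','.join(f['hosts'])} -> {status}")
```

Against a live server, feed the function the body of GET data/inputs/win-event-log-collections with count=0, as the list endpoints on this page describe, so that paging does not hide a collection; the s:key names it reads are the same attributes listed under Returned Values.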
data/inputs/win-wmi-collections
Provides access to all configured WMI collections.
GET data/inputs/win-wmi-collections
Lists all configured WMI collections.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Boolean predicate to filter results. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort the entries returned in ascending or descending order. |
| sort_key | String | | name | Field to sort by. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view collections. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| fields | A list of properties (fields) to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI providers are queried. |
| name | The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data. |
| server | Additional servers that you want to gather data from. |
| wql | The WQL query used to gather data. |
Example
Lists all WMI collections, whether enabled or disabled.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-wmi-collections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:00:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/services/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>CPUTime</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
<updated>2011-07-27T14:00:24-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="class">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="fields">
<s:list>
<s:item>PercentProcessorTime</s:item>
<s:item>PercentUserTime</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list>
<s:item>_Total</s:item>
</s:list>
</s:key>
<s:key name="interval">3</s:key>
<s:key name="name"/>
<s:key name="server">localhost</s:key>
<s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/win-wmi-collections
Creates or modifies existing WMI collection settings.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| classes | String | Yes | | A valid WMI class name. |
| interval | Number | Yes | | The interval, in seconds, at which the WMI provider(s) will be queried. |
| lookup_host | String | Yes | | The server from which to gather WMI data. To gather data from more than one machine, specify the additional servers in the server parameter. |
| name | String | Yes | | The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data. |
| disabled | Number | | | Disables the given collection. |
| fields | String | | | Properties (fields) that you want to gather from the given class. Specify each property as a separate argument to the POST operation. |
| index | String | | | The index in which to store the gathered data. |
| instances | String | | | Instances of a given class for which data is gathered. Specify each instance as a separate argument to the POST operation. |
| server | String | | | A comma-separated list of additional servers to gather data from. Use this if you need to gather from more than a single machine. See also the lookup_host parameter. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create this collection. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Creates a new WMI collection named cpu that gathers CPU information from the class Win32_PerfFormattedData_PerfOS_Processor on localhost, polling every 5 seconds.
curl -k -u admin:pass \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections \
  -d classes=Win32_PerfFormattedData_PerfOS_Processor \
  -d interval=5 \
  -d lookup_host=localhost \
  -d name=cpu
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:05:43-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>CPUTime</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
<updated>2011-07-27T14:05:43-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="index">default</s:key>
<s:key name="interval">3</s:key>
<s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-wmi-collections/{name}
DELETE data/inputs/win-wmi-collections/{name}
Deletes a given collection.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete a given collection. |
| 404 | Given collection does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Deletes an existing WMI collection.
curl -k -u admin:pass --request DELETE \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:21:17-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/win-wmi-collections/{name}
Gets information about a single collection.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view WMI collections. |
| 404 | Given collection does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if retrieving information from a collection is disabled. |
| fields | A list of properties (fields) to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI providers are queried. |
| lookup_host | The server from which to gather WMI data. |
| name | The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data. |
| server | Additional servers from which to gather data. |
| wql | The WQL query used to gather data. |
Example
Gets information about the cpu WMI collection.
curl -k -u admin:pass \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:09:39-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>cpu</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
<updated>2011-07-27T14:09:39-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>fields</s:item>
<s:item>index</s:item>
<s:item>instances</s:item>
<s:item>server</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>classes</s:item>
<s:item>interval</s:item>
<s:item>lookup_host</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="fields">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">5</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">cpu</s:key>
<s:key name="server"/>
<s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/win-wmi-collections/{name}
Modifies a given WMI collection.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| classes | String | Yes | | A valid WMI class name. |
| interval | Number | Yes | | The interval, in seconds, at which the WMI provider(s) will be queried. |
| lookup_host | String | Yes | | This is the server from which we will be gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter. |
| disabled | Number | | | Disables the given collection. |
| fields | String | | | Properties (fields) that you want to gather from the given class. Specify each property as a separate argument to the POST operation. |
| index | String | | | The index in which to store the gathered data. |
| instances | String | | | Instances of a given class for which data is gathered. Specify each instance as a separate argument to the POST operation. |
| server | String | | | A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit collection. |
| 404 | Collection does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Modifies the cpu collection so that it gathers data from three machines: localhost via lookup_host, and 10.1.5.157 and 10.1.5.158 via the comma-separated server parameter.
curl -k -u admin:pass \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu \
  -d classes=Win32_PerfFormattedData_PerfOS_Processor \
  -d interval=5 \
  -d lookup_host=localhost \
  -d server=10.1.5.157,10.1.5.158
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:15:33-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>cpu</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
<updated>2011-07-27T14:15:33-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="fields">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">5</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">cpu</s:key>
<s:key name="server"/>
<s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-perfmon
Provides access to performance monitoring configuration. This input allows you to poll Windows performance monitor counters.
GET data/inputs/win-perfmon
Gets current performance monitoring configuration.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0. |
| offset | Number | | 0 | Index for first item to return. |
| search | String | | | Boolean predicate to filter results. |
| sort_dir | Enum | | asc | Valid values: (asc \| desc). Indicates whether to sort the entries returned in ascending or descending order. |
| sort_key | String | | name | Field to sort by. |
| sort_mode | Enum | | auto | Valid values: (auto \| alpha \| alpha_case \| num). Indicates the collating sequence for sorting the returned entries. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view performance monitoring configuration. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| counters | A list of counters to monitor. |
| disabled | Indicates if the monitoring process is disabled. |
| index | The index in which to store the gathered data. |
| instances | A list of counter instances to monitor. |
| interval | How frequently, in seconds, to poll the performance counters. |
| object | A valid performance monitor object. |
Example
Lists all configured perfmon inputs.
curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-perfmon
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:42:06-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/services/data/inputs/win-perfmon/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:42:06-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">
<s:list>
<s:item>Available Bytes</s:item>
</s:list>
</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/win-perfmon
Creates a new performance monitoring stanza or modifies an existing one.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| interval | Number | Yes | | How frequently, in seconds, to poll the performance counters. |
| name | String | Yes | | The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data. |
| object | String | Yes | | A valid performance monitor object (for example, Process, Server, or PhysicalDisk). |
| counters | String | | | A set of counters to monitor. A '*' is equivalent to all counters. Specify each counter as a separate argument to the POST operation. |
| disabled | Boolean | | | Disables a given monitoring stanza. |
| index | String | | | The index in which to store the gathered data. |
| instances | String | | | A set of counter instances to monitor. A '*' is equivalent to all instances. Specify each instance as a separate argument to the POST operation. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to create monitoring stanza. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
No values returned for this request.
Example
Creates a memory monitoring stanza.
curl -k -u admin:pass \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon \
  -d interval=4 \
  -d name=mymemory \
  -d object=Memory
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:40:38-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:40:38-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">Available Bytes</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="instances"/>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-perfmon/{name}
DELETE data/inputs/win-perfmon/{name}
Deletes a given monitoring stanza.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Deleted successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to delete monitoring stanza. |
| 404 | Monitoring stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
No values returned for this request.
Example
Deletes a given perfmon stanza.
curl -k -u admin:pass --request DELETE \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:47:06-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
GET data/inputs/win-perfmon/{name}
Gets settings for a given perfmon stanza.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 403 | Insufficient permissions to view configuration settings. |
| 404 | Performance stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
Returned Values
| Attribute | Description |
|---|---|
| counters | A list of counters to monitor. |
| disabled | Indicates if the monitoring process is disabled. |
| index | The index in which to store the gathered data. |
| instances | A list of counter instances to monitor. |
| interval | How frequently, in seconds, to poll the performance counters. |
| object | A valid performance monitor object. |
Example
Lists a given perfmon stanza.
curl -k -u admin:pass \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:44:21-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>mymemory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory</id>
<updated>2011-07-29T19:44:21-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">
<s:list/>
</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>counters</s:item>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>instances</s:item>
<s:item>interval</s:item>
<s:item>object</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">4</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
POST data/inputs/win-perfmon/{name}
Modifies an existing monitoring stanza.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| counters | String | | | A set of counters to monitor. A '*' is equivalent to all counters. Specify each counter as a separate argument to the POST operation. |
| disabled | Boolean | | | Disables a given monitoring stanza. |
| index | String | | | The index in which to store the gathered data. |
| instances | String | | | A set of counter instances to monitor. A '*' is equivalent to all instances. Specify each instance as a separate argument to the POST operation. |
| interval | Number | | | How frequently, in seconds, to poll the performance counters. |
| object | String | | | A valid performance monitor object (for example, Process, Server, or PhysicalDisk). |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Updated successfully. |
| 400 | Request error. See response body for details. |
| 401 | Authentication failure: must pass valid credentials with request. |
| 402 | The Splunk license in use has disabled this feature. |
| 403 | Insufficient permissions to edit monitoring stanza. |
| 404 | Monitoring stanza does not exist. |
| 409 | Request error: this operation is invalid for this item. See response body for details. |
| 500 | Internal server error. See response body for details. |
| 503 | This feature has been disabled in Splunk configuration files. |
Returned Values
| Attribute | Description |
|---|---|
| counters | A list of counters to monitor. |
| index | The index in which to store the gathered data. |
| instances | A list of counter instances to monitor. |
| interval | How frequently, in seconds, to poll the performance counters. |
| object | A valid performance monitor object. |
Example
Modifies the interval of the given perfmon stanza.
curl -k -u admin:pass \
  https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory \
  -d interval=10
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:45:59-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:45:59-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">Available Bytes</s:key>
<s:key name="disabled">1</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="instances"/>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
indexing/preview
Preview events from a source file before you index the file.
Typically, you create a data preview job for a source file. Use the resulting data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events that would be generated from indexing the source file.
You can also check the status of a data preview job with GET /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. For more information, see GET /search/jobs/{search_id}.
Note: This endpoint is new in Splunk 4.3.
GET indexing/preview
Return a list of all data preview jobs. Data returned includes the Splunk management URI to access each preview job.
Use the data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events from the source file.
Note: Use the POST operation of this endpoint to create a data preview job and return the corresponding data preview job ID.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
Returned Values
No values returned for this request.
Example
Return the data preview job ID of all data preview jobs. Data returned includes the Splunk management URI for each data preview job.
This example shows entries for three data preview jobs.
curl -k -u admin:pass https://localhost:8089/services/indexing/preview
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>preview</title>
<id>https://localhost:8089/services/indexing/preview</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<generator version="108769"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>1322518170.8</title>
<id>https://localhost:8089/services/indexing/preview/1322518170.8</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322518170.8" rel="alternate"/>
<link href="/services/search/jobs/1322518170.8" rel="job"/>
</entry>
<entry>
<title>1322519686.9</title>
<id>https://localhost:8089/services/indexing/preview/1322519686.9</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322519686.9" rel="alternate"/>
<link href="/services/search/jobs/1322519686.9" rel="job"/>
</entry>
<entry>
<title>1322519724.10</title>
<id>https://localhost:8089/services/indexing/preview/1322519724.10</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322519724.10" rel="alternate"/>
<link href="/services/search/jobs/1322519724.10" rel="job"/>
</entry>
</feed>
POST indexing/preview
Create a preview data job for the specified source file, returning the preview data job ID. Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.
You can optionally define sourcetypes for the preview data job in props.conf.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| input.path | String | | | The absolute path to a local file whose indexed events you want to preview. |
| props.<props_attr> | String | | | Define a new sourcetype in props.conf for preview data that you are indexing. Typically, you first examine preview data events returned from GET /search/jobs/{job_id}/events, then define new sourcetypes as needed with this endpoint. |
Response Codes
| Status Code | Description |
|---|---|
| 201 | Created successfully. |
Returned Values
No values returned for this request.
Example
Create a data preview index job for the local file, $SPLUNK_HOME/var/log/splunk/metrics.log. This operation returns the data preview job ID. Use this job ID in /search/jobs/{search_id}/results_preview to view the events that would be generated by indexing this file.
Create the data preview job:
curl -k -u admin:pass https://localhost:8089/services/indexing/preview \
    -d input.path=/Applications/splunk/var/log/splunk/metrics.log
<response>
<messages>
<msg type='INFO'>1319496093.11</msg>
</messages>
</response>
Now, use the returned job ID to preview the events:
curl -k -u admin:pass https://localhost:8089/services/search/jobs/1319496093.11/results_preview
<results preview='0'>
<meta>
<fieldOrder>
<field>_raw</field>
<field>_subsecond</field>
<field>_time</field>
<field>_timelen</field>
<field>_timestartpos</field>
<field>host</field>
<field>linecount</field>
<field>source</field>
<field>sourcetype</field>
</fieldOrder>
</meta>
<result offset='0'>
<field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:41:31.409 -0800 INFO Metrics - group=pipeline, name=indexerpipe, processor=indexandforward, cpu_seconds=0.000000, executes=74, cumulative_hits=26664</v></field>
<field k='_subsecond'>
<value><text>.409</text></value>
</field>
<field k='_time'>
<value><text>2011-11-28T13:41:31.409-08:00</text></value>
</field>
<field k='_timelen'>
<value><text>29</text></value>
</field>
<field k='_timestartpos'>
<value><text>0</text></value>
</field>
<field k='host'>
<value><text>vgenovese-mbp15.splunk.com</text></value>
</field>
<field k='linecount'>
<value><text>1</text></value>
</field>
<field k='source'>
<value><text>/Applications/splunk/var/log/splunk/metrics.log</text></value>
</field>
<field k='sourcetype'>
<value><text>splunkd</text></value>
</field>
</result>
. . .
<!-- result nodes 1 - 98 elided for brevity. -->
. . .
<result offset='99'>
<field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:42:33.314 -0800 INFO Metrics - group=pipeline, name=typing, processor=annotator, cpu_seconds=0.000000, executes=45, cumulative_hits=17246</v></field>
<field k='_subsecond'>
<value><text>.314</text></value>
</field>
<field k='_time'>
<value><text>2011-11-28T13:42:33.314-08:00</text></value>
</field>
<field k='_timelen'>
<value><text>29</text></value>
</field>
<field k='_timestartpos'>
<value><text>0</text></value>
</field>
<field k='host'>
<value><text>vgenovese-mbp15.splunk.com</text></value>
</field>
<field k='linecount'>
<value><text>1</text></value>
</field>
<field k='source'>
<value><text>/Applications/splunk/var/log/splunk/metrics.log</text></value>
</field>
<field k='sourcetype'>
<value><text>splunkd</text></value>
</field>
</result>
</results>
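The create, poll, fetch sequence that this endpoint and GET /search/jobs/{search_id} describe, written out as an added Python example (it is not code from this page or from Splunk's SDK). `splunkd_transport`, `create_preview_job`, `job_state`, `wait_for_job`, `parse_results_preview` and `preview_file` are hypothetical helper names. The shape of the GET /search/jobs/{search_id} entry (an Atom entry whose <s:dict> carries a dispatchState key) is assumed from the Atom and <s:dict> convention the other responses on this page follow; the recorded responses are trimmed from the examples above so the code runs without a splunkd to talk to.

```python
import base64
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

S_NS = "{http://dev.splunk.com/ns/rest}"  # namespace of <s:dict>/<s:key> in Atom responses


def splunkd_transport(base_url, user, password, ca_file):
    """Return fetch(method, path, form) bound to one splunkd management port. ca_file pins
    the CA that signed splunkd's certificate: the verifying counterpart of `curl -k`."""
    ctx = ssl.create_default_context(cafile=ca_file)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(method, path, form=None):
        body = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(base_url + path, data=body, method=method)
        req.add_header("Authorization", "Basic " + token)
        with opener.open(req) as resp:
            return resp.read().decode()
    return fetch


def create_preview_job(fetch, local_path):
    """POST indexing/preview; the new job ID comes back as an INFO message."""
    root = ET.fromstring(fetch("POST", "/services/indexing/preview", {"input.path": local_path}))
    msg = root.find("messages/msg")
    if msg is None or msg.get("type") != "INFO" or not msg.text:
        raise RuntimeError("indexing/preview returned no job id")
    return msg.text.strip()


def job_state(fetch, job_id):
    """GET search/jobs/{id} and read dispatchState from the entry's <s:dict> (assumed shape)."""
    root = ET.fromstring(fetch("GET", "/services/search/jobs/" + job_id))
    for key in root.iter(S_NS + "key"):
        if key.get("name") == "dispatchState":
            return key.text
    return None


def wait_for_job(fetch, job_id, tries=30, delay=1.0, sleep=time.sleep):
    """Poll until DONE or FAILED; give up with an error rather than spin forever."""
    state = None
    for _ in range(tries):
        state = job_state(fetch, job_id)
        if state in ("DONE", "FAILED"):
            return state
        sleep(delay)
    raise TimeoutError(f"preview job {job_id} still {state!r} after {tries} polls")


def _field_value(field):
    # results_preview uses two shapes: <field k='_raw'><v>text</v></field> for the raw
    # event and <field k='host'><value><text>text</text></value></field> for the rest.
    v = field.find("v")
    if v is not None:
        return "".join(v.itertext())
    texts = [t.text or "" for t in field.findall("value/text")]
    return texts[0] if len(texts) == 1 else texts


def parse_results_preview(xml_text):
    """Turn a results_preview document into a list of {field: value} dicts."""
    root = ET.fromstring(xml_text)
    return [{f.get("k"): _field_value(f) for f in r.findall("field")}
            for r in root.findall("result")]


def preview_file(fetch, local_path):
    """Whole workflow: create the job, wait for it, return the events it would index."""
    job_id = create_preview_job(fetch, local_path)
    if wait_for_job(fetch, job_id) != "DONE":
        raise RuntimeError(f"preview job {job_id} failed")
    return parse_results_preview(fetch("GET", f"/services/search/jobs/{job_id}/results_preview"))


# Recorded responses trimmed from the page's examples; the search/jobs entry is a
# constructed minimum. They let the workflow run without a splunkd to talk to.
RECORDED = {
    ("POST", "/services/indexing/preview"):
        "<response><messages><msg type='INFO'>1319496093.11</msg></messages></response>",
    ("GET", "/services/search/jobs/1319496093.11"):
        '<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">'
        '<content type="text/xml"><s:dict><s:key name="dispatchState">DONE</s:key>'
        "</s:dict></content></entry>",
    ("GET", "/services/search/jobs/1319496093.11/results_preview"):
        "<results preview='0'><result offset='0'>"
        "<field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:41:31.409 -0800 INFO "
        "Metrics - group=pipeline, name=indexerpipe, processor=indexandforward</v></field>"
        "<field k='_time'><value><text>2011-11-28T13:41:31.409-08:00</text></value></field>"
        "<field k='sourcetype'><value><text>splunkd</text></value></field>"
        "</result></results>",
}


def recorded_transport(method, path, form=None):
    return RECORDED[(method, path)]


if __name__ == "__main__":
    print(preview_file(recorded_transport, "/Applications/splunk/var/log/splunk/metrics.log"))
```

Against a live server, replace `recorded_transport` with `splunkd_transport("https://localhost:8089", "admin", "pass", "/path/to/splunkd-ca.pem")`; pinning the CA file keeps certificate verification on, which the page's `curl -k` switches off. The parser accepts both field encodings results_preview uses, so `_raw` and the metadata fields land in the same dict and a reviewer can check sourcetype and `_time` assignment per event before committing to indexing the file.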
indexing/preview/{job_id}
GET indexing/preview/{job_id}
Returns the props.conf settings for the data preview job specified by {job_id}.
Request
No parameters for this request.
Response Codes
| Status Code | Description |
|---|---|
| 200 | Listed successfully. |
| 404 | Specified job ID does not exist. |
Returned Values
No values returned for this request.
Example
Return the props.conf settings for the specified data preview job.
curl -k -u admin:pass https://localhost:8089/services/indexing/preview/1319496093.11
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>1319496093.11</title>
<id>https://localhost:8089/services/indexing/preview/1319496093.11</id>
<updated>2011-10-24T15:44:09-07:00</updated>
<link href="/services/indexing/preview/1319496093.11" rel="alternate"/>
<content type="text/xml">
<s:dict>
<s:key name="explicit">
<s:dict>
<s:key name="PREFERRED_SOURCETYPE">
<s:dict>
<s:key name="value">splunkd</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="inherited">
<s:dict>
<s:key name="ANNOTATE_PUNCT">
<s:dict>
<s:key name="value">True</s:key>
<s:key name="stanza">default</s:key>
</s:dict>
</s:key>
. . .
<!-- additional inherited key values elided for brevity. -->
<s:key name="sourcetype">
<s:dict>
<s:key name="value">splunkd</s:key>
<s:key name="stanza">source::.../var/log/splunk/metrics.log(.\d+)?</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
<link href="/services/search/jobs/1319496093.11" rel="job"/>
</entry>
receivers/simple
Allows for sending events to Splunk in an HTTP request.
POST receivers/simple
Create events from the contents contained in the HTTP body.
Request
Note that all metadata (host, source, sourcetype, and so on) is passed as URL query parameters; the request body carries only the raw event text.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| <arbitrary_data> | String | | | Raw event text. This will be the entirety of the HTTP request body. |
| host | String | | | The value to populate in the host field for events from this data input. |
| host_regex | String | | | A regular expression used to extract the host value from each event. |
| index | String | | default | The index to send events from this input to. |
| source | String | | | The source value to fill in the metadata for this input's events. |
| sourcetype | String | | | The sourcetype to apply to events from this input. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Data accepted. |
| 400 | Request error. See response body for details. |
| 404 | Receiver does not exist. |
Returned Values
No values returned for this request.
Example
Sends an event with the "web_event" sourcetype and "www" source to this Splunk indexer.
curl -k -u admin:pass \
    "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" \
    -d "Sun Jul 10 15:56:02 PDT 2011 User vishalp logged in successfully."
<response>
<results>
<result>
<field k="_index">
<value>
<text>default</text>
</value>
</field>
<field k="bytes">
<value>
<text>67</text>
</value>
</field>
<field k="host">
<value>
<text>127.0.0.1</text>
</value>
</field>
<field k="source">
<value>
<text>www</text>
</value>
</field>
<field k="sourcetype">
<value>
<text>web_event</text>
</value>
</field>
</result>
</results>
</response>
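The query-string-versus-body split that receivers/simple relies on, as an added Python example (not code from this page or from Splunk). `build_simple_receiver_url`, `parse_receiver_ack`, `ack_mismatches` and `send_event` are hypothetical helper names; the transport is injected as a `post(url, body)` callable, and the acknowledgement used to exercise the helpers offline is copied from the curl example above.

```python
import urllib.parse
import xml.etree.ElementTree as ET

SIMPLE_PARAMS = {"host", "host_regex", "index", "source", "sourcetype"}
ACK_KEYS = {"index": "_index"}  # the ack reports the index under _index


def build_simple_receiver_url(base_url, **metadata):
    """Metadata goes in the query string, never in the body, which is the event text in
    its entirety. urlencode escapes values a hand-built URL would break on, such as a
    host_regex containing parentheses, backslashes or spaces."""
    unknown = set(metadata) - SIMPLE_PARAMS
    if unknown:
        raise ValueError(f"not receivers/simple parameters: {sorted(unknown)}")
    return base_url + "/services/receivers/simple?" + urllib.parse.urlencode(metadata)


def parse_receiver_ack(xml_text):
    """Flatten <response><results><result><field k=...><value><text> into a dict."""
    root = ET.fromstring(xml_text)
    return {f.get("k"): f.findtext("value/text") for f in root.iter("field")}


def ack_mismatches(ack, metadata):
    """Requested metadata keys whose echoed value differs. The ack reports what Splunk
    actually applied, so check it instead of assuming the intended source, sourcetype
    or index was used."""
    return sorted(k for k, v in metadata.items()
                  if ACK_KEYS.get(k, k) in ack and ack[ACK_KEYS.get(k, k)] != v)


def send_event(post, base_url, event_text, **metadata):
    """POST one event through post(url, body_bytes) -> response text and return the parsed
    acknowledgement, refusing to report success when the echoed metadata differs."""
    url = build_simple_receiver_url(base_url, **metadata)
    ack = parse_receiver_ack(post(url, event_text.encode("utf-8")))
    bad = ack_mismatches(ack, metadata)
    if bad:
        raise ValueError(f"receiver applied different metadata for {bad}: {ack}")
    return ack


# Acknowledgement copied from the page's curl example, used as a constructed stand-in
# for a live transport so the helpers can be exercised offline.
SAMPLE_ACK = """<response><results><result>
<field k="_index"><value><text>default</text></value></field>
<field k="bytes"><value><text>67</text></value></field>
<field k="host"><value><text>127.0.0.1</text></value></field>
<field k="source"><value><text>www</text></value></field>
<field k="sourcetype"><value><text>web_event</text></value></field>
</result></results></response>"""


def recorded_post(url, body):
    return SAMPLE_ACK


if __name__ == "__main__":
    print(send_event(recorded_post, "https://localhost:8089",
                     "Sun Jul 10 15:56:02 PDT 2011 User vishalp logged in successfully.",
                     source="www", sourcetype="web_event"))
```

With a real transport (for instance a `urllib.request` opener that verifies splunkd's certificate and adds the Basic Authorization header), `send_event` is the whole client: metadata is encoded into the URL, the event body is sent as-is, and the `_index`, `source` and `sourcetype` values Splunk echoes are compared against what was requested before the call is treated as successful.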
receivers/stream
Opens a socket for streaming events to Splunk.
POST receivers/stream
Create events from the stream of data following HTTP headers.
Request
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| <data_stream> | String | | | Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available. |
| host | String | | | The value to populate in the host field for events from this data input. |
| host_regex | String | | | A regular expression used to extract the host value from each event. |
| index | String | | | The index to send events from this input to. |
| source | String | | | The source value to fill in the metadata for this input's events. |
| sourcetype | String | | | The sourcetype to apply to events from this input. |
Response Codes
| Status Code | Description |
|---|---|
| 200 | Data accepted. |
| 400 | Request error. See response body for details. |
| 404 | Receiver does not exist. |
Returned Values
No values returned for this request.
Example
Streams an arbitrary number of events to Splunk. This example is best demonstrated with a program rather than a curl request. Below is a short Python script that runs until the user presses Ctrl-C, sending one event per second to Splunk. Note that for a streaming connection, the "x-splunk-input-mode" header must be set to "streaming".
import http.client, time

# One long-lived HTTPS connection to the management port; events are written to it
# one after another instead of as separate requests. HTTPSConnection verifies the
# server certificate; for a self-signed splunkd certificate, pass
# context=ssl.create_default_context(cafile=...) pointing at the signing CA.
conn = http.client.HTTPSConnection("localhost", 8089)
conn.connect()
conn.putrequest("POST", "/services/receivers/stream?source=www&sourcetype=web_data")
conn.putheader("Authorization", "Basic YWRtaW46cGFzcw==")  # base64 of admin:pass
conn.putheader("x-splunk-input-mode", "streaming")        # required for a streaming receiver
conn.endheaders()
print("Looping...")
while True:
    # send() takes bytes; each line becomes one event
    conn.send(("%s A sample event.\n" % time.asctime()).encode())
    time.sleep(1)
There is no response for this request.
This documentation applies to the following versions of Splunk: 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6