REST API Reference Manual

 


Inputs

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.


Use the Inputs endpoints to manage data sent to Splunk servers.

data/inputs/*
Create and manage data inputs to Splunk servers.


receivers/*
Create and manage HTTP streaming of events to Splunk servers.


data/inputs/ad

Provides access to Active Directory monitoring input.

GET data/inputs/ad

Gets current AD monitoring configuration.

Request

Name | Type | Required | Default | Description
count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0.
offset | Number | | 0 | Index for first item to return.
search | String | | | Boolean predicate to filter results.
sort_dir | Enum | | asc | Valid values: asc or desc. Indicates whether to sort the entries returned in ascending or descending order.
sort_key | String | | name | Field to sort by.
sort_mode | Enum | | auto | Valid values: auto, alpha, alpha_case or num. Indicates the collating sequence for sorting the returned entries.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view AD monitoring configuration.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates whether the monitoring is disabled.
index The index in which to store the gathered data.
monitorSubtree Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
startingNode Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree.
targetDc Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk obtains the local computer's DC.

Example

Lists all configured AD monitoring stanzas.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/ad
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/ad</id>
  <updated>2011-07-29T19:13:28-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/ad/_new" rel="create"/>
  <link href="/services/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>NearestDC</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/ad/NearestDC</id>
    <updated>2011-07-29T19:13:28-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">1</s:key>
        <s:key name="startingNode"/>
        <s:key name="targetDc"/>
      </s:dict>
    </content>
  </entry>
</feed>
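The feed above has the shape every inputs endpoint on this page returns: each entry's settings sit inside its <content> as an <s:dict> of <s:key> elements, with <s:dict>, <s:list> and <s:item> for nested values such as eai:attributes. The Python below is an added example, not part of this reference or of Splunk's own code; it parses that structure with the standard library, and SAMPLE_FEED is constructed from the NearestDC and newdc entries shown in this section, trimmed to the parts used here.

```python
"""Parse the Atom feed returned by the Splunk 4.x inputs endpoints (added example).

Each <entry> keeps its settings in <content> as an <s:dict> of <s:key name="..">
elements in the http://dev.splunk.com/ns/rest namespace; nested structures use
<s:dict>, <s:list> and <s:item>.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
REST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: the NearestDC and newdc entries from this reference,
# reduced to the links and keys the parser below is exercised on.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <entry>
    <title>NearestDC</title>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">1</s:key>
        <s:key name="startingNode"/>
        <s:key name="targetDc"/>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>newdc</title>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="requiredFields">
              <s:list><s:item>monitorSubtree</s:item></s:list>
            </s:key>
            <s:key name="wildcardFields"><s:list/></s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _value(node):
    """Body of an <s:key> or <s:item>: nested dict, list, or text ('' when empty)."""
    child = node.find(REST + "dict")
    if child is not None:
        return _dict(child)
    child = node.find(REST + "list")
    if child is not None:
        return [_value(item) for item in child.findall(REST + "item")]
    return (node.text or "").strip()


def _dict(dict_node):
    """Map each <s:key name="..."> under an <s:dict> to its parsed value."""
    return {key.get("name"): _value(key) for key in dict_node.findall(REST + "key")}


def parse_feed(xml_text):
    """Return one {'title', 'links', 'settings'} record per <entry> in the feed."""
    root = ET.fromstring(xml_text)
    records = []
    for entry in root.findall(ATOM + "entry"):
        content = entry.find(ATOM + "content")
        settings = content.find(REST + "dict") if content is not None else None
        records.append({
            "title": entry.findtext(ATOM + "title"),
            # rel -> href, e.g. the 'edit', 'enable' and 'disable' action links
            "links": {l.get("rel"): l.get("href") for l in entry.findall(ATOM + "link")},
            "settings": _dict(settings) if settings is not None else {},
        })
    return records


def enabled_inputs(records):
    """Titles of inputs that are currently active (disabled flag not set to 1)."""
    return [r["title"] for r in records if r["settings"].get("disabled") != "1"]


def index_usage(records):
    """Map each target index to the input titles that write into it."""
    usage = {}
    for r in records:
        usage.setdefault(r["settings"].get("index", ""), []).append(r["title"])
    return usage
```

enabled_inputs and index_usage give a quick inventory of which inputs are live and where their events land, which is the first thing to check when reviewing what a Splunk instance collects.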

POST data/inputs/ad

Creates a new or modifies an existing AD monitoring stanza.

Request

Name | Type | Required | Default | Description
monitorSubtree | Number | Yes | 1 | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
name | String | Yes | | A unique name that represents a configuration or set of configurations for a specific domain controller (DC).
disabled | Number | | 1 | Indicates whether the monitoring is disabled.
index | String | | | The index in which to store the gathered data.
startingNode | String | | | Where in the Active Directory directory tree to start monitoring. If not specified, will attempt to start at the root of the directory tree.
targetDc | String | | | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk will obtain the local computer's DC.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create monitoring stanza.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a new AD monitoring stanza, naming it 'newdc', without sub-tree monitoring.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/inputs/ad \
	-d monitorSubtree=0 \
	-d name=newdc
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:14:57-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/ad/{name}

DELETE data/inputs/ad/{name}

Deletes a given AD monitoring stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete AD monitoring stanza.
404 AD monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes a given stanza.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:22:50-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/ad/{name}

Gets the current configuration for a given AD monitoring stanza.

Request

Attribute Description
index The index in which to store the gathered data.
monitorSubtree Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view AD monitoring configuration.
404 AD monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Gets configuration for a given AD monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:18:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>newdc</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad/newdc</id>
    <updated>2011-07-29T19:18:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>startingNode</s:item>
                <s:item>targetDc</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>monitorSubtree</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/ad/{name}

Modifies a given AD monitoring stanza.

Request

Name | Type | Required | Default | Description
monitorSubtree | Number | Yes | 1 | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
disabled | Number | | 1 | Indicates whether the monitoring is disabled.
index | String | | | The index in which to store the gathered data.
startingNode | String | | | Where in the Active Directory directory tree to start monitoring. If not specified, will attempt to start at the root of the directory tree.
targetDc | String | | | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk will obtain the local computer's DC.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit AD monitoring stanza.
404 AD monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Modifies an existing AD monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc \
	-d monitorSubtree=1
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:20:16-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/inputs/monitor

Provides access to monitor inputs.

GET data/inputs/monitor

List enabled and disabled monitor inputs.

Request

Name | Type | Required | Default | Description
count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0.
offset | Number | | 0 | Index for first item to return.
search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir | Enum | | asc | Valid values: asc or desc. Indicates whether to sort returned entries in ascending or descending order.
sort_key | String | | name | Field to use for sorting.
sort_mode | Enum | | auto | Valid values: auto, alpha, alpha_case or num. Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view monitored input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_TCP_ROUTING List of TCP forwarding groups, as specified in outputs.conf.
disabled Indicates if inputs monitoring is disabled.
filecount Number of files monitored.
host Name of the Splunk host for which inputs are monitored.
index The index events from this input should be stored in.
sourcetype Source type being monitored.

The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk formats your data.

Example

Provides information on all enabled and disabled inputs for monitoring by this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/monitor


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/services/data/inputs/monitor</id>
  <updated>2011-07-10T14:25:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/monitor/_new" rel="create"/>
  <link href="/services/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>$SPLUNK_HOME/etc/splunk.version</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
    <updated>2011-07-10T14:25:53-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_TCP_ROUTING">*</s:key>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="filecount">1</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="sourcetype">splunk_version</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/monitor

Create a new file or directory monitor input.

Request

Name | Type | Required | Default | Description
name | String | Yes | | The file or directory path to monitor on the system.
blacklist | String | | | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index | Boolean | | | If set to true, the "index" value will be checked to ensure that it is the name of a valid index.
check-path | Boolean | | | If set to true, the "name" value will be checked to ensure that it exists.
crc-salt | String | | | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
followTail | Boolean | | | If set to true, files that are seen for the first time will be read from the end.
host | String | | | The value to populate in the host field for events from this data input.
host_regex | String | | | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment | Number | | | Use the specified slash-separated segment of the file path as the host field value.
ignore-older-than | String | | | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index | String | | default | Which index events from this input should be stored in.
recursive | Boolean | | | Setting this to "false" will prevent monitoring of any subdirectories encountered within this data input.
rename-source | String | | | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype | String | | | The value to populate in the sourcetype field for incoming events.
time-before-close | Number | | | When Splunk reaches the end of a file that is being read, the file will be kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file will be checked again for more data.
whitelist | String | | | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create monitored input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Configures the Unix /var/log directory as a monitored input.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor \
	-d name=/var/log


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:27:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/monitor/{name}

DELETE data/inputs/monitor/{name}

Disable the named monitor data input and remove it from the configuration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete monitored input.
404 Monitored input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Removes the following file as a monitored input. This monitored input was created in the example for the POST operation of this endpoint.

/Applications/splunk/var/log/splunk/web_access.log

The {name} field in the DELETE operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog



<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:35-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
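The {name} segment of the monitor endpoints is the monitored path itself, so its slashes must not be read as URL path separators: the examples in this section encode "/" as %2F and then URI-encode the whole segment once more (/var/log becomes %252Fvar%252Flog; in the GET listing above, $SPLUNK_HOME/etc/splunk.version becomes %24SPLUNK_HOME%252Fetc%252Fsplunk.version). The Python below is an added example, not Splunk's code; it reproduces that rule, builds the URLs used by the monitor and AD examples on this page, and assembles urllib requests (Basic auth as curl -u does, a form body as -d does) without sending them. The base URL, owner, app and credentials are placeholders taken from the examples.

```python
"""Build requests for the Splunk 4.x data/inputs/monitor endpoints (added example)."""
import base64
from urllib.parse import quote, unquote, urlencode
from urllib.request import Request


def encode_input_name(name):
    """Double-encode a monitor input name the way the reference examples do."""
    once = name.replace("/", "%2F")   # first pass: only the path separator
    return quote(once, safe="")       # second pass: everything, so "%" -> "%25", "$" -> "%24"


def decode_input_name(segment):
    """Inverse of encode_input_name: recover the original file or directory path."""
    return unquote(unquote(segment))


def input_url(base, owner, app, kind, name=None, action=None):
    """URL for data/inputs/<kind> under servicesNS/<owner>/<app>.

    kind is 'monitor' or 'ad'; name selects one input and action a sub-resource
    such as 'members', 'enable' or 'disable'. Only monitor names contain slashes,
    but the double encoding is harmless for names like 'newdc'.
    """
    url = f"{base}/servicesNS/{owner}/{app}/data/inputs/{kind}"
    if name is not None:
        url += "/" + encode_input_name(name)
    if action is not None:
        url += "/" + action
    return url


def build_request(url, user, password, method="GET", params=None):
    """urllib Request with HTTP Basic auth and an optional form-encoded body.

    Form values are single-encoded by urlencode: a body value of /var/log is sent
    as name=%2Fvar%2Flog, exactly what `curl -d name=/var/log` sends; only the
    path segment needs the double encoding.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = urlencode(params).encode() if params else None
    req = Request(url, data=data, method=method)
    req.add_header("Authorization", "Basic " + token)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


# Placeholder connection details, as in the curl examples on this page.
BASE = "https://localhost:8089"

# The three monitor operations shown in this section, built but not sent.
create_var_log = build_request(input_url(BASE, "nobody", "search", "monitor"),
                               "admin", "pass", method="POST", params={"name": "/var/log"})
no_recurse = build_request(input_url(BASE, "nobody", "search", "monitor", "/var/log"),
                           "admin", "pass", method="POST", params={"recursive": "false"})
delete_var_log = build_request(input_url(BASE, "nobody", "search", "monitor", "/var/log"),
                               "admin", "pass", method="DELETE")
```

Unlike curl -k, urllib.request.urlopen verifies the server certificate against the system trust store by default, so sending these requests to a Splunk instance with a self-signed certificate fails until that certificate is trusted.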

GET data/inputs/monitor/{name}

List the properties of a single monitor data input.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view monitored input.
404 Monitored input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates if inputs monitoring is disabled.
eai:attributes See Accessing Splunk resources
filecount Number of files being monitored.
host Name of the Splunk host for which inputs are monitored.
index The index events from this input should be stored in.

Example

Returns information on the monitored directory /var/log.

The {name} field in the GET operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:33:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog</id>
    <updated>2011-07-10T14:33:54-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members" rel="members"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>blacklist</s:item>
                <s:item>check-index</s:item>
                <s:item>check-path</s:item>
                <s:item>crc-salt</s:item>
                <s:item>followTail</s:item>
                <s:item>host</s:item>
                <s:item>host_regex</s:item>
                <s:item>host_segment</s:item>
                <s:item>ignore-older-than</s:item>
                <s:item>index</s:item>
                <s:item>recursive</s:item>
                <s:item>rename-source</s:item>
                <s:item>sourcetype</s:item>
                <s:item>time-before-close</s:item>
                <s:item>whitelist</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="filecount">108</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/monitor/{name}

Update properties of the named monitor input.

Request

Name | Type | Required | Default | Description
blacklist | String | | | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index | Boolean | | | If set to true, the "index" value will be checked to ensure that it is the name of a valid index.
check-path | Boolean | | | If set to true, the "name" value will be checked to ensure that it exists.
crc-salt | String | | | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
followTail | Boolean | | | If set to true, files that are seen for the first time will be read from the end.
host | String | | | The value to populate in the host field for events from this data input.
host_regex | String | | | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment | Number | | | Use the specified slash-separated segment of the file path as the host field value.
ignore-older-than | String | | | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index | String | | default | Which index events from this input should be stored in.
recursive | Boolean | | | Setting this to "false" will prevent monitoring of any subdirectories encountered within this data input.
rename-source | String | | | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype | String | | | The value to populate in the sourcetype field for incoming events.
time-before-close | Number | | | When Splunk reaches the end of a file that is being read, the file will be kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file will be checked again for more data.
whitelist | String | | | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit monitored input.
404 Monitored input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Updates the monitored input such that it does not recurse through subdirectories. This monitored input was created in the example for the POST operation of this endpoint.

The {name} field in the POST operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog \
	-d recursive=false


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/monitor/{name}/members

GET data/inputs/monitor/{name}/members

Lists all files monitored under the named monitor input.

Request

Name | Type | Required | Default | Description
count | Number | | 30 | Indicates the maximum number of entries to return. To return all entries, specify 0.
offset | Number | | 0 | Index for first item to return.
search | String | | | Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir | Enum | | asc | Valid values: asc or desc. Indicates whether to sort returned entries in ascending or descending order.
sort_key | String | | name | Field to use for sorting.
sort_mode | Enum | | auto | Valid values: auto, alpha, alpha_case or num. Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view monitored input's files.
404 Monitor input does not exist or does not have any members.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Retrieves the list of files under /var/log that this input is monitoring.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:34:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log/acpid</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid</id>
    <updated>2011-07-10T14:34:28-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
      </s:dict>
    </content>
  </entry>
  <!-- many more file entries elided for brevity. -->
</feed>


data/inputs/oneshot

Provides access to oneshot inputs.

GET data/inputs/oneshot

Enumerates in-progress oneshot inputs. As soon as an input is complete, it is removed from this list.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file has been read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.

Example

Lists the in-progress oneshot inputs for this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log/distccd.log</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log</id>
    <updated>2011-07-08T01:48:04-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">7200768</s:key>
        <s:key name="Offset">7200768</s:key>
        <s:key name="Size">449630160</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:47:53 PDT 2011</s:key>
        <!-- eai:acl nodes elided for brevity. -->
      </s:dict>
    </content>
  </entry>
</feed>
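The two things a client has to get right when working with the file-based inputs above are the doubly URL-encoded path in the {name} segment (the data/inputs/monitor/{name}/members example uses %252Fvar%252Flog for /var/log) and reading progress out of the <s:dict> in a oneshot entry, where the reference defines progress as Offset divided by Size. The following Python is an added example, not code from Splunk or from this manual; the sample feed is constructed from the values in the GET data/inputs/oneshot response above, and the function names are this example's own.

```python
"""Build the double-encoded {name} segment for data/inputs/* endpoints and
read oneshot progress out of an Atom feed. Added example, not Splunk code."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Namespaces used by the feeds shown in the reference.
ATOM = "{http://www.w3.org/2005/Atom}"
SPLUNK = "{http://dev.splunk.com/ns/rest}"


def encode_name(path: str) -> str:
    """Encode a file path for the {name} segment of an endpoint URL.

    The path is URL-encoded twice so the slashes survive the server's own
    decoding: /var/log -> %2Fvar%2Flog -> %252Fvar%252Flog.
    """
    return quote(quote(path, safe=""), safe="")


def _dict_to_py(node):
    """Convert an <s:dict> into a Python dict; nested <s:list> becomes a list."""
    out = {}
    for key in node.findall(f"{SPLUNK}key"):
        name = key.get("name")
        child_dict = key.find(f"{SPLUNK}dict")
        child_list = key.find(f"{SPLUNK}list")
        if child_dict is not None:
            out[name] = _dict_to_py(child_dict)
        elif child_list is not None:
            out[name] = [item.text for item in child_list.findall(f"{SPLUNK}item")]
        else:
            out[name] = key.text
    return out


def parse_feed(xml_text: str) -> dict:
    """Return {entry title: {key: value}} for every <entry> in a feed."""
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.findall(f"{ATOM}entry"):
        title = entry.findtext(f"{ATOM}title")
        content = entry.find(f"{ATOM}content/{SPLUNK}dict")
        entries[title] = _dict_to_py(content) if content is not None else {}
    return entries


def oneshot_progress(entry: dict) -> float:
    """Percentage of the source file read so far: Offset / Size * 100.

    A Size of 0 (an empty file) is reported as fully read rather than
    raising ZeroDivisionError.
    """
    size = int(entry["Size"])
    if size == 0:
        return 100.0
    return int(entry["Offset"]) / size * 100


# Constructed sample: the entry from the GET data/inputs/oneshot example.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <entry>
    <title>/var/log/distccd.log</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">7200768</s:key>
        <s:key name="Offset">7200768</s:key>
        <s:key name="Size">449630160</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:47:53 PDT 2011</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


if __name__ == "__main__":
    for title, fields in parse_feed(SAMPLE_FEED).items():
        print(f"{title}: {oneshot_progress(fields):.2f}% read, "
              f"{fields['Sources Indexed']} archive members, "
              f"detail URL segment {encode_name(title)}")
```

Because the Offset of a compressed source is a position in the compressed stream while Bytes Indexed counts uncompressed data, the two numbers are only equal for plain files such as the sample; compare Offset with Size, as the reference does, when you want a percentage.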

POST data/inputs/oneshot

Queues a file for immediate indexing by the file input subsystem. The file must be locally accessible from the server.

This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether it has been indexed before.

Request

Name Type Required Default Description
name String
The path to the file to be indexed. The file must be locally accessible by the server.
host String The value of the "host" field to be applied to data from this file.
host_regex String A regex to be used to extract a "host" field from the path.

If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.

host_segment Number Use the specified slash-separated segment of the path as the host field value.
index String The destination index for data processed from this file.
rename-source String The value of the "source" field to be applied to data from this file.
sourcetype String The value of the "sourcetype" field to be applied to data from this file.
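The host_regex and host_segment parameters above both derive the host field from the file path, and host_regex must contain exactly one capture group. The following Python is an added example, not Splunk code, showing how a client can apply the same rules locally and reject a malformed host_regex before posting; the function names are this example's own, and treating host_segment as a 1-based index that ignores the leading slash is an assumption of this example.

```python
"""Derive the oneshot "host" field the way host_regex and host_segment are
described, and check host_regex has one capture group. Added example."""
import re
from typing import Optional


def check_host_regex(pattern: str) -> "re.Pattern":
    """Compile host_regex and insist on exactly one capture group."""
    compiled = re.compile(pattern)
    if compiled.groups != 1:
        raise ValueError(
            f"host_regex must have exactly one capture group, got {compiled.groups}")
    return compiled


def host_regex_is_valid(pattern: str) -> bool:
    """True when the pattern compiles and has exactly one capture group."""
    try:
        check_host_regex(pattern)
        return True
    except (re.error, ValueError):
        return False


def host_from_regex(path: str, pattern: str) -> Optional[str]:
    """Captured host if the path matches; None means the field stays unset."""
    match = check_host_regex(pattern).search(path)
    return match.group(1) if match else None


def host_from_segment(path: str, segment: int) -> Optional[str]:
    """N-th slash-separated segment of the path (assumed 1-based, leading
    slash ignored), or None if the path has fewer segments."""
    parts = [p for p in path.split("/") if p]
    if segment < 1 or segment > len(parts):
        return None
    return parts[segment - 1]


def oneshot_form(path: str, host_regex: Optional[str] = None,
                 host_segment: Optional[int] = None, **fields) -> dict:
    """Form fields for POST data/inputs/oneshot, validating host_regex first
    so a bad pattern fails locally instead of as a 400 from the server."""
    body = {"name": path}
    if host_regex is not None:
        check_host_regex(host_regex)
        body["host_regex"] = host_regex
    if host_segment is not None:
        body["host_segment"] = str(host_segment)
    body.update(fields)
    return body


if __name__ == "__main__":
    # Constructed sample path: /var/log/<hostname>/<file>.
    sample = "/var/log/web01/access.log"
    print(host_from_regex(sample, r"/var/log/([^/]+)/"))  # web01
    print(host_from_segment(sample, 3))                     # web01
    print(oneshot_form(sample, host_regex=r"/var/log/([^/]+)/", sourcetype="access_combined"))
```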

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

This example queues the file /var/log/messages for indexing.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot \
	-d name=/var/log/messages


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/oneshot/{name}

GET data/inputs/oneshot/{name}

Finds information about a single in-flight oneshot input. This is a subset of the information in the full enumeration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file has been read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.
eai:attributes See Accessing Splunk resources

Example

Lists information about the named in-progress oneshot input in this Splunk instance.


curl -k -u admin:pass \
	https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:49:20-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log/messages</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages</id>
    <updated>2011-07-08T01:49:20-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">114822</s:key>
        <s:key name="Offset">114822</s:key>
        <s:key name="Size">114822</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:48:04 PDT 2011</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/registry

Provides access to Windows registry monitoring input.

GET data/inputs/registry

Gets current registry monitoring configuration.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Boolean predicate to filter results.
sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort the entries returned in ascending or descending order.

sort_key String name Field to sort by.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view registry monitoring configuration.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Gets current registry inputs configuration.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/registry

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/registry</id>
  <updated>2011-07-29T19:31:32-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/registry/_new" rel="create"/>
  <link href="/services/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Machine keys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/Machine%20keys</id>
    <updated>2011-07-29T19:31:32-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">0</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hive">HKLM</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/registry

Creates new or modifies existing registry monitoring settings.

Request

Name Type Required Default Description
baseline Number
0 Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive String
Specifies the registry hive under which to monitor for changes.
name String
Name of the configuration stanza.
proc String
Specifies a regex. If specified, changes are collected only when the process name matches that regex.
type String
A regular expression that specifies the type(s) of Registry event(s) that you want to monitor.
disabled Number 1 Indicates whether the monitoring is disabled.
index String The index in which to store the gathered data.
monitorSubnodes Number If set to 1, monitors all sub-nodes under the given hive.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create registry monitoring stanza.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a new registry monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry \
	-d baseline=1 \
	-d hive="HKU\\.*" \
	-d name=mykeys \
	-d proc="c:\\.*" \
	-d type="set|create|delete|rename"

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:29:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/registry/{name}

DELETE data/inputs/registry/{name}

Deletes registry monitoring configuration stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete registry configuration stanza.
404 Registry monitoring configuration stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes existing configuration stanza.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:54-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/registry/{name}

Gets current registry monitoring configuration stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view registry monitoring configuration stanza.
404 Registry monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Gets current configuration for a given stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:33:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>mykeys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/mykeys</id>
    <updated>2011-07-29T19:33:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">1</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>monitorSubnodes</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>baseline</s:item>
                <s:item>hive</s:item>
                <s:item>proc</s:item>
                <s:item>type</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hive">HKU</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
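The eai:attributes block in the response above tells a client which fields the registry endpoint requires (baseline, hive, proc, type), which are optional (disabled, index, monitorSubnodes) and which wildcard names it accepts (none here), and the parameter table for POST documents baseline, disabled and monitorSubnodes as 0/1 flags. The following Python is an added example, not Splunk code, that checks a proposed POST data/inputs/registry body against those lists before sending it; the field lists are copied from the response above, the function names are this example's own, and treating wildcardFields entries as regular expressions matched against the whole field name is an assumption of this example.

```python
"""Validate a POST data/inputs/registry body against the eai:attributes field
lists returned by GET data/inputs/registry/{name}. Added example."""
import re

# Field lists as shown in the GET data/inputs/registry/mykeys response.
EAI_ATTRIBUTES = {
    "requiredFields": ["baseline", "hive", "proc", "type"],
    "optionalFields": ["disabled", "index", "monitorSubnodes"],
    "wildcardFields": [],
}

# Parameters the reference documents as 0/1 flags.
FLAG_FIELDS = ("baseline", "disabled", "monitorSubnodes")

# Parameters the reference documents as regular expressions.
REGEX_FIELDS = ("proc", "type")


def validate_registry_body(body: dict, attrs: dict = EAI_ATTRIBUTES) -> list:
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    known = set(attrs["requiredFields"]) | set(attrs["optionalFields"])
    # Assumption: wildcardFields entries are regexes over the whole field name.
    wildcards = [re.compile(w) for w in attrs["wildcardFields"]]

    for field in attrs["requiredFields"]:
        if field not in body:
            problems.append(f"missing required field {field!r}")

    for field, value in body.items():
        if field not in known and not any(w.fullmatch(field) for w in wildcards):
            problems.append(f"unknown field {field!r}")
        if field in FLAG_FIELDS and str(value) not in ("0", "1"):
            problems.append(f"{field} must be 0 or 1, got {value!r}")
        if field in REGEX_FIELDS:
            try:
                re.compile(str(value))
            except re.error as exc:
                problems.append(f"{field} is not a valid regex: {exc}")
    return problems


def split_event_types(type_regex: str) -> list:
    """Expand the '|'-separated alternation posted in 'type' into the list
    form that GET returns (set|create -> ['set', 'create'])."""
    return str(type_regex).split("|")


if __name__ == "__main__":
    # Constructed sample: the body from the POST data/inputs/registry example.
    body = {"baseline": 1, "hive": "HKU\\.*", "proc": "c:\\.*",
            "type": "set|create|delete|rename"}
    print(validate_registry_body(body))                       # []
    print(validate_registry_body({"baseline": "yes", "typo": 1}))
    print(split_event_types(body["type"]))
```

Run the check against the eai:attributes of the stanza you are about to modify rather than a hard-coded copy where you can, since the lists are what the server actually enforces.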

POST data/inputs/registry/{name}

Modifies given registry monitoring stanza.

Request

Name Type Required Default Description
baseline Number
0 Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive String
Specifies the registry hive under which to monitor for changes.
proc String
Specifies a regex. If specified, changes are collected only when the process name matches that regex.
type String
A regular expression that specifies the type(s) of Registry event(s) that you want to monitor.
disabled Number 1 Indicates whether the monitoring is disabled.
index String The index in which to store the gathered data.
monitorSubnodes Number If set to 1, monitors all sub-nodes under the given hive.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit registry monitoring stanza.
404 Registry monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Modifies existing registry configuration.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys \
	-d baseline=1 \
	-d hive="HKU\\.*" \
	-d proc="c:\\.*" \
	-d type="set|create"

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:07-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/inputs/script

Provides access to scripted inputs.

GET data/inputs/script

Gets the configuration settings for scripted inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view script.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Specifies whether the input script is disabled.
endtime If available, the time when the script stopped executing.
group Indicates the OS group of commands.
host The host this data is identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

source The source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

sourcetype Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. There is no hard-coded default.

For more information, see the documentation for the sourcetype parameter for the POST operation.

starttime If available, the time when the script was executed.

Example

Lists configuration settings for all scripted inputs for this Splunk instance.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/script


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/services/data/inputs/script</id>
  <updated>2011-07-09T20:16:11-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/script/_new" rel="create"/>
  <link href="/services/data/inputs/script/_reload" rel="_reload"/>
  <link href="/services/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh</id>
    <updated>2011-07-09T20:16:11-07:00</updated>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="list"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="edit"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="endtime">Sat Jul  9 20:15:54 2011</s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">vgenovese-mbp15.splunk.com</s:key>
        <s:key name="index">os</s:key>
        <s:key name="interval">30</s:key>
        <s:key name="source">cpu</s:key>
        <s:key name="sourcetype">cpu</s:key>
        <s:key name="starttime">Sat Jul  9 20:15:52 2011</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/script

Configures settings for new scripted inputs.

Request

Name Type Required Default Description
interval Number
60 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
name String
Specify the name of the scripted input.
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
passAuth String User to run the script as.

If you provide a username, Splunk generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider using source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined via automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.
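The interval parameter above accepts either an integer number of seconds or a cron schedule, and the two behave differently on start-up: an integer-interval script runs when Splunk starts, a cron-scheduled one does not. Since this endpoint makes the Splunk host execute the named script on that schedule, the permission that gates it (the 403 response below) is worth treating as the ability to run code on the server. The following Python is an added example, not Splunk code, that normalises the interval value and builds the form body for the request so a malformed schedule fails locally rather than as a 400; the function names are this example's own, and the cron grammar it accepts (five fields built from *, numbers, ranges, steps and comma lists) is an assumption of this example.

```python
"""Normalise the 'interval' parameter of POST data/inputs/script and build
the request body. Added example, not Splunk code."""
import re
from urllib.parse import urlencode

# One cron field: * or N, optional range (N-M), optional step (/S), comma lists.
_CRON_ATOM = r"(\*|\d+)(-\d+)?(/\d+)?"
_CRON_FIELD = re.compile(rf"^{_CRON_ATOM}(,{_CRON_ATOM})*$")


def normalise_interval(value):
    """Return ('seconds', int) or ('cron', [five fields]); raise ValueError
    for anything else."""
    text = str(value).strip()
    if re.fullmatch(r"-?\d+", text):
        return ("seconds", int(text))
    fields = text.split()
    if len(fields) != 5 or not all(_CRON_FIELD.match(f) for f in fields):
        raise ValueError(
            f"interval is neither an integer nor a 5-field cron schedule: {value!r}")
    return ("cron", fields)


def interval_is_valid(value) -> bool:
    """True when normalise_interval accepts the value."""
    try:
        normalise_interval(value)
        return True
    except ValueError:
        return False


def runs_at_startup(value) -> bool:
    """Per the reference, only integer intervals run the script on start-up."""
    return normalise_interval(value)[0] == "seconds"


def script_input_form(name: str, interval, disabled: bool = False, **fields) -> str:
    """URL-encoded body for POST data/inputs/script."""
    kind, parsed = normalise_interval(interval)
    body = {
        "name": name,
        "interval": str(parsed) if kind == "seconds" else " ".join(parsed),
        "disabled": "true" if disabled else "false",
    }
    body.update(fields)
    return urlencode(body)


if __name__ == "__main__":
    # Constructed sample: the script path from the POST example in this section.
    path = "/Applications/splunk4.3/etc/apps/myApp/bin/myScript.sh"
    print(script_input_form(path, "3600", disabled=True))
    print(script_input_form(path, "0 * * * *", index="os"))
    print(runs_at_startup("3600"), runs_at_startup("0 * * * *"))
```

Pass the returned string as the request body (for example with curl's --data), and keep passAuth out of the body unless the script actually needs a token for the named user.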

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create script.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Configures a new script, myScript.sh, as a disabled scripted input with an interval of 3600 seconds (one hour).

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script \
	-d name=/Applications/splunk/etc/apps/myApp/bin/myScript.sh \
	-d disabled=true \
	-d interval=3600


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:25:17-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/script/restart

Allows for restarting scripted inputs.

POST data/inputs/script/restart

Causes a restart on a given scripted input.

Request

Name Type Required Default Description
script String
Path to the script to be restarted. This path must match an already-configured existing scripted input.

Response Codes

Status Code Description
200 Scripted input restarted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to restart scripted input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Causes the running script named by the "script" parameter to restart.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/restart \
	-d script=/Applications/splunk/bin/scripts/myScript.sh


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:38:38-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/script/{name}

DELETE data/inputs/script/{name}

Removes the scripted input specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete script.
404 Script does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Delete the configuration for the scripted input, myScript.sh.

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh

The {name} field in the DELETE operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:29:18-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/script/{name}

Returns the configuration settings for the scripted input specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view script.
404 Script does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Specifies whether the input script is disabled.
eai:attributes See Accessing Splunk resources
group Indicates the group of OS commands.
host The host this data is identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

Example

Return information about the scripted input, myScript.sh.

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh

The {name} field in the GET operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T21:53:43-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh</id>
    <updated>2011-07-09T21:53:43-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>interval</s:item>
                <s:item>rename-source</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
        <s:key name="interval">3600</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
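Added example, not part of the Splunk documentation: Python helpers that build the double-encoded {name} segment described above, read the scalar settings out of a GET data/inputs/script/{name} response of the shape shown, and classify the interval value as seconds or cron. The feed text is a constructed, abridged copy of the response above with the host name replaced by a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Namespaces used by the Atom responses shown on this page.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed, abridged copy of the GET data/inputs/script/{name} response above;
# the host value is a placeholder rather than a real machine name.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <entry>
    <title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="requiredFields"><s:list/></s:key>
          </s:dict>
        </s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">splunk-host.example</s:key>
        <s:key name="index">default</s:key>
        <s:key name="interval">3600</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def encode_script_name(path: str) -> str:
    """Build the {name} segment for data/inputs/script/{name}.

    The examples on this page double-encode the script path: each '/' becomes
    '%2F', and the '%' of that escape is itself encoded, giving '%252F'.
    """
    return quote(quote(path, safe=""), safe="")


def decode_script_name(segment: str) -> str:
    """Reverse encode_script_name: two rounds of percent-decoding."""
    return unquote(unquote(segment))


def script_input_url(base_url: str, path: str, owner: str = "nobody", app: str = "search") -> str:
    """Full URL for the scripted input identified by its filesystem path."""
    return f"{base_url}/servicesNS/{owner}/{app}/data/inputs/script/{encode_script_name(path)}"


def parse_entry_settings(feed_xml: str) -> dict:
    """Return the scalar <s:key> values of the first <entry> in a feed.

    Keys whose value is a nested <s:dict> (such as eai:attributes) are skipped,
    so the result holds only the settings listed in the Returned Values table.
    """
    root = ET.fromstring(feed_xml)
    entry = root.find("atom:entry", NS)
    if entry is None:
        return {}
    settings = {}
    for key in entry.iterfind("atom:content/s:dict/s:key", NS):
        if len(key) == 0:  # no child elements, so the text is the value
            settings[key.get("name")] = (key.text or "").strip()
    return settings


def interval_kind(value: str) -> str:
    """Classify an interval as 'seconds' (integer) or 'cron' (five fields).

    The page notes that a cron schedule is not executed on start-up, so a
    script that must run once immediately needs an integer interval.
    """
    text = value.strip()
    if re.fullmatch(r"\d+", text):
        return "seconds"
    if re.fullmatch(r"\S+(\s+\S+){4}", text):
        return "cron"
    raise ValueError(f"unrecognised interval: {value!r}")


if __name__ == "__main__":
    path = "/Applications/splunk/etc/apps/myApp/bin/myScript.sh"
    print(script_input_url("https://localhost:8089", path))
    settings = parse_entry_settings(SAMPLE_FEED)
    print(settings)
    print("interval type:", interval_kind(settings["interval"]))
```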

POST data/inputs/script/{name}

Configures settings for scripted input specified by {name}.

Request

Name Type Required Default Description
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval Number 60 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
passAuth String User to run the script as.

If you provide a username, Splunk generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined via automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit script.
404 Script does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Update the script, myScript.sh by setting the interval to 24 hours (86,400 seconds).

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh

The {name} field in the POST operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh \
	-d interval=86400


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:27:59-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/inputs/tcp/cooked

Provides access to TCP inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.

GET data/inputs/tcp/cooked

Returns information about all cooked TCP inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Deprecated. This is not used anymore.
disabled Indicates if the input is disabled.
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.

Example

Retrieves all cooked TCP inputs in this instance of Splunk.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/cooked


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:50:50-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>9993</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9993</id>
    <updated>2011-07-10T14:50:50-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/cooked

Creates a new container for managing cooked data.

Request

Name Type Required Default Description
name Number
The port number of this input.
SSL Boolean If SSL is not already configured, an error is returned.
connection_host Enum Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
restrictToHost String Restrict incoming connections on this port to the host specified here.

Response Codes

Status Code Description
201 Created successfully.
400 Some arguments were invalid.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 There was an error; see body contents for messages.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Create a cooked TCP data input listening on port 9998.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked \
	-d name=9998


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:33-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/tcp/cooked/{name}

DELETE data/inputs/tcp/cooked/{name}

Removes the cooked TCP input for the port or host:port specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the cooked TCP input listening on port 9998. Note that the name of this input changed due to the example that restricted incoming connections by host.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/tiny:9998


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:54:45-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/tcp/cooked/{name}

Returns information for the cooked TCP input specified by {name}.

If the port is restricted to a host, {name} is the URI-encoded host:port.

Request

No parameters for this request.

Response Codes

Status Code Description
200 OK
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Deprecated. This is not used anymore.
disabled Indicates if the input is disabled.
eai:attributes See Accessing Splunk resources
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

Example

Retrieve settings for a cooked TCP data port.

The first request displays settings for the cooked TCP data input listening on port 9998.

The second request displays settings for the TCP data input listening on port 9997 that is restricted to data from host fwd1.splunk.com.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:40-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>9998</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998</id>
    <updated>2011-07-10T14:52:40-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-14T11:32:03-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>fwd1.splunk.com:9997</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997</id>
    <updated>2011-07-14T11:32:03-0700</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/connections" rel="connections"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="index">default</s:key>
        <s:key name="restrictToHost">fwd1.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/cooked/{name}

Updates the container for managing cooked data.

Request

Name Type Required Default Description
SSL Boolean If SSL is not already configured, an error is returned.
connection_host Enum Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
restrictToHost String Restrict incoming connections on this port to the host specified here.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Restrict the cooked TCP input listening on port 9998 to only accept data from the host "tiny".


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998 \
	-d restrictToHost=tiny


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/tcp/cooked/{name}/connections

GET data/inputs/tcp/cooked/{name}/connections

Retrieves list of active connections to the named port.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed connections successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input's connections.
404 TCP input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
connection Identifies the connection to port.
servername Server name of forwarder connecting to this port.

Example

Displays all connections to this cooked TCP input.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-13T14:55:18-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Cooked:9998:127.0.0.1:20089</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089</id>
    <updated>2011-07-13T14:55:18-0700</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1:20089</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="servername">fool03.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/tcp/raw

Container for managing raw TCP inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to the parsed and unparsed formats; the inputs in this container accept the raw format.

GET data/inputs/tcp/raw

Returns information about all raw TCP inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Deprecated. This is not used anymore.
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Display all raw TCP inputs in this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44000</id>
    <updated>2011-07-08T02:30:30-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/raw

Creates a new data input for accepting raw TCP data.

Request

Name Type Required Default Description
name String Required The port on which Splunk listens for raw data.
SSL Boolean
connection_host Enum Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String The host from which the indexer gets data.
index String default The index in which to store all generated events.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at Edit inputs.conf

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Timeout, in seconds, after which a Done-key is added. Default value is 10 seconds.

If a connection on the port specified by name remains idle for this many seconds after receiving data, Splunk adds a Done-key, which marks the last event as completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Response Codes

Status Code Description
201 Created successfully.
400 Some arguments were invalid
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 There was an error; see body contents for messages
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Create a TCP input on port 44343 listening for raw data.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw \
	-d name=44343


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/tcp/raw/{name}

DELETE data/inputs/tcp/raw/{name}

Removes the raw TCP input for the port or host:port specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the raw TCP data input listening on port 44343.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/tcp/raw/{name}

Returns information about raw TCP input port {name}.

If port is restricted to a host, name should be URI-encoded host:port.

Request

No parameters for this request.

Response Codes

Status Code Description
200 OK
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Deprecated. This is not used anymore.
disabled Indicates whether the inputs are disabled.
eai:attributes See Accessing Splunk resources
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

Example

Display the settings for a single raw TCP data input.

The first request displays the settings for the input listening on port 44343.

The second request displays the settings for the input listening on port 9998 that is restricted to accept data only from host1.splunk.com; its name is the URI-encoded host:port, host1.splunk.com%3A9998.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:37:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44343</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343</id>
    <updated>2011-07-08T02:37:09-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/host1.splunk.com%3A9998


<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-14T11:28:39-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>host1.splunk.com:9998</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998</id>
    <updated>2011-07-14T11:28:39-0700</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/connections" rel="connections"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="index">default</s:key>
        <s:key name="restrictToHost">host1.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/raw/{name}

Updates the raw TCP input for the port or host:port specified by {name}.

Request

Name Type Required Default Description
SSL Boolean
connection_host Enum Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String The host from which the indexer gets data.
index String default The index in which to store all generated events.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at Edit inputs.conf

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Timeout, in seconds, after which a Done-key is added. Default value is 10 seconds.

If a connection on the port specified by name remains idle for this many seconds after receiving data, Splunk adds a Done-key, which marks the last event as completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Change the sourcetype to syslog for incoming events on the TCP data input listening on port 44343.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343 \
	-d sourcetype=syslog


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/tcp/raw/{name}/connections

GET data/inputs/tcp/raw/{name}/connections

View all connections to the named data input.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed connections successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input's connections.
404 TCP input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
connection IP address and port of the source connecting to this TCP input port.
servername DNS name of the source connecting to this TCP input port.

Example

Displays all connections to this raw TCP input.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw/9998/connections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-13T16:14:33-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Raw:9998:127.0.0.1</title>
    <id>https://localhost:8089/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1</id>
    <updated>2011-07-13T16:14:33-07:00</updated>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="list"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1/_reload" rel="_reload"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="edit"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="servername"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>
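The following Python script is an added example and is not part of the Splunk documentation or the Splunk product. It covers the two things a practitioner usually scripts against the endpoints above: building the URI-encoded {name} for an input restricted to host:port (GET data/inputs/tcp/raw/{name}), and parsing the Atom feeds returned by the raw input list and by the connections endpoint to find enabled listeners that have no restrictToHost, and to list who is currently connected. The feeds embedded in the script are constructed, shortened from the responses shown on this page; the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"


def input_name(port, restrict_to_host=None):
    """Build the {name} segment for data/inputs/tcp/raw/{name}.

    An input restricted to a host is addressed as host:port and the colon
    must be URI-encoded (host1.splunk.com:9998 -> host1.splunk.com%3A9998).
    """
    name = f"{restrict_to_host}:{port}" if restrict_to_host else str(port)
    return quote(name, safe="")


def parse_entries(feed_xml):
    """Map each <entry> title to the scalar keys of its <content><s:dict>.

    Nested dicts such as eai:attributes and eai:acl are skipped; only the
    string-valued keys (disabled, index, restrictToHost, connection, ...) are kept.
    """
    entries = {}
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title") or ""
        body = entry.find(f"{ATOM}content/{SREST}dict")
        values = {}
        for key in (body if body is not None else []):
            if key.tag == SREST + "key" and len(key) == 0:
                values[key.get("name")] = key.text or ""
        entries[title] = values
    return entries


def unrestricted_listeners(raw_inputs_feed):
    """Enabled raw TCP inputs with no restrictToHost, i.e. open to any sender."""
    return sorted(
        title for title, v in parse_entries(raw_inputs_feed).items()
        if v.get("disabled", "0") == "0" and not v.get("restrictToHost")
    )


def active_forwarders(connections_feed):
    """(connection, servername) pairs from a .../connections feed."""
    return [(v.get("connection", ""), v.get("servername", ""))
            for v in parse_entries(connections_feed).values()]


# Constructed sample feeds (link and opensearch elements dropped), shaped like
# the GET data/inputs/tcp/raw and .../connections responses on this page.
RAW_INPUTS_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <entry>
    <title>44343</title>
    <content type="text/xml"><s:dict>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:attributes"><s:dict><s:key name="requiredFields"><s:list/></s:key></s:dict></s:key>
      <s:key name="host">MrT</s:key>
      <s:key name="index">default</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>host1.splunk.com:9998</title>
    <content type="text/xml"><s:dict>
      <s:key name="disabled">0</s:key>
      <s:key name="index">default</s:key>
      <s:key name="restrictToHost">host1.splunk.com</s:key>
    </s:dict></content>
  </entry>
</feed>"""

CONNECTIONS_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <entry>
    <title>Raw:9998:127.0.0.1</title>
    <content type="text/xml"><s:dict>
      <s:key name="connection">9998:127.0.0.1</s:key>
      <s:key name="servername"></s:key>
    </s:dict></content>
  </entry>
</feed>"""


if __name__ == "__main__":
    print("resource name for restricted input:", input_name(9998, "host1.splunk.com"))
    print("enabled listeners open to any host:", unrestricted_listeners(RAW_INPUTS_FEED))
    print("active connections:", active_forwarders(CONNECTIONS_FEED))
```

To run it against a live server, replace the embedded strings with the body of the corresponding curl response. The parser reads only the scalar keys of each entry's s:dict, so the eai:acl and eai:attributes blocks elided in the examples above do not affect the result.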


data/inputs/tcp/ssl

Provides access to the SSL configuration of a Splunk server.

GET data/inputs/tcp/ssl

Returns SSL configuration. There is only one SSL configuration for all input ports.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Deprecated. This is not used anymore.
cipherSuite OpenSSL cipher list string naming the ciphers accepted on SSL inputs. The value in the example below still allows RC4 (RC4+RSA), which is no longer considered secure; review this value before exposing an SSL input.
disabled Indicates whether this input is disabled.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Return the SSL attributes for this instance of Splunk.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:02:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:02:58-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
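The cipherSuite value above is an OpenSSL cipher list string, and the reliable way to find out what it permits is to let OpenSSL expand it. The following Python script is an added example, not part of the Splunk documentation: it expands the cipher string shown on this page with the local OpenSSL through the standard ssl module and flags suites that use weak algorithms. The tighter HARDENED_CIPHER_SUITE string and the WEAK_MARKERS list are this example's own assumptions; the page does not say which suites the OpenSSL bundled with Splunk 4.x supports, so the expansion reflects the OpenSSL the script runs under, not the Splunk server's.

```python
import ssl

# cipherSuite value shown in the GET data/inputs/tcp/ssl example on this page.
PAGE_CIPHER_SUITE = "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# Illustrative tighter list, an assumption of this example: authenticated ECDHE
# with AES-GCM only, with the legacy algorithms excluded by name as well.
HARDENED_CIPHER_SUITE = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Substrings of OpenSSL suite names that mark algorithms a listener should not
# offer (assumed list for this example): RC4, single/triple DES, MD5 MACs,
# NULL encryption, anonymous DH/ECDH, export grades.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "ADH", "AECDH", "EXP")


def expand_cipher_suite(cipher_string):
    """Return the suite names the local OpenSSL enables for a cipher list string.

    OpenSSL ignores tokens it does not know (such as EXP on builds without
    export ciphers); ssl.SSLError is raised only if the whole string selects
    nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(cipher_string):
    """Suites in the expansion whose names carry one of WEAK_MARKERS."""
    return [n for n in expand_cipher_suite(cipher_string)
            if any(marker in n for marker in WEAK_MARKERS)]


def anonymous_ciphers(cipher_string):
    """Unauthenticated suites; a string containing !aNULL must yield none."""
    return [n for n in expand_cipher_suite(cipher_string)
            if "ADH" in n or "AECDH" in n]


if __name__ == "__main__":
    for label, suite in (("page", PAGE_CIPHER_SUITE), ("hardened", HARDENED_CIPHER_SUITE)):
        enabled = expand_cipher_suite(suite)
        print(f"{label}: {len(enabled)} suites enabled; weak: {weak_ciphers(suite)}")
```

Whether RC4 shows up in the expansion of the page's string depends on the OpenSSL build: modern builds no longer compile it in, so the token matches nothing, while older builds of the kind Splunk 4.x shipped with will list RC4 suites. The !aNULL exclusion holds either way, which is what the anonymous_ciphers check confirms.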

data/inputs/tcp/ssl/{name}

GET data/inputs/tcp/ssl/{name}

Returns the SSL configuration. There is only one SSL configuration for all input ports, so {name} must be ssl.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Deprecated. This is not used anymore.
cipherSuite OpenSSL cipher list string naming the ciphers accepted on SSL inputs.
disabled Indicates whether this input is disabled.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Return the SSL attributes for tcp input. Note that "ssl" is the only valid name here.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:04:41-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:04:41-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/ssl/{name}

Configures SSL attributes for TCP inputs. There is only one SSL configuration for all input ports, so {name} must be ssl.

Request

Name Type Required Default Description
disabled Boolean Indicates whether the inputs are disabled.
password String Server certificate password, if any.
requireClientCert Boolean Determines whether a client must authenticate.
rootCA String Certificate authority list (root file)
serverCert String Full path to the server certificate.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Disable inputs for this SSL server configuration. Note that "ssl" is the only valid name here.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl \
	-d disabled=true


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:05:42-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/inputs/udp

Provides access to UDP data inputs.

GET data/inputs/udp

List enabled and disabled UDP data inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Specifies socket receive buffer size in bytes.
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Returns a list of configured UDP data inputs.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/udp


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/services/data/inputs/udp</id>
  <updated>2011-07-08T14:11:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/udp/_new" rel="create"/>
  <link href="/services/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44000</id>
    <updated>2011-07-08T14:11:57-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/udp

Create a new UDP data input.

Request

Name Type Required Default Description
name String
The UDP port that this input should listen on.
connection_host Enum Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
no_appending_timestamp Boolean If set to true, prevents Splunk from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk will not remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a UDP data input listening on port 44321.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp \
	-d name=44321


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:13-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/udp/{name}

DELETE data/inputs/udp/{name}

Disable the named UDP data input and remove it from the configuration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Removes the UDP data input listening on port 44321.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/udp/{name}

List the properties of a single UDP data input, identified by port or by host:port {name}. If the port is restricted to a host, {name} must be the URI-encoded host:port (for example, host1.splunk.com%3A9997).

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input configuration.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Specifies socket receive buffer size in bytes.
disabled Indicates whether the inputs are disabled.
eai:attributes See Accessing Splunk resources
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Returns configuration information for a single UDP data input.

The first request displays settings for the UDP data input listening on port 44321.

The second request displays settings for the UDP data input listening on port 9997 that is restricted to data from host host1.splunk.com.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:27-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44321</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321</id>
    <updated>2011-07-08T14:12:27-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>connection_host</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>no_appending_timestamp</s:item>
                <s:item>no_priority_stripping</s:item>
                <s:item>queue</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/host1.splunk.com%3A9997


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-14T11:40:20-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>host1.splunk.com:9997</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997</id>
    <updated>2011-07-14T11:40:20-0700</updated>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/connections" rel="connections"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>no_appending_timestamp</s:item>
                <s:item>no_priority_stripping</s:item>
                <s:item>queue</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/udp/{name}

Edit properties of the named UDP data input.

Request

Name Type Required Default Description
connection_host Enum Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
no_appending_timestamp Boolean If set to true, prevents Splunk from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk will not remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
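The connection_host, no_priority_stripping and no_appending_timestamp parameters (listed above for both POST data/inputs/udp and POST data/inputs/udp/{name}) decide what an indexer stores for each datagram. The following is an added example, not Splunk's implementation: a simplified model of those three switches, written to make their effect concrete. The facility and severity tables are the RFC 3164 values; the host "MrT", the peer address 10.0.0.5 and the datagrams in the usage section are constructed.

```python
"""Model of the connection_host, no_priority_stripping and
no_appending_timestamp switches on a UDP syslog input.
Added example, not Splunk's code: the rules below are a simplification
of what the reference describes, not Splunk's exact logic."""
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD syslog timestamp as in RFC 3164, e.g. "Jul  8 14:11:57 "
BSD_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(datagram):
    """Split the RFC 3164 PRI field: PRI = facility * 8 + severity.
    Returns (facility, severity, remainder); (None, None, datagram) if no valid PRI."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest legal PRI
        return None, None, datagram
    pri = int(m.group(1))
    return pri // 8, pri % 8, datagram[m.end():]


def describe(facility, severity):
    """Human-readable facility.severity, e.g. auth.crit."""
    return "%s.%s" % (FACILITIES[facility], SEVERITIES[severity])


def ingest(datagram, peer_ip, timestamp, connection_host="ip", host="MrT",
           no_priority_stripping=False, no_appending_timestamp=False):
    """Return (host_field, event_text) for one datagram.

    peer_ip comes from the IP header and is unauthenticated: anything that can
    spoof UDP can choose the host field when connection_host=ip.
    connection_host=dns is omitted here because it needs a resolver."""
    facility, severity, body = parse_pri(datagram)
    host_field = peer_ip if connection_host == "ip" else host
    # priority stripping removes the sender-controlled "<PRI>" prefix
    event = datagram if (no_priority_stripping or facility is None) else body
    if not no_appending_timestamp and not BSD_TS_RE.match(body):
        # event carries no timestamp of its own: prepend receive time and host
        event = "%s %s %s" % (timestamp, host_field, event)
    return host_field, event


if __name__ == "__main__":
    # constructed datagrams; the timestamp stands in for the receive time
    for msg in ("<13>hello", "<34>Jul  8 14:11:57 host1 sshd[123]: failed"):
        fac, sev, _ = parse_pri(msg)
        print(describe(fac, sev), ingest(msg, "10.0.0.5", "Jul  8 14:11:57"))
```

The model makes the analyst-facing consequence visible: with priority stripping on (the default), the facility/severity the sender chose is gone from the stored text, and with connection_host=ip the host field is whatever source address arrived on the wire, so restrictToHost and network-level filtering are the only controls on who can write into the index through this port.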

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Changes the sourcetype for incoming events to "syslog" for the UDP data input listening on port 44321.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321 \
	-d sourcetype=syslog


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:47-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
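The curl lines above pass -k, which turns off certificate verification on the management port, and put the password on the command line. The following is an added example, not Splunk's SDK or any code from this reference: it builds the same create, edit and delete requests for data/inputs/udp with the standard library, takes the credentials from environment variables, URI-encodes the host:port entity name the way GET data/inputs/udp/{name} requires, and verifies the server certificate when a request is actually sent. BASE, the namespace path, the environment variable names and the CA bundle path are assumptions of this example.

```python
"""Build management requests for data/inputs/udp without curl -k.
Added example, not Splunk's SDK. Nothing leaves the machine unless
send() is called; BASE, NS, SPLUNK_USER/SPLUNK_PASSWORD/SPLUNK_CA_BUNDLE
are placeholders chosen for this example."""
import base64
import os
import ssl
import urllib.parse
import urllib.request

BASE = "https://localhost:8089"      # management port, as in the reference
NS = "/servicesNS/nobody/search"     # namespace used by the reference's examples


def entity_name(port, restrict_to_host=None):
    """{name} for data/inputs/udp/{name}: a bare port, or the URI-encoded
    host:port when the listener is restricted to one sending host."""
    if restrict_to_host:
        return urllib.parse.quote("%s:%d" % (restrict_to_host, port), safe="")
    return str(port)


def _auth_header():
    # HTTP basic auth, as the reference's -u admin:pass does, but from the environment
    user = os.environ.get("SPLUNK_USER", "admin")
    pw = os.environ.get("SPLUNK_PASSWORD", "pass")
    token = base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()
    return "Basic " + token


def _request(method, path, form=None):
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(BASE + path, data=data, method=method)
    req.add_header("Authorization", _auth_header())
    if data:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def create_udp_input(port, restrict_to_host=None, **params):
    """POST data/inputs/udp with name=<port> plus optional parameters
    (sourcetype, index, no_priority_stripping, ...)."""
    body = {"name": str(port)}
    if restrict_to_host:
        body["restrictToHost"] = restrict_to_host
    body.update(params)
    return _request("POST", NS + "/data/inputs/udp", body)


def edit_udp_input(port, restrict_to_host=None, **params):
    """POST data/inputs/udp/{name}; {name} is host:port-encoded when restricted."""
    return _request("POST", NS + "/data/inputs/udp/" + entity_name(port, restrict_to_host), params)


def delete_udp_input(port, restrict_to_host=None):
    """DELETE data/inputs/udp/{name}."""
    return _request("DELETE", NS + "/data/inputs/udp/" + entity_name(port, restrict_to_host))


def send(req, ca_bundle=os.environ.get("SPLUNK_CA_BUNDLE")):
    """Send with certificate and hostname verification (curl -k skips both).
    ca_bundle=None uses the system trust store; point it at the CA that
    signed the management-port certificate if that is private."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    r = edit_udp_input(9997, "host1.splunk.com", sourcetype="syslog")
    print(r.get_method(), r.full_url, r.data)
```

Splunk's default management certificate is self-signed, which is why the reference reaches for -k; the fix that keeps the channel authenticated is to install a certificate the client trusts or to pass that issuing CA as the bundle, not to disable verification.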

data/inputs/udp/{name}/connections

GET data/inputs/udp/{name}/connections

Lists connections to the named UDP input.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed connections successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input connections.
404 UDP input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates whether the inputs are disabled.
group Set to 'hosts' for entries that represent a host sending data to the listening port.

Example

Returns a list of connections to the UDP input listening on port 9998.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/9998/connections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-13T17:08:18-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>127.0.0.1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/127.0.0.1</id>
    <updated>2011-07-13T17:08:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">hosts</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
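Both GET data/inputs/udp and GET data/inputs/udp/{name}/connections return the Atom feed shown in their examples, with the attributes inside an s:dict. The following is an added example, not Splunk's code: a parser for that feed, used once to list the listeners that are actually enabled and once to compare the hosts seen on a connections feed against an allow-list of expected senders. The two embedded feeds are constructed to match the shape printed in the reference; the host names and addresses in them are made up.

```python
"""Parse Splunk 4.x Atom/EAI feeds from data/inputs/udp and
data/inputs/udp/{name}/connections. Added example, not Splunk code.
The sample feeds are constructed; hosts and addresses in them are made up."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"


def _value(node):
    """Turn an element holding an s:dict, s:list or text into Python data."""
    d = node.find(S + "dict")
    if d is not None:
        return {k.get("name"): _value(k) for k in d.findall(S + "key")}
    lst = node.find(S + "list")
    if lst is not None:
        return [_value(i) for i in lst.findall(S + "item")]
    return (node.text or "").strip()


def parse_feed(xml_text):
    """Return one dict per <entry>: its title as 'name', its links by rel,
    and every key of the s:dict in <content>."""
    entries = []
    for e in ET.fromstring(xml_text).findall(ATOM + "entry"):
        rec = {"name": e.findtext(ATOM + "title"),
               "links": {l.get("rel"): l.get("href") for l in e.findall(ATOM + "link")}}
        content = e.find(ATOM + "content")
        if content is not None:
            v = _value(content)
            if isinstance(v, dict):
                rec.update(v)
        entries.append(rec)
    return entries


def enabled_listeners(feed_xml):
    """Ports that are accepting datagrams right now (disabled == "0")."""
    return [e["name"] for e in parse_feed(feed_xml)
            if e.get("group") == "listenerports" and e.get("disabled") == "0"]


def unexpected_senders(connections_xml, allowed):
    """Peer addresses seen on the input that are not in the allow-list.
    UDP carries no authentication, so this is the only 'who is writing to
    this port' signal the connections endpoint gives you."""
    seen = {e["name"] for e in parse_feed(connections_xml) if e.get("group") == "hosts"}
    return sorted(seen - set(allowed))


# constructed sample feeds, shaped like the reference's examples
UDP_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <entry>
    <title>44000</title>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
    <content type="text/xml"><s:dict>
      <s:key name="_rcvbuf">1572864</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:attributes"><s:dict>
        <s:key name="optionalFields"><s:list><s:item>host</s:item><s:item>index</s:item></s:list></s:key>
      </s:dict></s:key>
      <s:key name="group">listenerports</s:key>
      <s:key name="host">idx01</s:key>
      <s:key name="index">default</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>host1.example.com:9997</title>
    <content type="text/xml"><s:dict>
      <s:key name="disabled">1</s:key>
      <s:key name="group">listenerports</s:key>
      <s:key name="index">default</s:key>
    </s:dict></content>
  </entry>
</feed>"""

CONN_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <entry><title>127.0.0.1</title><content type="text/xml"><s:dict>
    <s:key name="disabled">0</s:key><s:key name="group">hosts</s:key>
  </s:dict></content></entry>
  <entry><title>203.0.113.7</title><content type="text/xml"><s:dict>
    <s:key name="disabled">0</s:key><s:key name="group">hosts</s:key>
  </s:dict></content></entry>
</feed>"""

if __name__ == "__main__":
    print("enabled listeners:", enabled_listeners(UDP_FEED))
    print("unexpected senders:", unexpected_senders(CONN_FEED, ["127.0.0.1"]))
```

Feeding the parser the live output of the two endpoints (fetched with any HTTPS client that verifies the management certificate) turns the connections list into a simple detection: any sender outside the allow-list is either an undocumented log source or someone probing an open, unauthenticated port.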


data/inputs/win-event-log-collections

Provides access to all configured event log collections.

GET data/inputs/win-event-log-collections

Retrieves a list of configured event log collections.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.
offset Number 0 Index for first item to return.
search String Boolean predicate to filter results.
sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort the entries returned in ascending or descending order.

sort_key String name Field to sort by.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view event log collections.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates if monitoring is disabled.
hosts List of hosts used for monitoring in addition to lookup_host.
index The index in which to store the gathered data.
logs A list of event log names to gather data from.

Example

Provides information on all Windows event log collection inputs for monitoring by this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-event-log-collections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:26:47-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:26:47-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-event-log-collections

Creates or modifies event log collection settings. You can configure both native and WMI collection with this endpoint.

Request

Name Type Required Default Description
lookup_host String
This is a host from which we will monitor log events. To specify additional hosts to be monitored via WMI, use the "hosts" parameter.
name String
This is the name of the collection. This name appears in the configuration file and as the source and sourcetype of the indexed data. If the value is "localhost", native event log collection is used; otherwise, WMI is used.
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String A comma-separated list of event log names to gather data from.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create event log collections.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a new event log monitoring collection named mylogs on the localhost, monitoring the Application and the System event logs.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections \
	-d lookup_host=localhost \
	-d name=mylogs \
	-d logs=Application,System


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:56:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:56:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-event-log-collections/{name}

DELETE data/inputs/win-event-log-collections/{name}

Deletes a given event log collection.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete event log collections.
404 Event log collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes the existing mylogs event log collection.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:45:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/win-event-log-collections/{name}

Gets the configuration settings for a given event log collection.

Request

Name Type Required Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view event log collections.
404 Event log collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates if monitoring is disabled.
eai:attributes See Accessing Splunk resources
hosts List of hosts used for monitoring in addition to lookup_host.
index The index in which to store the gathered data.
logs A list of event log names to gather data from.
lookup_host The host from which event log data is gathered.
name The name of the collection.

Example

Gets information about a given event log collection.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T12:00:38-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>mylogs</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs</id>
    <updated>2011-07-27T12:00:38-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>hosts</s:item>
                <s:item>index</s:item>
                <s:item>logs</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hosts"/>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application,System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">mylogs</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-event-log-collections/{name}

Modifies an existing event log collection.

Request

Name Type Required Default Description
lookup_host String
The host from which to collect event log data. To monitor additional hosts via WMI, use the "hosts" parameter.
hosts String A comma-separated list of additional hosts to monitor. Specify the first host with "lookup_host" and the additional ones with this parameter.
index String default The index in which to store the gathered data.
logs String A comma-separated list of event log names to gather data from.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit event log collections.
404 Event log collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Modifies the mylogs collection by making it monitor the Application log only.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs \
	-d lookup_host=localhost \
	-d logs=Application


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:43:46-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T13:43:46-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/win-wmi-collections

Provides access to all configured WMI collections.

GET data/inputs/win-wmi-collections

Lists all configured WMI collections.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Boolean predicate to filter results.
sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort the entries returned in ascending or descending order.

sort_key String name Field to sort by.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view collections.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
fields A list of properties (fields) to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI providers are queried.
name The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data.
server Additional servers that you want to gather data from.
wql The WQL query used to gather data.

Example

Lists all configured WMI collections, enabled or disabled.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-wmi-collections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:00:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:00:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="class">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="fields">
          <s:list>
            <s:item>PercentProcessorTime</s:item>
            <s:item>PercentUserTime</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list>
            <s:item>_Total</s:item>
          </s:list>
        </s:key>
        <s:key name="interval">3</s:key>
        <s:key name="name"/>
        <s:key name="server">localhost</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-wmi-collections

Creates or modifies existing WMI collection settings.

Request

Name Type Required Default Description
classes String
A valid WMI class name.
interval Number
The interval, in seconds, at which the WMI provider(s) will be queried.
lookup_host String
The server from which to gather WMI data. To gather from more than one machine, specify the additional servers in the 'server' parameter.
name String
The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data.
disabled Number Disables the given collection.
fields String Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String The index in which to store the gathered data.
instances String Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

server String A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create this collection.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a new WMI collection named cpu, which gathers CPU information from the class Win32_PerfFormattedData_PerfOS_Processor, polling localhost every 5 seconds.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections \
	-d classes=Win32_PerfFormattedData_PerfOS_Processor \
	-d interval=5 \
	-d lookup_host=localhost \
	-d name=cpu


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:05:43-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:05:43-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="index">default</s:key>
        <s:key name="interval">3</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/inputs/win-wmi-collections/{name}

DELETE data/inputs/win-wmi-collections/{name}

Deletes a given collection.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete a given collection.
404 Given collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes an existing WMI collection.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:21:17-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/win-wmi-collections/{name}

Gets information about a single collection.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view WMI collections.
404 Given collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
classes A valid WMI class name.
disabled Indicates if retrieving information from a collection is disabled.
fields A list of properties (fields) to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI providers are queried.
lookup_host The server from which to gather WMI data.
name The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data.
server Additional servers from which to gather data.
wql The WQL query used to gather data.

Example

Gets information about the cpu WMI collection.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:09:39-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:09:39-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>fields</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>server</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>classes</s:item>
                <s:item>interval</s:item>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-wmi-collections/{name}

Modifies a given WMI collection.

Request

Name Type Required Default Description
classes String
A valid WMI class name.
interval Number
The interval, in seconds, at which the WMI provider(s) will be queried.
lookup_host String
The server from which to gather WMI data. To gather from more than one machine, specify the additional servers in the 'server' parameter.
disabled Number Disables the given collection.
fields String Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String The index in which to store the gathered data.
instances String Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

server String A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit collection.
404 Collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Modifies an existing WMI collection with the given parameters. The new settings request monitoring of three machines: one via lookup_host and two more via the server parameter.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu \
	-d classes=Win32_PerfFormattedData_PerfOS_Processor \
	-d interval=5 \
	-d lookup_host=localhost \
	-d server=10.1.5.157,10.1.5.158


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:15:33-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:15:33-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/win-perfmon

Provides access to performance monitoring configuration. This input allows you to poll Windows performance monitor counters.

GET data/inputs/win-perfmon

Gets current performance monitoring configuration.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Boolean predicate to filter results.
sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort the entries returned in ascending or descending order.

sort_key String name Field to sort by.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view performance monitoring configuration.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
counters A list of counters to monitor.
disabled Indicates if the monitoring process is disabled.
index The index in which to store the gathered data.
instances A list of counter instances to monitor.
interval How frequently, in seconds, to poll the performance counters.
object A valid performance monitor object.

Example

Lists all configured perfmon inputs.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-perfmon

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:42:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/services/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:42:06-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list>
            <s:item>Available Bytes</s:item>
          </s:list>
        </s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-perfmon

Creates a new performance monitoring stanza or modifies an existing one.

Request

Name Type Required Default Description
interval Number
How frequently, in seconds, to poll the performance counters.
name String
The name of the collection. This name appears in the configuration file, as well as in the source and the sourcetype of the indexed data.
object String
A valid performance monitor object (for example, 'Process', 'Server', 'PhysicalDisk').
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

disabled Boolean Disables a given monitoring stanza.
index String The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create monitoring stanza.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a memory monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon \
	-d interval=4 \
	-d name=mymemory \
	-d object=Memory

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:40:38-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:40:38-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
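
As an added example, not code from the Splunk documentation, the following Python helpers do the two things the request tables above leave to the caller: build the POST body for any of the data/inputs/* endpoints (repeating fields, instances and counters once per value as the tables require, joining server, hosts and logs with commas, and percent-encoding a stanza name such as Available Memory for the URL path), and parse the Atom <s:dict> responses so that the requiredFields advertised in eai:attributes can be checked against a request before it is sent, and the hosts a collection reaches can be listed. The function names and the sample feed are this example's own; the feed is constructed after the GET data/inputs/win-wmi-collections/cpu response above and was not captured from a server. The example sends nothing over the network. When you do send these requests, verify the management port's certificate rather than passing -k as the curl examples do, and keep admin credentials off the command line, where -u admin:pass is visible to other users in the process list and in shell history.

```python
"""Helpers for the Splunk 4.x data/inputs/* endpoints documented on this page.

Added example, not Splunk code. Builds POST bodies the way the parameter tables
describe and parses the Atom <s:dict> responses the endpoints return. Every
function name here is this example's own.
"""
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# "Specify each ... as a separate argument to the POST operation" parameters,
# versus the ones the tables describe as comma-separated lists.
REPEATED = {"fields", "instances", "counters"}
COMMA_SEPARATED = {"server", "hosts", "logs"}


def build_input_request(endpoint, params, name=None, namespace="nobody", app="search"):
    """Return (path, urlencoded body) for POST data/inputs/<endpoint>[/<name>].

    The stanza name is percent-encoded for the path, so "Available Memory"
    becomes .../win-perfmon/Available%20Memory as in the responses above.
    """
    path = f"/servicesNS/{namespace}/{app}/data/inputs/{endpoint}"
    if name is not None:
        path += "/" + urllib.parse.quote(name, safe="")
    pairs = []
    for key, value in params.items():
        if key in REPEATED:
            values = value if isinstance(value, (list, tuple)) else [value]
            pairs.extend((key, str(v)) for v in values)
        elif key in COMMA_SEPARATED and isinstance(value, (list, tuple)):
            pairs.append((key, ",".join(str(v) for v in value)))
        else:
            pairs.append((key, str(value)))
    return path, urllib.parse.urlencode(pairs)


def _value(node):
    """Convert an <s:dict>, <s:list> or text-bearing node to dict, list or str."""
    child = node.find("s:dict", NS)
    if child is not None:
        return {k.get("name"): _value(k) for k in child.findall("s:key", NS)}
    child = node.find("s:list", NS)
    if child is not None:
        return [_value(i) for i in child.findall("s:item", NS)]
    return (node.text or "").strip()


def parse_feed(xml_text):
    """Map each <entry> title to the settings in its <content><s:dict>."""
    entries = {}
    for entry in ET.fromstring(xml_text).findall("a:entry", NS):
        content = entry.find("a:content", NS)
        entries[entry.findtext("a:title", namespaces=NS)] = (
            _value(content) if content is not None else {}
        )
    return entries


def missing_required(entry, params):
    """Fields listed under eai:attributes/requiredFields that params omits."""
    required = entry.get("eai:attributes", {}).get("requiredFields", [])
    return [f for f in required if f not in params]


def collection_targets(entry):
    """Every host a collection reaches: lookup_host plus the server/hosts lists.

    Each of these is a machine the Splunk server authenticates to in order to
    collect, so this list is what to review whenever a collection is changed.
    """
    raw = [entry.get("lookup_host", "")]
    for key in ("server", "hosts"):
        extra = entry.get(key, "")
        raw += extra if isinstance(extra, list) else extra.split(",")
    return [h.strip() for h in raw if h.strip()]


# Constructed sample shaped like the GET .../win-wmi-collections/cpu response
# above (link, opensearch and eai:acl nodes omitted); not captured from a server.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <entry>
    <title>cpu</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="requiredFields">
              <s:list><s:item>classes</s:item><s:item>interval</s:item><s:item>lookup_host</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="fields"><s:list><s:item>*</s:item></s:list></s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="server">10.1.5.157,10.1.5.158</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

if __name__ == "__main__":
    cpu = parse_feed(SAMPLE_FEED)["cpu"]
    print("collects from:", collection_targets(cpu))
    update = {"classes": cpu["classes"], "interval": 5, "lookup_host": "localhost",
              "fields": ["PercentProcessorTime", "PercentUserTime"]}
    print("missing:", missing_required(cpu, update))
    print(*build_input_request("win-wmi-collections", update, name="cpu"))
```

Running the module prints the hosts the sample collection reaches, an empty missing-fields list, and the path and body equivalent to the curl example for POST data/inputs/win-wmi-collections/{name}, with fields passed once per value instead of as a comma-separated string.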

data/inputs/win-perfmon/{name}

DELETE data/inputs/win-perfmon/{name}

Deletes a given monitoring stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete monitoring stanza.
404 Monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes a given perfmon stanza.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:47:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/win-perfmon/{name}

Gets settings for a given perfmon stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view configuration settings.
404 Performance stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
counters A list of counters to monitor.
disabled Indicates if the monitoring process is disabled.
index The index in which to store the gathered data.
instances A list of counter instances to monitor.
interval How frequently, in seconds, to poll the performance counters.
object A valid performance monitor object.

Example

Lists a given perfmon stanza.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:44:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>mymemory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory</id>
    <updated>2011-07-29T19:44:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list/>
        </s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>counters</s:item>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>interval</s:item>
                <s:item>object</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">4</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
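As an added example that is not part of the Splunk documentation, the following Python parser turns the s:dict / s:list / s:key content of an entry like the one above into native Python structures. The embedded sample is a trimmed copy of the mymemory entry (constructed here), and the same recursion also handles the nested explicit / inherited dicts returned by GET indexing/preview/{job_id}.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: the <entry> from GET data/inputs/win-perfmon/mymemory above,
# trimmed to the parts the parser needs (the s: namespace carries the settings).
SAMPLE_ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:s="http://dev.splunk.com/ns/rest">
  <title>mymemory</title>
  <content type="text/xml">
    <s:dict>
      <s:key name="counters"><s:list/></s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:attributes">
        <s:dict>
          <s:key name="optionalFields">
            <s:list><s:item>counters</s:item><s:item>interval</s:item></s:list>
          </s:key>
          <s:key name="requiredFields"><s:list/></s:key>
        </s:dict>
      </s:key>
      <s:key name="index">default</s:key>
      <s:key name="instances"><s:list/></s:key>
      <s:key name="interval">4</s:key>
      <s:key name="object">Memory</s:key>
    </s:dict>
  </content>
</entry>"""


def convert(node):
    """Recursively map s:dict -> dict, s:list -> list, leaf s:key/s:item -> str."""
    if node.tag == S + "dict":
        return {k.get("name"): convert(k) for k in node.findall(S + "key")}
    if node.tag == S + "list":
        return [convert(i) for i in node.findall(S + "item")]
    # an s:key or s:item either wraps one container or holds a text value;
    # values stay strings exactly as the API returns them ("0", "4", ...)
    nested = [c for c in node if c.tag in (S + "dict", S + "list")]
    if nested:
        return convert(nested[0])
    return (node.text or "").strip()


def parse_entry(xml_text):
    """Return (entry title, settings dict) for one Atom entry from the Splunk REST API."""
    root = ET.fromstring(xml_text)
    title = root.findtext(ATOM + "title")
    return title, convert(root.find(ATOM + "content/" + S + "dict"))


if __name__ == "__main__":
    name, settings = parse_entry(SAMPLE_ENTRY)
    print(name, "polls", settings["object"], "every", settings["interval"], "s")
```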

POST data/inputs/win-perfmon/{name}

Modifies an existing monitoring stanza.

Request

Name Type Required Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

disabled Boolean Disables a given monitoring stanza.
index String The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll the performance counters.
object String A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.')

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit monitoring stanza.
404 Monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
counters A list of counters to monitor.
index The index in which to store the gathered data.
instances A list of counter instances to monitor.
interval How frequently, in seconds, to poll the performance counters.
object A valid performance monitor object.

Example

Modifies the interval of the given perfmon stanza.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory \
	-d interval=10
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:45:59-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:45:59-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


indexing/preview

Preview events from a source file before you index the file.

Typically, you create a data preview job for a source file. Use the resulting data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events that would be generated from indexing the source file.

You can also check the status of a data preview job with GET /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. For more information, see GET /search/jobs/{search_id}.

Note: This endpoint is new in Splunk 4.3.

GET indexing/preview

Return a list of all data preview jobs. Data returned includes the Splunk management URI to access each preview job.

Use the data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events from the source file.

Note: Use the POST operation of this endpoint to create a data preview job and return the corresponding data preview job ID.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.

Returned Values

No values returned for this request.

Example

Return the data preview job ID of all data preview jobs. Data returned includes the Splunk management URI for each data preview job.

This example shows entries for three data preview jobs.

curl -k -u admin:pass https://localhost:8089/services/indexing/preview
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>preview</title>
  <id>https://localhost:8089/services/indexing/preview</id>
  <updated>2011-11-28T14:35:35-08:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>1322518170.8</title>
    <id>https://localhost:8089/services/indexing/preview/1322518170.8</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322518170.8" rel="alternate"/>
    <link href="/services/search/jobs/1322518170.8" rel="job"/>
  </entry>
  <entry>
    <title>1322519686.9</title>
    <id>https://localhost:8089/services/indexing/preview/1322519686.9</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322519686.9" rel="alternate"/>
    <link href="/services/search/jobs/1322519686.9" rel="job"/>
  </entry>
  <entry>
    <title>1322519724.10</title>
    <id>https://localhost:8089/services/indexing/preview/1322519724.10</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322519724.10" rel="alternate"/>
    <link href="/services/search/jobs/1322519724.10" rel="job"/>
  </entry>
</feed>

POST indexing/preview

Create a preview data job for the specified source file, returning the preview data job ID. Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.

You can optionally define sourcetypes for the preview data job in props.conf.

Request

Name Type Required Default Description
input.path String The absolute path to a local file whose indexed events you want to preview.
props.<props_attr> String Define a new sourcetype in props.conf for preview data that you are indexing.

Typically, you first examine the preview data events returned from GET /search/jobs/{job_id}/events. Then you define new sourcetypes as needed with this endpoint.

Response Codes

Status Code Description
201 Created successfully.

Returned Values

No values returned for this request.

Example

Create a data preview index job for the local file, $SPLUNK_HOME/var/log/splunk/metrics.log. This operation returns the data preview job ID. Use this job ID in /search/jobs/{search_id}/results_preview to view the events that would be generated by indexing this file.

Create the data preview job:

curl -k -u admin:pass https://localhost:8089/services/indexing/preview \
	-d input.path=/Applications/splunk/var/log/splunk/metrics.log
<response>
  <messages>
    <msg type='INFO'>1319496093.11</msg>
  </messages>
</response>

Now, use the returned job ID to preview the events:

curl -k -u admin:pass https://localhost:8089/services/search/jobs/1319496093.11/results_preview
<results preview='0'>
<meta>
<fieldOrder>
<field>_raw</field>
<field>_subsecond</field>
<field>_time</field>
<field>_timelen</field>
<field>_timestartpos</field>
<field>host</field>
<field>linecount</field>
<field>source</field>
<field>sourcetype</field>
</fieldOrder>
</meta>
  <result offset='0'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:41:31.409 -0800 INFO  Metrics - group=pipeline, name=indexerpipe, processor=indexandforward, cpu_seconds=0.000000, executes=74, cumulative_hits=26664</v></field>
    <field k='_subsecond'>
      <value><text>.409</text></value>
    </field>
    <field k='_time'>
      <value><text>2011-11-28T13:41:31.409-08:00</text></value>
    </field>
    <field k='_timelen'>
      <value><text>29</text></value>
    </field>
    <field k='_timestartpos'>
      <value><text>0</text></value>
    </field>
    <field k='host'>
      <value><text>vgenovese-mbp15.splunk.com</text></value>
    </field>
    <field k='linecount'>
      <value><text>1</text></value>
    </field>
    <field k='source'>
      <value><text>/Applications/splunk/var/log/splunk/metrics.log</text></value>
    </field>
    <field k='sourcetype'>
      <value><text>splunkd</text></value>
    </field>
  </result>
  . . .
  <!-- result nodes 1 - 98 elided for brevity. -->
  . . .
  <result offset='99'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:42:33.314 -0800 INFO  Metrics - group=pipeline, name=typing, processor=annotator, cpu_seconds=0.000000, executes=45, cumulative_hits=17246</v></field>
    <field k='_subsecond'>
      <value><text>.314</text></value>
    </field>
    <field k='_time'>
      <value><text>2011-11-28T13:42:33.314-08:00</text></value>
    </field>
    <field k='_timelen'>
      <value><text>29</text></value>
    </field>
    <field k='_timestartpos'>
      <value><text>0</text></value>
    </field>
    <field k='host'>
      <value><text>vgenovese-mbp15.splunk.com</text></value>
    </field>
    <field k='linecount'>
      <value><text>1</text></value>
    </field>
    <field k='source'>
      <value><text>/Applications/splunk/var/log/splunk/metrics.log</text></value>
    </field>
    <field k='sourcetype'>
      <value><text>splunkd</text></value>
    </field>
  </result>
</results>
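An added example, not part of the Splunk documentation, of what a preview is for: it parses results_preview XML into per-event dicts and flags events with no extracted _time, a linecount above 1, or an unexpected sourcetype, which are the cases that need props.conf work before the file is indexed. The sample results are constructed; the second event and its sourcetype value are invented to show a failure case, and the props.conf attribute names in the messages are not from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of GET search/jobs/{search_id}/results_preview:
# offset 0 is a well-parsed metrics.log event; offset 1 is a made-up event whose
# timestamp was not recognised and which got merged with the following line.
SAMPLE_RESULTS = """<results preview='0'>
  <result offset='0'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:41:31.409 -0800 INFO  Metrics - group=pipeline, name=indexerpipe</v></field>
    <field k='_time'><value><text>2011-11-28T13:41:31.409-08:00</text></value></field>
    <field k='linecount'><value><text>1</text></value></field>
    <field k='sourcetype'><value><text>splunkd</text></value></field>
  </result>
  <result offset='1'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>a line with no recognisable timestamp
and a second line merged into it</v></field>
    <field k='linecount'><value><text>2</text></value></field>
    <field k='sourcetype'><value><text>unknown-1</text></value></field>
  </result>
</results>"""


def parse_results(xml_text):
    """Turn each <result> into a dict of field name -> text value (offset kept)."""
    events = []
    for result in ET.fromstring(xml_text).iter("result"):
        fields = {"offset": result.get("offset")}
        for field in result.findall("field"):
            v = field.find("v")  # _raw uses <v>; other fields use <value><text>
            if v is not None:
                fields[field.get("k")] = v.text or ""
            else:
                fields[field.get("k")] = "|".join(t.text or "" for t in field.iter("text"))
        events.append(fields)
    return events


def preview_problems(events, expected_sourcetype):
    """List (offset, reason) for events that need props.conf work before indexing."""
    problems = []
    for ev in events:
        if "_time" not in ev:
            problems.append((ev["offset"], "no timestamp extracted (check TIME_FORMAT)"))
        if ev.get("linecount", "1") != "1":
            problems.append((ev["offset"], "lines merged (check LINE_BREAKER)"))
        if ev.get("sourcetype") != expected_sourcetype:
            problems.append((ev["offset"], "sourcetype is %r" % ev.get("sourcetype")))
    return problems


if __name__ == "__main__":
    for offset, reason in preview_problems(parse_results(SAMPLE_RESULTS), "splunkd"):
        print("result %s: %s" % (offset, reason))
```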


indexing/preview/{job_id}

GET indexing/preview/{job_id}

Returns the props.conf settings for the data preview job specified by {job_id}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
404 Specified job ID does not exist.

Returned Values

No values returned for this request.

Example

Return the props.conf settings for the specified data preview job.


curl -k -u admin:pass https://localhost:8089/services/indexing/preview/1319496093.11
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>1319496093.11</title>
  <id>https://localhost:8089/services/indexing/preview/1319496093.11</id>
  <updated>2011-10-24T15:44:09-07:00</updated>
  <link href="/services/indexing/preview/1319496093.11" rel="alternate"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="explicit">
        <s:dict>
          <s:key name="PREFERRED_SOURCETYPE">
            <s:dict>
              <s:key name="value">splunkd</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="inherited">
        <s:dict>
          <s:key name="ANNOTATE_PUNCT">
            <s:dict>
              <s:key name="value">True</s:key>
              <s:key name="stanza">default</s:key>
            </s:dict>
          </s:key>
          . . .
           <!-- additional inherited key values elided for brevity. -->
          <s:key name="sourcetype">
            <s:dict>
              <s:key name="value">splunkd</s:key>
              <s:key name="stanza">source::.../var/log/splunk/metrics.log(.\d+)?</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
    </s:dict>
  </content>
  <link href="/services/search/jobs/1319496093.11" rel="job"/>
</entry>


receivers/simple

Allows for sending events to Splunk in an HTTP request.

POST receivers/simple

Create events from the contents of the HTTP request body.

Request

Note that all metadata (host, source, sourcetype, index) is passed as URL query parameters; the request body carries only the raw event text.

Name Type Required Default Description
<arbitrary_data> String Raw event text. This is the entire HTTP request body.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String default The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.

Response Codes

Status Code Description
200 Data accepted.
400 Request error. See response body for details.
404 Receiver does not exist.

Returned Values

No values returned for this request.

Example

Sends an event with the "web_event" sourcetype and "www" source to this Splunk indexer.


curl -k -u admin:pass \
   "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" \
   -d "Sun Jul 10 15:56:02 PDT 2011  User vishalp logged in successfully."


<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>default</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>67</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>127.0.0.1</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>www</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>web_event</text>
        </value>
      </field>
    </result>
  </results>
</response>

receivers/stream

Opens a socket for streaming events to Splunk.

POST receivers/stream

Create events from the stream of data that follows the HTTP headers.

Request

Name Type Required Default Description
<data_stream> String Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.

Response Codes

Status Code Description
200 Data accepted.
400 Request error. See response body for details.
404 Receiver does not exist.

Returned Values

No values returned for this request.

Example

Streams an arbitrary number of events to Splunk. This example is best demonstrated with a program rather than a curl request. Below is a short Python script that runs indefinitely, until the user presses Ctrl-C. In the meantime, it sends one event per second to Splunk. Note that for a streaming connection, the "x-splunk-input-mode" header must be specified.


import base64
import http.client
import ssl
import time

# Basic-auth header for admin:pass, the same credentials the curl examples use
auth = "Basic " + base64.b64encode(b"admin:pass").decode("ascii")

# The default context verifies the server certificate; the curl examples on
# this page skip that check with -k instead.
conn = http.client.HTTPSConnection("localhost", 8089, context=ssl.create_default_context())
conn.connect()
# Metadata (source, sourcetype) is passed in the query string, not the body
conn.putrequest("POST", "/services/receivers/stream?source=www&sourcetype=web_data")
conn.putheader("Authorization", auth)
# Required header for a streaming connection (see the note above)
conn.putheader("x-splunk-input-mode", "streaming")
conn.endheaders()

print("Looping...")
while True:
    # one event per second; the trailing newline terminates each event
    conn.send(("%s A sample event.\n" % time.asctime()).encode("utf-8"))
    time.sleep(1)


There is no response for this request.

This documentation applies to the following versions of Splunk: 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 View the Article History for its revisions.

