Using the REST API reference
Use the REST API Reference to learn about available endpoints and operations for accessing, creating, updating, or deleting resources. See the REST API User Manual to learn about the Splunk REST API basic concepts.
Splunk Cloud REST API usage
There are some REST API access and usage differences between Splunk Cloud and Splunk Enterprise. If you are using Splunk Cloud, review details in Using the REST API with Splunk Cloud.
Resources are grouped into the following categories.
|Access control||Authorize and authenticate users.|
|Applications||Install applications and application templates.|
|Clusters||Configure and manage cluster master and peer nodes.|
|Configuration||Manage configuration files and settings.|
|Deployment||Manage deployment servers and clients.|
|Inputs||Manage data input.|
|Introspection||Access system properties.|
|Knowledge||Define indexed and searched data configurations.|
|KV store||Manage app key-value store.|
|Licensing||Manage licensing configurations.|
|Outputs||Manage forwarder data configuration.|
|Search||Manage searches and search-generated alerts and view objects.|
|System||Manage server configuration.|
See the URI quick reference for a full list of endpoints.
Depending on the endpoint, GET, POST, and/or DELETE operations are available for accessing, creating, updating, or deleting resources. Some operations have specific capability requirements, as noted.
Using endpoint reference entries
Reference information for each endpoint in the REST API includes the following items.
- Usage details
- Expandable elements showing available operations (GET, POST, and/or DELETE) for the endpoint.
Expand a GET, POST, or DELETE element to show the following usage information about the operation.
- Request parameter information and requirements.
- Returned values included in the response.
- Example request and response.
Request and response details
Pagination and filtering parameters
In addition to the parameters specific to each endpoint and operation, the following request parameters are valid for some GET methods.
||Maximum number of entries to return. Set value to 0 to get all available entries.|
|f||String|| Filters the response to include only the named values. Specify multiple times to return multiple values.
||Index of first item to return.|
|search||String|| Response filter, where the response field values are matched against this search expression.
|| Response sort order:
||Field name to use for sorting.|
|| Collated ordering:
|| Response type:
The response to GET and other requests typically includes key-value pairs representing details about the resource that you are accessing. Returned values specific to the resource and/or operation are listed along with their descriptions.
HTTP status codes
Responses can include HTTP status codes. Standard HTTP status codes are not included in endpoint documentation, but status codes with specific meaning for an endpoint and/or operation are noted.
Requests with an error, such as a missing required parameter, can prompt an error response like the following example.
<response> <messages> <msg type="ERROR"> In handler 'datamodelgenerate': The following required arguments are missing: sid. </msg> </messages> </response>
EAI response data
EAI response data, the
<eai:attributes> elements, typically apply to all endpoints and are configuration-dependent, so redundant explanation is omitted. These elements are also elided from the response examples to make the documentation easier to read.
Access Control List (ACL)
The REST implementation enforces ownership and permissions for a resource based on application context namespace. The ACL includes the following parameters.
|app|| The app context for the resource. Allowed values are:
|can_list||For internal use only for the Splunk Web manager UI.|
|can_share_*|| Indicates whether or not the current user can change the sharing state. The sharing state can be one of:
|can_write||Indicates whether or not the current user can edit this item.|
|owner|| The user that owns the resource.
A value of
|modifiable|| Indicates whether or not you can change the Access Control List (ACL).
Set to false for items not controlled by ACLs, such as items under
|perms.read||Properties that indicate read permissions of the resource.|
|perms.write||Properties that indicate write permissions of the resource.|
|removable||Indicates if an admin or user with sufficient permissions can remove the entity.|
|sharing|| Indicates how the resource is shared. Allowed values are:
Note: You can append
/acl to an endpoint to access its ACL properties. For more information, see Access Control List in the REST API User Manual.
eai:attributes element shows the mandatory and optional fields.
|optionalFields||Field is optional.|
|requiredFields||Field is required.|
|wildcardFields||Field can use wildcard.|
See the following resources for more information on working with the Splunk REST API.
URI quick reference
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3