Splunk® Enterprise

REST API Reference Manual

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Introspection endpoint descriptions

Access server and instance information.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information, see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud limitations

If you have a managed Splunk Cloud deployment with search head clustering and index clustering, the REST API supports access to the search head only. You can use the REST API to interact with the search head in your deployment. Using the REST API to access any other cluster member nodes is not supported. For example, introspection endpoints are not applicable to Splunk Cloud deployments.

See Using the REST API in Splunk Cloud in the Splunk REST API Tutorials for more information.


data/index-volumes

https://<host>:<mPort>/services/data/index-volumes

Get information about the volumes (logical drives) in use by the Splunk deployment.


GET

List the Splunk deployment volumes.

Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the following file.

$SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf

At least one observation period must pass after Splunk software startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
max_size Maximum name volume size limit (MB):

infinite = No maximum specified.

name Volume name
total_size Total name volume capacity (MB). If max_size is infinite, this field is not listed.

Example request and response


XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes

XML Response

...
<title>introspection--disk-objects--volumes</title>
 <id>https://localhost:8089/services/data/index-volumes</id>
 <updated>2014-03-25T14:41:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_splunk_summaries</title>
   <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
   <updated>2014-03-25T14:41:09-07:00</updated>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="max_size">infinite</s:key>
       <s:key name="name">_splunk_summaries</s:key>
     </s:dict>
   </content>
 </entry>

data/index-volumes/{name}

https://<host>:<mPort>/services/data/index-volumes/{name}

Get information about the {name} volume (logical drive).


GET

List {name} volume properties.

Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the following file.

$SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf

At least one observation period must pass after Splunk software startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600


Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
max_size Maximum name volume size limit (MB).

infinite = No maximum specified (i.e., 0, the default)

name Volume name.
total_size Total name volume capacity (MB). If max_size is infinite, this field is not listed.


Example request and response


XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes/_splunk_summaries

XML Response

...
 <title>introspection--disk-objects--volumes</title>
 <id>https://localhost:8089/services/data/index-volumes</id>
 <updated>2014-03-27T14:35:26-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_splunk_summaries</title>
   <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
   <updated>2014-03-27T14:35:26-07:00</updated>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="max_size">infinite</s:key>
       <s:key name="name">_splunk_summaries</s:key>
     </s:dict>
   </content>
 </entry>



data/indexes

https://<host>:<mPort>/services/data/indexes

Create and manage data indexes.

Authorization and authentication
By default, all users can list all indexes. However, if the indexes_list_all capability is enabled in authorize.conf, access to all indexes is limited to only those roles with this capability.

To enable indexes_list_all capability restrictions on the data/indexes endpoint, create a [capability::indexes_list_all] stanza in authorize.conf. Specify indexes_list_all=enabled for any role permitted to list all indexes from this endpoint.

For more information, see the authorize.conf spec file in the Admin Manual.


GET

List the recognized indexes on the server.


Request parameters
Pagination and filtering parameters can be used with this method.

Name Type Default Description
datatype String event Valid values: (all | event | metric). Specifies the type of index.

Returned values

Name Description
assureUTF8 Indicates whether all data retrieved from the index is proper UTF8. If enabled (set to True), degrades indexing performance.

This is a global setting, not a per index setting.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

coldPath Filepath to the cold databases for the index.
coldPath_expanded Absolute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
    To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
    To thaw, unzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths.
datatype The type of index (event | metric).
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
disabled Indicates if the index is disabled.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
isReady Indicates if the index is properly initialized.
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this to is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxRunningProcessGroups Maximum number of processes that the indexer fires off at a time.

This is a global setting, not a per index setting.

maxTime ISO8601 timestamp of the newest event time in the index.
maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer or "disable". Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minTime ISO8601 timestamp of the oldest event time in the index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are synced at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out of hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

summarize If true, leaves out certain index details, which provides a faster response.
suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath An absolute path that contains the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/data/indexes

XML Response

...
<title>indexes</title>
 <id>https://localhost:8089/services/data/indexes</id>
 <updated>2011-07-11T18:09:22-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/indexes/_new" rel="create"/>
 <link href="/services/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/indexes/_audit</id>
   <updated>2011-07-11T18:09:22-07:00</updated>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="list"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/audit/colddb</s:key>
       <s:key name="coldPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/colddb</s:key>
       <s:key name="coldToFrozenDir"/>
       <s:key name="coldToFrozenScript"/>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="datatype">event</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="disabled">0</s:key>
          ... eai:acl element elided ...
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/audit/db</s:key>
       <s:key name="homePath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">1</s:key>
       <s:key name="lastInitTime">1310432962.424512</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxRunningProcessGroups">20</s:key>
       <s:key name="maxTime">2011-07-10T22:20:53-0700</s:key>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime">2011-07-10T14:33:00-0700</s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"/>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/audit/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">230</s:key>
     </s:dict>
   </content>
 </entry>
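
As an added example (not Splunk code), the following Python reads a data/indexes response and flags the retention and integrity settings described above: no freeze archive, block signing disabled, and an index close to maxTotalDataSizeMB. The sample response is constructed; the feed wrapper, the namespace declarations, the fw_logs index and the 0.9 threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the response above, reduced to the keys
# this audit reads. The <feed> wrapper and namespace declarations are
# assumptions (the page elides them); fw_logs and its values are made up.
SAMPLE_RESPONSE = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>indexes</title>
  <entry>
    <title>_audit</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blockSignSize">0</s:key>
        <s:key name="coldToFrozenDir"/>
        <s:key name="coldToFrozenScript"/>
        <s:key name="currentDBSizeMB">1</s:key>
        <s:key name="eai:acl"><s:dict><s:key name="app">system</s:key></s:dict></s:key>
        <s:key name="frozenTimePeriodInSecs">188697600</s:key>
        <s:key name="maxTotalDataSizeMB">500000</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>fw_logs</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blockSignSize">100</s:key>
        <s:key name="coldToFrozenDir">/archive/fw_logs</s:key>
        <s:key name="coldToFrozenScript">$SPLUNK_HOME/bin/myColdToFrozen.py</s:key>
        <s:key name="currentDBSizeMB">9600</s:key>
        <s:key name="frozenTimePeriodInSecs">7776000</s:key>
        <s:key name="maxTotalDataSizeMB">10000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _local(tag):
    """Tag name without its namespace, so the code does not depend on the URIs."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def parse_indexes(xml_text):
    """Return {index name: {setting: value}} from a data/indexes response."""
    indexes = {}
    for entry in _children(ET.fromstring(xml_text), "entry"):
        settings = {}
        for content in _children(entry, "content"):
            for top in _children(content, "dict"):
                for key in _children(top, "key"):
                    if len(key) == 0:  # skip nested dicts such as eai:acl
                        settings[key.get("name")] = (key.text or "").strip()
        indexes[_children(entry, "title")[0].text] = settings
    return indexes


def _number(settings, name):
    """Numeric value of a setting, or None when absent or non-numeric."""
    try:
        return float(settings.get(name, ""))
    except ValueError:
        return None


def retention_days(settings):
    """frozenTimePeriodInSecs expressed in days, or None if not reported."""
    secs = _number(settings, "frozenTimePeriodInSecs")
    return None if secs is None else secs / 86400


def audit_index(settings, size_warn_ratio=0.9):
    """Return finding codes for one index, in a fixed order."""
    findings = []
    archive_dir = settings.get("coldToFrozenDir", "")
    archive_script = settings.get("coldToFrozenScript", "")
    if not archive_dir and not archive_script:
        # Freezing removes data from the index; nothing archives it.
        findings.append("no-archive")
    elif archive_dir and archive_script:
        # Both set: coldToFrozenDir takes precedence.
        findings.append("both-archive-settings")
    if settings.get("blockSignSize", "0") == "0":
        findings.append("block-signing-disabled")
    current = _number(settings, "currentDBSizeMB")
    cap = _number(settings, "maxTotalDataSizeMB")
    if current is not None and cap and current / cap >= size_warn_ratio:
        # Past the cap, the oldest data is frozen regardless of its age.
        findings.append("near-size-cap")
    return findings


if __name__ == "__main__":
    for name, settings in parse_indexes(SAMPLE_RESPONSE).items():
        print(name, retention_days(settings), audit_index(settings))
```

To run it against a live instance, save the output of the curl request above to a file and pass its contents to parse_indexes().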

POST

Create a new index.

Request parameters

Name Type Default Description
blockSignSize Number 0 Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

bucketRebuildMemoryHint String auto Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host:

  • less than 2GB RAM = 67108864 (64MB) tsidx
  • 2GB to 8GB RAM = 134217728 (128MB) tsidx
  • more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295.

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

coldPath String An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching. May be defined in terms of a volume definition (see volume section below).

Required. Splunk software does not start if an index lacks a valid coldPath.

coldToFrozenDir String Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
    To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
    To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript String Path to the archiving script.

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade.

It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

  • For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
  • For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index.
compressRawdata Boolean true This parameter is ignored. The splunkd process always compresses raw data.
datatype String event Valid values: (event | metric). Specifies the type of index.
enableOnlineBucketRepair Boolean true Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software.

When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degradation.

frozenTimePeriodInSecs Number 188697600 Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath String An absolute path that contains the hot and warm buckets for the index.

Required. Splunk software does not start if an index lacks a valid homePath.

Caution: The path must be readable and writable.

maxBloomBackfillBucketAge Number 30d Valid values are: Integer[m|s|h|d]

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

maxConcurrentOptimizes Number 6 The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize Number auto The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this to is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Number 3 Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Number 0 Maximum life, in seconds, of a hot bucket. Defaults to 0.

If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

maxHotSpanSecs Number 7776000 Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB Number 5 The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your system's memory and/or splunkd stability/performance.

maxMetaEntries Number 1000000 Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTimeUnreplicatedNoAcks Number 300 Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this parameter does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: This is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Number 60 Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB Number 500000 The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDBCount Number 300 The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs Number disable Specify an integer (or "disable") for this parameter.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.

minStreamGroupQueueSize Number 2000 Minimum size of the queue that stores events in memory before committing them to a tsidx file.

Caution: Do not set this value, except under advice from Splunk Support.

name (required) String The name of the index to create.
partialServiceMetaPeriod Number 0 Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are synced at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

processTrackerServiceInterval Number 1 Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15.

If set to 0, the indexer checks child process status every second.

Highest legal value is 4294967295.

quarantineFutureSecs Number 2592000 Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Number 77760000 Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Number 131072 Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

repFactor String 0 Index replication control. This parameter applies to only clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Number 60 How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Number 25 Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

syncMeta Boolean true When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath String An absolute path that contains the thawed (resurrected) databases for the index.

Cannot be defined in terms of a volume definition.

Required. Splunk software does not start if an index lacks a valid thawedPath.


throttleCheckPeriod Number 15 Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

tstatsHomePath String Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter.

If specified, it must be defined in terms of a volume definition.

Caution: Path must be writable.

Default value: volume:_splunk_summaries/$_index_name/tstats

warmToColdScript String Path to a script to run when moving data from warm to cold.

This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used.

Returned values

Name Description
assureUTF8 Boolean value indicating whether all data retrieved from the index is proper UTF8.

If enabled (set to True), degrades indexing performance.

Can only be set globally.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

bucketRebuildMemoryHint Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.
coldPath Filepath to the cold databases for the index.
coldPath_expanded Absolute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, unzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths.
datatype The type of index (event | metric).
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
enableOnlineBucketRepair Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk software.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
isReady Indicates if an index is properly initialized.
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxBloomBackfillBucketAge If a bucket (warm or cold) is older than this, Splunk software does not create (or re-create) its bloom filter.
maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTime ISO8601 timestamp of the newest event time in the index.
maxTimeUnreplicatedNoAcks Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this parameter does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer or "disable". Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minStreamGroupQueueSize Minimum size of the queue that stores events in memory before committing them to a tsidx file.
minTime ISO8601 timestamp of the oldest event time in the index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require a full re-write are synced at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

processTrackerServiceInterval How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests.
quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

repFactor Index replication control. This parameter applies to only clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out of hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath Filepath to the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.
tstatsHomePath Location where datamodel acceleration TSIDX data for this index is stored.
warmToColdScript Script to run when moving data from warm to cold. See input parameter description for details.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/indexes -d name=Shadow

XML Response

...
 <title>indexes</title>
 <id>https://localhost:8089/servicesNS/admin/search/data/indexes</id>
 <updated>2011-05-13T13:09:27-07:00</updated>
 <generator version="98392"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/admin/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/admin/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-05-13T13:09:27-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/Applications/splunk/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"></s:key>
       <s:key name="coldToFrozenScript"></s:key>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="datatype">event</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="eai:acl">. . .</s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/Applications/splunk/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1305317367.331268</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxTime"></s:key>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"></s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"></s:key>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/Applications/splunk/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>
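
The returned values above, read out of the Atom response and checked against three points their descriptions make: frozen data is removed unless coldToFrozenDir or coldToFrozenScript is set, a numeric maxDataSize outside 100 - 50000 needs sign-off, and maxTimeUnreplicatedWithAcks should be at most half of the smallest forwarder readTimeout. This is an added example, not Splunk code; the sample feed, the audit_archive index, the finding labels and the readTimeout inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces declared by Splunk REST Atom responses (elided in the response above).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample in the shape of the response above; values are made up.
SAMPLE = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>indexes</title>
  <entry>
    <title>shadow</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="coldToFrozenDir"></s:key>
        <s:key name="coldToFrozenScript"></s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="maxDataSize">auto</s:key>
        <s:key name="maxTimeUnreplicatedWithAcks">60</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>audit_archive</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="coldToFrozenDir">/archive/audit</s:key>
        <s:key name="coldToFrozenScript"/>
        <s:key name="maxDataSize">75000</s:key>
        <s:key name="maxTimeUnreplicatedWithAcks">200</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_value(elem):
    """Convert an element holding text, <s:dict> or <s:list> into str, dict or list."""
    child = elem.find("s:dict", NS)
    if child is not None:
        return {k.get("name"): parse_value(k) for k in child.findall("s:key", NS)}
    child = elem.find("s:list", NS)
    if child is not None:
        return [parse_value(item) for item in child.findall("s:item", NS)]
    return (elem.text or "").strip()


def parse_indexes(xml_text):
    """Return {index name: settings dict} for every <entry> in the feed."""
    root = ET.fromstring(xml_text)
    indexes = {}
    for entry in root.findall("atom:entry", NS):
        name = entry.findtext("atom:title", default="", namespaces=NS)
        content = entry.find("atom:content", NS)
        indexes[name] = parse_value(content) if content is not None else {}
    return indexes


def review_index(settings, forwarder_read_timeouts=()):
    """Return finding labels (names chosen for this example) for one index."""
    findings = []
    # Freezing removes data unless an archive directory or script is configured.
    if not settings.get("coldToFrozenDir") and not settings.get("coldToFrozenScript"):
        findings.append("no-archive")
    # "auto" and "auto_high_volume" are autotuned; numbers should sit in 100 - 50000.
    size = settings.get("maxDataSize", "")
    if size.isdigit() and not 100 <= int(size) <= 50000:
        findings.append("maxdatasize-out-of-range")
    # At most half of the smallest readTimeout (outputs.conf, tcpout stanza);
    # 0 disables the limit, which the description advises against.
    if forwarder_read_timeouts and "maxTimeUnreplicatedWithAcks" in settings:
        wait = int(settings["maxTimeUnreplicatedWithAcks"])
        if wait == 0:
            findings.append("ack-wait-disabled")
        elif wait > min(forwarder_read_timeouts) / 2:
            findings.append("ack-wait-too-long")
    return findings


if __name__ == "__main__":
    for name, settings in parse_indexes(SAMPLE).items():
        print(name, review_index(settings, forwarder_read_timeouts=[300, 600]))
```

The ack check only runs when forwarder readTimeout values are passed in, because those live in outputs.conf on the forwarders and are not part of this response.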



data/indexes/{name}

https://<host>:<mPort>/services/data/indexes/{name}

Access, update, or delete the {name} index.


DELETE

Removes the {name} index and the data contained in it.

Usage details
Before executing this operation, look through all inputs.conf files (on the indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index that you plan to delete.

For example, if you want to delete an index called nogood, make sure the attribute/value pair index=nogood does not appear in any input stanzas. Once the index is deleted, Splunk software discards any data sent to that index.

The method returns HTTP status code 409 if the {name} index was disabled but Splunk Enterprise was not restarted. Restart Splunk Enterprise and try again.

For information on deleting indexes and deleting data from indexes, refer to Remove indexes and indexed data in Managing Indexers and Clusters of Indexers.
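
The pre-delete check described above, as an added example (not Splunk code): it lists every stanza in an inputs.conf file that still routes to the index, including stanzas that inherit index from [default] or from settings placed before the first stanza header. The sample files, paths and function names are constructed for illustration; index names are compared case-insensitively, an assumption based on the earlier example where name=Shadow is returned as shadow.

```python
import re
from pathlib import Path

STANZA = re.compile(r"^\[(?P<name>.*)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")

# Constructed sample: inputs.conf on the indexer.
INDEXER_INPUTS = """\
[default]
host = idx01

[splunktcp://9997]
connection_host = ip

[monitor:///var/log/legacy]
index = nogood
sourcetype = legacy
"""

# Constructed sample: inputs.conf on a forwarder, with a global index setting.
FORWARDER_INPUTS = """\
# settings before the first stanza apply to every input
index = nogood

[monitor:///var/log/app]
sourcetype = app

[monitor:///var/log/secure]
index = main
"""


def parse_conf(text):
    """Return {stanza: {key: value}}; global settings are filed under 'default'."""
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            current = header.group("name")
            stanzas.setdefault(current, {})
            continue
        setting = SETTING.match(line)
        if setting:
            stanzas[current][setting.group("key")] = setting.group("value").strip()
    return stanzas


def inputs_routing_to(text, index_name):
    """Return the stanzas whose effective index setting is index_name."""
    stanzas = parse_conf(text)
    target = index_name.lower()
    inherited = stanzas["default"].get("index", "").lower()
    hits = []
    for name, settings in stanzas.items():
        if name == "default":
            if inherited == target:
                hits.append(name)
            continue
        # A stanza without its own index setting inherits the default one.
        if settings.get("index", inherited).lower() == target:
            hits.append(name)
    return hits


def scan(files, index_name):
    """files maps a path to file contents; return {path: [stanzas]} for hits only."""
    report = {}
    for path, text in files.items():
        hits = inputs_routing_to(text, index_name)
        if hits:
            report[path] = hits
    return report


def scan_tree(root, index_name):
    """Run scan() over every inputs.conf found under root."""
    files = {str(p): p.read_text(errors="replace")
             for p in Path(root).rglob("inputs.conf")}
    return scan(files, index_name)


if __name__ == "__main__":
    samples = {"indexer/inputs.conf": INDEXER_INPUTS,
               "forwarder/inputs.conf": FORWARDER_INPUTS}
    for path, stanzas in scan(samples, "nogood").items():
        print(path, stanzas)
```

Each file is read on its own; the script does not merge configuration layers from different directories, so run it on the indexer and on every forwarder that sends to it.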

Request parameters
None

Returned values
None

Example request and response

XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/indexes/shadow

XML Response

...
  <title>indexes</title>
 <id>https://localhost:8089/services/data/indexes</id>
 <updated>2012-08-02T11:10:16-07:00</updated>
 <generator build="131547" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/indexes/_new" rel="create"/>
 <link href="/services/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>


GET

Access information about the {name} index.

Request parameters

Name Type Default Description
summarize Boolean false [Optional] Response type:

true = Summarized response, omitting some index details, providing a faster response.
false = full response.


Returned values

Name Description
assureUTF8 Indicates whether all data retrieved from the index is proper UTF8. If enabled (set to True), degrades indexing performance.

This is a global setting, not a per index setting.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

bloomfilterTotalSizeKB Total size of all bloom filter files, in KB.
coldPath Filepath to the cold databases for the index.
coldPath_expanded Absolute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, unzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths.
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
disabled Indicates if the index is disabled.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxRunningProcessGroups Maximum number of processes that the indexer fires off at a time.

This is a global setting, not a per index setting.

maxTime UNIX timestamp of the newest event time in the index.
maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount Maximum number of warm buckets.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer or "disable". Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minTime UNIX timestamp of the oldest event time in the index.
numBloomfilters The number of bloom filters created for this index.
numHotBuckets The number of hot buckets created for this index.
numWarmBuckets The number of warm buckets created for this index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require a full re-write are synced at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out of hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

summarize If true, leaves out certain index details, which provides a faster response.
suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath An absolute path that contains the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow

XML Response

...
 <title>indexes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
 <updated>2011-08-01T12:25:34-07:00</updated>
 <generator version="105103"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-08-01T11:47:55-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="bloomfilterTotalSizeKB">0</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"/>
       <s:key name="coldToFrozenScript"/>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="disabled">0</s:key>
          ...eai:acl element elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>assureUTF8</s:item>
               <s:item>blockSignSize</s:item>
               <s:item>coldToFrozenDir</s:item>
               <s:item>coldToFrozenScript</s:item>
               <s:item>compressRawdata</s:item>
               <s:item>frozenTimePeriodInSecs</s:item>
               <s:item>maxConcurrentOptimizes</s:item>
               <s:item>maxDataSize</s:item>
               <s:item>maxHotBuckets</s:item>
               <s:item>maxHotIdleSecs</s:item>
               <s:item>maxHotSpanSecs</s:item>
               <s:item>maxMemMB</s:item>
               <s:item>maxMetaEntries</s:item>
               <s:item>maxRunningProcessGroups</s:item>
               <s:item>maxTotalDataSizeMB</s:item>
               <s:item>maxWarmDBCount</s:item>
               <s:item>minRawFileSyncSecs</s:item>
               <s:item>partialServiceMetaPeriod</s:item>
               <s:item>quarantineFutureSecs</s:item>
               <s:item>quarantinePastSecs</s:item>
               <s:item>rawChunkSizeBytes</s:item>
               <s:item>rotatePeriodInSecs</s:item>
               <s:item>serviceMetaPeriod</s:item>
               <s:item>suppressBannerList</s:item>
               <s:item>syncMeta</s:item>
               <s:item>throttleCheckPeriod</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1312226552.102920</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxRunningProcessGroups">20</s:key>
       <s:key name="maxTime"/>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"/>
       <s:key name="numBloomfilters">0</s:key>
       <s:key name="numHotBuckets">0</s:key>
       <s:key name="numWarmBuckets">0</s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"/>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>
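
An added example (not part of the Splunk documentation): one way to parse the Atom and s:dict structure of the response above and check the retention and integrity settings this page describes. The sample XML is a constructed, trimmed version of that response plus a constructed second index, fw_logs; the finding names and the 365-day and 90% thresholds are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample: a well-formed, trimmed version of the response above,
# plus a constructed index "fw_logs" with different settings.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>shadow</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blockSignSize">0</s:key>
        <s:key name="coldToFrozenDir"/>
        <s:key name="coldToFrozenScript"/>
        <s:key name="currentDBSizeMB">1</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list><s:item>assureUTF8</s:item><s:item>blockSignSize</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="frozenTimePeriodInSecs">188697600</s:key>
        <s:key name="maxTotalDataSizeMB">500000</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>fw_logs</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blockSignSize">100</s:key>
        <s:key name="coldToFrozenDir">/mnt/frozen/fw_logs</s:key>
        <s:key name="coldToFrozenScript"/>
        <s:key name="currentDBSizeMB">480000</s:key>
        <s:key name="frozenTimePeriodInSecs">2592000</s:key>
        <s:key name="maxTotalDataSizeMB">500000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def to_python(node):
    """Turn the payload of <content>, <s:key> or <s:item> into dict, list or str."""
    nested = node.find("s:dict", NS)
    if nested is not None:
        return {k.get("name"): to_python(k) for k in nested.findall("s:key", NS)}
    items = node.find("s:list", NS)
    if items is not None:
        return [to_python(i) for i in items.findall("s:item", NS)]
    return (node.text or "").strip()  # <s:key name="x"/> becomes ""


def parse_indexes(xml_text):
    """Map each <entry> title (the index name) to its settings dict."""
    indexes = {}
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        content = entry.find("atom:content", NS)
        if content is not None:
            name = entry.findtext("atom:title", default="", namespaces=NS)
            indexes[name] = to_python(content)
    return indexes


def as_int(cfg, key):
    """Return the setting as int, or None when it is missing or non-numeric."""
    try:
        return int(cfg[key])
    except (KeyError, ValueError, TypeError):
        return None


def audit_index(cfg, min_retention_days=365, cap_ratio=0.9):
    """Return finding codes for one index; thresholds are assumed policy values."""
    findings = []
    archive_dir = cfg.get("coldToFrozenDir", "")
    archive_script = cfg.get("coldToFrozenScript", "")
    if not archive_dir and not archive_script:
        findings.append("no-archive")        # frozen data is removed, not archived
    elif archive_dir and archive_script:
        findings.append("script-shadowed")   # coldToFrozenDir takes precedence
    if as_int(cfg, "blockSignSize") == 0:
        findings.append("block-signing-off")  # 0 disables block signing
    retention = as_int(cfg, "frozenTimePeriodInSecs")
    if retention is not None and retention < min_retention_days * 86400:
        findings.append("short-retention")
    size, cap = as_int(cfg, "currentDBSizeMB"), as_int(cfg, "maxTotalDataSizeMB")
    if size is not None and cap and size >= cap_ratio * cap:
        findings.append("near-size-cap")      # oldest data is frozen past the cap
    return findings


def audit_all(xml_text):
    return {name: audit_index(cfg) for name, cfg in parse_indexes(xml_text).items()}


if __name__ == "__main__":
    for index_name, codes in audit_all(SAMPLE).items():
        print(index_name, codes)
```
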



POST

Updates the {name} index.

Request parameters

Name Type Default Description
blockSignSize Number 0 Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

bucketRebuildMemoryHint String auto Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host

  • less than 2GB RAM = 67108864 (64MB) tsidx
  • 2GB to 8GB RAM = 134217728 (128MB) tsidx
  • more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295.

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

coldToFrozenDir String Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence

coldToFrozenScript String Path to the archiving script.

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade.

It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

  • For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
  • For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index
compressRawdata Boolean true This parameter is ignored. The splunkd process always compresses raw data.
enableOnlineBucketRepair Boolean true Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software.

When enabled, you do not have to wait until buckets are repaired to start Splunk Enterprise. However, you might observe a slight performance degradation.

frozenTimePeriodInSecs Number 188697600 Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

maxBloomBackfillBucketAge Number 30d Valid values are: Integer[m|s|h|d]

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

maxConcurrentOptimizes Number 6 The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize Number auto The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Number 3 Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Number 0 Maximum life, in seconds, of a hot bucket. Defaults to 0.

If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

maxHotSpanSecs Number 7776000 Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB Number 5 The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your system's memory and/or splunkd stability/performance.

maxMetaEntries Number 1000000 Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTimeUnreplicatedNoAcks Number 300 Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this parameter does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Number 60 Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB Number 500000 The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDBCount Number 300 The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
minRawFileSyncSecs Number disable Specify an integer (or "disable") for this parameter.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

minStreamGroupQueueSize Number 2000 Minimum size of the queue that stores events in memory before committing them to a tsidx file.

Caution: Do not set this value, except under advice from Splunk Support.

partialServiceMetaPeriod Number 0 Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are synced at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

processTrackerServiceInterval Number 1 Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15.

If set to 0, the indexer checks child process status every second.

Highest legal value is 4294967295.

quarantineFutureSecs Number 2592000 Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Number 77760000 Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Number 131072 Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

repFactor String 0 Index replication control. This parameter applies to only clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Number 60 How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Number 25 Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

syncMeta Boolean true When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

throttleCheckPeriod Number 15 Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

tstatsHomePath String Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter.

If specified, it must be defined in terms of a volume definition.

Caution: Path must be writable.

Default value: volume:_splunk_summaries/$_index_name/tstats

warmToColdScript String Path to a script to run when moving data from warm to cold.

This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used.
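
An added example for the coldToFrozenScript parameter described above (this is not Splunk's coldToFrozenExample.py): a sketch of a myColdToFrozen.py that reproduces the two archiving behaviors listed there, working on a staged copy so an interrupted run never leaves a half-written archive. The archive path, the rawdata/journal.gz test for newer buckets, the index/colddb/bucket directory layout and the bucket path arriving as the first argument are assumptions.

```python
import gzip
import os
import shutil
import sys

# Hypothetical archive location; it must already exist, as the page advises.
ARCHIVE_DIR = "/mnt/splunk_frozen"


def is_new_style(bucket):
    # Assumption: buckets from 4.2 on keep their events in rawdata/journal.gz.
    return os.path.isfile(os.path.join(bucket, "rawdata", "journal.gz"))


def strip_bucket(bucket):
    """Reduce a bucket copy to what the page says the example script keeps."""
    new_style = is_new_style(bucket)
    for entry in os.listdir(bucket):
        full = os.path.join(bucket, entry)
        if not os.path.isfile(full):
            continue  # directories such as rawdata are left in place
        if new_style:
            os.remove(full)  # 4.2 and on: remove all files except rawdata
        elif entry.endswith(".tsidx"):
            # Older buckets: gzip the .tsidx files and drop the originals.
            with open(full, "rb") as src, gzip.open(full + ".gz", "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.remove(full)
    return "new" if new_style else "old"


def archive_bucket(bucket, archive_dir=ARCHIVE_DIR):
    """Copy one bucket into archive_dir/<index>/<bucket>; return (style, dest)."""
    bucket = os.path.abspath(bucket)
    if not os.path.isdir(bucket):
        raise ValueError("not a bucket directory: " + bucket)
    if not os.path.isdir(archive_dir):
        raise ValueError("archive directory does not exist: " + archive_dir)
    # Assumed layout <db root>/<index>/colddb/<bucket>, as in the coldPath values.
    index_name = os.path.basename(os.path.dirname(os.path.dirname(bucket)))
    dest = os.path.join(archive_dir, index_name, os.path.basename(bucket))
    if os.path.exists(dest):
        raise FileExistsError("already archived: " + dest)  # never overwrite
    staging = dest + ".partial"
    if os.path.exists(staging):
        shutil.rmtree(staging)  # leftover from an interrupted run
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copytree(bucket, staging)  # the source bucket is not modified
    style = strip_bucket(staging)
    os.rename(staging, dest)  # publish only a complete archive
    return style, dest


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: myColdToFrozen.py <bucket_dir>")
    try:
        print("archived %s bucket to %s" % archive_bucket(sys.argv[1]))
    except (OSError, ValueError) as exc:
        sys.exit("archive failed: %s" % exc)  # non-zero exit status on failure
```
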

Returned values

Name Description
assureUTF8 Boolean value indicating whether all data retrieved from the index is proper UTF8.

If enabled (set to True), degrades indexing performance

Can only be set globally.

blockSignSize Controls how many events make up a block for block signatures.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

blockSignatureDatabase The index that stores block signatures of events.

This is a global setting, not a per index setting.

bucketRebuildMemoryHint Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.
coldPath Filepath to the cold databases for the index.
coldPath_expanded Absolute filepath to the cold databases.
coldToFrozenDir Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.

Bucket freezing policy is as follows:

  • New style buckets (4.2 and on): removes all files but the rawdata
To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory
  • Old style buckets (Pre-4.2): gzip all the .data and .tsidx files
To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

coldToFrozenScript Path to the archiving script.

See the POST parameter description for details.

compressRawdata This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths.
defaultDatabase If no index destination information is available in the input data, the index shown here is the destination of such data.
enableOnlineBucketRepair Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk software.
enableRealtimeSearch Indicates if this is a real-time search.

This is a global setting, not a per index setting.

frozenTimePeriodInSecs Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

homePath An absolute path that contains the hot and warm buckets for the index.
homePath_expanded An absolute filepath to the hot and warm buckets for the index.
indexThreads Number of threads used for indexing.

This is a global setting, not a per index setting.

isInternal Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime Last time the index processor was successfully initialized.

This is a global setting, not a per index setting.

maxBloomBackfillBucketAge If a bucket (warm or cold) is older than this, Splunk Enterprise does not create (or re-create) its bloom filter.
maxConcurrentOptimizes The number of concurrent optimize processes that can run against a hot bucket.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

maxDataSize The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
  • "auto" sets the size to 750MB.
  • "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

maxHotBuckets Maximum hot buckets that can exist per index. Defaults to 3.

When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

maxHotIdleSecs Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

maxHotSpanSecs Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

maxMemMB The amount of memory, in MB, allocated for indexing.

This is a global setting, not a per index setting.

maxMetaEntries Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

maxTime UNIX timestamp of the newest event time in the index.
maxTimeUnreplicatedNoAcks Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.

If there are any acknowledged events sharing this raw slice, this parameter does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

maxTimeUnreplicatedWithAcks Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

maxTotalDataSizeMB The maximum size of an index, in MB.
maxWarmDBCount The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB Determines how much memory is given to the indexer memory pool.

This is a global setting, not a per-index setting.

minRawFileSyncSecs Can be either an integer or "disable". Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

minStreamGroupQueueSize Minimum size of the queue that stores events in memory before committing them to a tsidx file.
minTime UNIX timestamp of the oldest event time in the index.
partialServiceMetaPeriod Related to serviceMetaPeriod. By default it is turned off (zero).

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are synced at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

processTrackerServiceInterval How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests.
quarantineFutureSecs Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

quarantinePastSecs Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

rawChunkSizeBytes Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

repFactor Index replication control. This parameter applies to only clustering slaves.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

rotatePeriodInSecs Rotation period, in seconds, that specifies how frequently to check:
  • If a new hot bucket needs to be created.
  • If there are any cold buckets that should be frozen.
  • If there are any buckets that need to be moved out of hot and cold DBs, due to size constraints.
serviceMetaPeriod Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

suppressBannerList List of indexes for which we suppress "index missing" warning banner messages.

This is a global setting, not a per index setting.

sync Specifies the number of events that trigger the indexer to sync events.

This is a global setting, not a per index setting.

syncMeta When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.

Note: Do not change this parameter without the input of Splunk Support.

thawedPath Filepath to the thawed (resurrected) databases for the index.
thawedPath_expanded Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).

Note: Do not change this parameter without the input of Splunk Support.

totalEventCount Total number of events in the index.
tstatsHomePath Location where datamodel acceleration TSIDX data for this index is stored.
warmToColdScript Script to run when moving data from warm to cold. See input parameter description for details.


Example request and response


XML Request

curl -k -u admin:pass -d maxTotalDataSizeMB=400000 https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow

XML Response

...
<title>indexes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
 <updated>2011-05-16T12:20:06-07:00</updated>
 <generator version="98392"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-05-16T12:18:56-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"></s:key>
       <s:key name="coldToFrozenScript"></s:key>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="eai:acl">. . .</s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1305573611.118477</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxTime"></s:key>
       <s:key name="maxTotalDataSizeMB">400000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"></s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"></s:key>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>




data/indexes-extended

https://<host>:<mPort>/services/data/indexes-extended


Access index bucket-level information. There are three bucket super-directories per index.

  • home
  • cold
  • thawed


GET

List bucket attributes for all indexes.

Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

Note: At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters

Pagination and filtering parameters can be used with this method.

Name Type Default Description
datatype String all Valid values: (all | event | metric). Specifies the type of index.

Returned values

Name Description
bucket_dirs (If total_size > 0) Lists the following attributes for each index bucket super-directory (home, cold, thawed).
Attribute | Description | home | cold | thawed
bucket_count | Number of buckets. | | X | X
event_count | (If size > 0) Number of events in this bucket super-directory. | X | X | X
event_max_time | (If size > 0) Highest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called latest time. | X | X | X
event_min_time | (If size > 0) Lowest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called earliest time. | X | X | X
hot_bucket_count | (If size > 0) Number of hot buckets. | X | |
size | Size (fractional MB) on disk of this bucket super-directory. | X | X | X
warm_bucket_count | (If size > 0) Number of warm buckets. | X | |
name Index name.
total_bucket_count (If total_size > 0) Number of index buckets.
total_event_count (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.
total_raw_size (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.
total_size Size (fractional MB) on disk of this index.

Example request and response


XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended

XML Response

...
<title>introspection--disk-objects--indexes</title>
 <id>https://localhost:8089/services/data/indexes-extended</id>
 <updated>2014-03-31T12:41:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
   ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/services/data/indexes-extended/_audit</id>
   <updated>2014-03-31T12:41:09-07:00</updated>
   <link href="/services/data/indexes-extended/_audit" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/_audit" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_dirs">
         <s:dict>
           <s:key name="cold">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
           <s:key name="home">
             <s:dict>
               <s:key name="event_count">6169</s:key>
               <s:key name="event_max_time">1395246673</s:key>
               <s:key name="event_min_time">1394732683</s:key>
               <s:key name="hot_bucket_count">1</s:key>
               <s:key name="size">1.000</s:key>
               <s:key name="warm_bucket_count">5</s:key>
             </s:dict>
           </s:key>
           <s:key name="thawed">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="name">_audit</s:key>
       <s:key name="total_bucket_count">6</s:key>
       <s:key name="total_event_count">18096</s:key>
       <s:key name="total_raw_size">1.000</s:key>
       <s:key name="total_size">1.000</s:key>
     </s:dict>
   </content>
 </entry>
     .
     .
     .
   elided
     .
     .
     .
 <entry>
   <title>summary</title>
   <id>https://localhost:8089/services/data/indexes-extended/summary</id>
   <updated>2014-03-31T12:41:09-07:00</updated>
   <link href="/services/data/indexes-extended/summary" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/summary" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="name">summary</s:key>
       <s:key name="total_size">0.000</s:key>
     </s:dict>
   </content>
 </entry>



data/indexes-extended/{name}

https://<host>:<mPort>/services/data/indexes-extended/{name}


Access bucket-level information for the {name} index. There are three bucket super-directories per index.

  • home
  • cold
  • thawed


GET

Get {name} bucket information.


Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

Note: At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600


Request parameters
None


Returned values

Name Description
bucket_dirs (If total_size > 0) List the following attributes for each index bucket super-directory (home, cold, thawed) as indicated:
Attribute | Description | home | cold | thawed
bucket_count | Number of buckets. | | X | X
event_count | (If size > 0) Number of events in this bucket super-directory. | X | X | X
event_max_time | (If size > 0) Highest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called latest time. | X | X | X
event_min_time | (If size > 0) Lowest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called earliest time. | X | X | X
hot_bucket_count | (If size > 0) Number of hot buckets. | X | |
size | Size (fractional MB) on disk of this bucket super-directory. | X | X | X
warm_bucket_count | (If size > 0) Number of warm buckets. | X | |
name Index name.
total_bucket_count (If total_size > 0) Number of index buckets.
total_event_count (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.
total_raw_size (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.
total_size Size (fractional MB) on disk of this index.

Example request and response


XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended/history

XML Response

...
<title>introspection--disk-objects--indexes</title>
 <id>https://localhost:8089/services/data/indexes-extended</id>
 <updated>2014-03-31T12:42:29-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
   ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_internal</title>
   <id>https://localhost:8089/services/data/indexes-extended/_internal</id>
   <updated>2014-03-31T12:42:29-07:00</updated>
   <link href="/services/data/indexes-extended/_internal" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/_internal" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_dirs">
         <s:dict>
           <s:key name="cold">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
           <s:key name="home">
             <s:dict>
               <s:key name="event_count">180492</s:key>
               <s:key name="event_max_time">1395246673</s:key>
               <s:key name="event_min_time">1392167582</s:key>
               <s:key name="hot_bucket_count">3</s:key>
               <s:key name="size">9.000</s:key>
               <s:key name="warm_bucket_count">6</s:key>
             </s:dict>
           </s:key>
           <s:key name="thawed">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="name">_internal</s:key>
       <s:key name="total_bucket_count">9</s:key>
       <s:key name="total_event_count">556322</s:key>
       <s:key name="total_raw_size">28.000</s:key>
       <s:key name="total_size">22.000</s:key>
     </s:dict>
   </content>
 </entry>
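
The responses from data/indexes-extended and data/indexes-extended/{name} nest s:dict elements and leave out keys for empty directories, as the "(If size > 0)" and "(If total_size > 0)" notes in the Returned values tables indicate. The following Python example is added here and is not part of the Splunk documentation: it decodes the Atom response and lists indexes whose searchable event window is missing or shorter than a chosen number of days. The function names, the day threshold, and the sample feed (trimmed from the _audit and summary entries shown above, with a feed wrapper added) are assumptions of this example.

```python
"""Decode a data/indexes-extended response and check each index's event window."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: the _audit and summary entries from the response above,
# trimmed and wrapped in a <feed> that declares the Atom and Splunk namespaces.
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>introspection--disk-objects--indexes</title>
  <entry>
    <title>_audit</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="bucket_dirs">
          <s:dict>
            <s:key name="cold">
              <s:dict>
                <s:key name="bucket_count">0</s:key>
                <s:key name="size">0.000</s:key>
              </s:dict>
            </s:key>
            <s:key name="home">
              <s:dict>
                <s:key name="event_count">6169</s:key>
                <s:key name="event_max_time">1395246673</s:key>
                <s:key name="event_min_time">1394732683</s:key>
                <s:key name="hot_bucket_count">1</s:key>
                <s:key name="size">1.000</s:key>
                <s:key name="warm_bucket_count">5</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="name">_audit</s:key>
        <s:key name="total_bucket_count">6</s:key>
        <s:key name="total_event_count">18096</s:key>
        <s:key name="total_size">1.000</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>summary</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="name">summary</s:key>
        <s:key name="total_size">0.000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _value(node):
    """Turn the <s:dict>, <s:list> or text inside a node into Python data."""
    d = node.find(S + "dict")
    if d is not None:
        return {k.get("name"): _value(k) for k in d.findall(S + "key")}
    lst = node.find(S + "list")
    if lst is not None:
        return [_value(i) for i in lst.findall(S + "item")]
    return (node.text or "").strip()


def parse_entries(feed_xml):
    """Map each <entry> title to its decoded <content> dictionary."""
    # The input is expected to be a response from your own splunkd; ElementTree
    # does not guard against entity expansion in untrusted XML.
    root = ET.fromstring(feed_xml)
    return {e.findtext(ATOM + "title"): _value(e.find(ATOM + "content"))
            for e in root.findall(ATOM + "entry")}


def searchable_window(index):
    """(earliest, latest) event time over home, cold and thawed, or None."""
    dirs = index.get("bucket_dirs", {})  # key is absent when total_size is 0
    mins = [int(d["event_min_time"]) for d in dirs.values() if "event_min_time" in d]
    maxs = [int(d["event_max_time"]) for d in dirs.values() if "event_max_time" in d]
    if not mins or not maxs:  # time keys are absent when a directory's size is 0
        return None
    return min(mins), max(maxs)


def short_window(indexes, min_days):
    """Names of indexes whose event window is missing or under min_days."""
    flagged = []
    for name, idx in sorted(indexes.items()):
        window = searchable_window(idx)
        if window is None or window[1] - window[0] < min_days * 86400:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    indexes = parse_entries(SAMPLE_FEED)
    for name, idx in indexes.items():
        print(name, idx["total_size"], searchable_window(idx))
    print("window under 30 days:", short_window(indexes, 30))
```

All decoded values are strings, so numeric fields such as total_size need an explicit int or float conversion before comparison.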



data/summaries

https://<host>:<mPort>/services/data/summaries

Get disk usage information about all summaries in an indexer.


GET

Gets current summary disk usage information.

Usage details
By default, this information is available five minutes after starting the Splunk deployment. Adjust this availability timing in server.conf.


Request parameters

Name Description
report_acceleration Optional. Use "report_acceleration=1" to access disk usage by report acceleration summary.
data_model_acceleration Optional. Use "data_model_acceleration=1" to access disk usage by data model acceleration summary.

Pagination and filtering parameters can be used with this method.


Returned values
For each summary, the following values are returned.

Name Description
name Summary name.
related_indexes Lists up to 10 indexes that contribute to this summary.
related_indexes_count Provides total count of related indexes for this summary.
search_head_guid GUID for the search head that created the summary data.
total_bucket_count Number of buckets for this summary.
total_size Total disk size for this summary, in MB.
type Summary type, either "report_acceleration" or "data_model_acceleration".

Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/data/summaries

XML Response

...
<title>introspection--disk-objects--summaries</title>
  <id>https://localhost:8089/services/data/summaries</id>
  <updated>2015-09-16T16:05:35-07:00</updated>
  <generator build="8a67aa2a9bd9cced535484eb781ded292ae81b7a" version="20150914"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/summaries/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>DM_launcher_mydatamodel</title>
    <id>https://localhost:8089/services/data/summaries/DM_launcher_mydatamodel</id>
    <updated>2015-09-16T16:05:35-07:00</updated>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">DM_launcher_mydatamodel</s:key>
        <s:key name="related_indexes">_internal</s:key>
        <s:key name="related_indexes_count">1</s:key>
        <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key>
        <s:key name="total_bucket_count">13</s:key>
        <s:key name="total_size">2.000</s:key>
        <s:key name="type">data_model_acceleration</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>search_admin_NS13c34e21cf577d62</title>
    <id>https://localhost:8089/services/data/summaries/search_admin_NS13c34e21cf577d62</id>
    <updated>2015-09-16T16:05:35-07:00</updated>
    <link href="/services/data/summaries/search_admin_NS13c34e21cf577d62" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/search_admin_NS13c34e21cf577d62" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">search_admin_NS13c34e21cf577d62</s:key>
        <s:key name="related_indexes">_internal</s:key>
        <s:key name="related_indexes_count">1</s:key>
        <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key>
        <s:key name="total_bucket_count">9</s:key>
        <s:key name="total_size">2.000</s:key>
        <s:key name="type">report_acceleration</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>search_admin_NS6f37597da0cade4c</title>
    <id>https://localhost:8089/services/data/summaries/search_admin_NS6f37597da0cade4c</id>
    <updated>2015-09-16T16:05:35-07:00</updated>
    <link href="/services/data/summaries/search_admin_NS6f37597da0cade4c" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/search_admin_NS6f37597da0cade4c" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">search_admin_NS6f37597da0cade4c</s:key>
        <s:key name="related_indexes">_internal</s:key>
        <s:key name="related_indexes_count">1</s:key>
        <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key>
        <s:key name="total_bucket_count">9</s:key>
        <s:key name="total_size">4.000</s:key>
        <s:key name="type">report_acceleration</s:key>
      </s:dict>
    </content>
  </entry>



data/summaries/{summary_name}

https://<host>:<mPort>/services/data/summaries/{summary_name}

Get disk usage information about the {name} indexer summary.


GET

Get disk usage information for the {name} summary.

Request parameters
None.

Returned values

Name Description
name Summary name.
related_indexes Lists up to 10 indexes that contribute to this summary.
related_indexes_count Provides total count of related indexes for this summary.
search_head_guid GUID for search head creating the summary data.
total_bucket_count Number of buckets for this summary.
total_size Total summary disk size in MB.


Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/data/summaries/my_summary

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>introspection--disk-objects--summaries</title>
  <id>https://localhost:8089/services/data/summaries</id>
  <updated>2015-09-11T15:27:46-07:00</updated>
  <generator build="049b19239844e1f7e09be3d55713c1aae663e7ae" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/summaries/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/> 
   ... opensearch elements elided ...
 <entry>
    <title>DM_launcher_mydatamodel</title>
    <id>https://localhost:8089/services/data/summaries/DM_launcher_mydatamodel</id>
    <updated>2015-09-11T15:27:46-07:00</updated>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">DM_launcher_mydatamodel</s:key>
        <s:key name="related_indexes">_audit,_internal</s:key>
        <s:key name="related_indexes_count">2</s:key>
        <s:key name="search_head_guid">58F60B1E-F098-41F7-BFEC-FE285489E67D</s:key>
        <s:key name="total_bucket_count">88</s:key>
        <s:key name="total_size">312.000</s:key>
      </s:dict>
    </content>
  </entry>

</feed>



server/info

https://<host>:<mPort>/services/server/info


Access information about the currently running Splunk instance.

Note: This endpoint provides information on the currently running Splunk instance. Some values returned in the GET response reflect server status information. However, this endpoint is meant to provide information on the currently running instance, not the machine where the instance is running. Server status values returned by this endpoint should be considered deprecated and might not continue to be accessible from this endpoint. Use server/sysinfo to access server status instead. For more information, see server/sysinfo.

GET

Get Splunk instance information.


Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
activeLicenseGroup Type of Splunk software license.
  • Enterprise
  • Forwarder
  • Free
  • Invalid
  • Trial
addOns Names of active add-ons.
build The build number for this Splunk instance version.
cpu_arch The architecture type for the CPU hosting splunkd. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
guid Globally unique identifier for this server.
host Server name.
host_fqdn Host fully qualified domain name.
isFree Indicates if this server is running the Splunk instance under a free license.
isTrial Indicates if this server is using a trial license.
kv_store_status App KV store availability.
license_labels Labels associated with the license used on this server.
licenseKeys License key unique for each license.
licenseSignature Hash signature for the license used on this server.
licenseState Specifies the status of the license, which can be either OK or Expired.
master_guid Globally unique identifier for this server.
max_users Maximum number of users on the instance.
mode Indicates whether the server is a dedicated forwarder. Possible values are:
  • normal
  • dedicated forwarder
numberOfCores Server number of processor cores. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_build Software build for the server os_version. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_name Server operating system. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_version Server operating system version. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
physicalMemoryMB Server physical memory (MB). The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
product_type Splunk software product type. One of the following values.
  • enterprise
  • hunk
  • lite
  • lite_free
  • splunk
rtsearch_enabled Indicates if real-time search is enabled for the instance on this server.
server_roles Zero or more of the following possible server roles.
  • indexer
  • universal_forwarder
  • heavyweight_forwarder
  • lightweight_forwarder
  • license_master
  • license_slave
  • cluster_master
  • cluster_slave
  • cluster_search_head
  • deployment_server
  • deployment_client
  • search_head
  • search_peer
  • shc_captain
  • shc_deployer
  • shc_member

See also: server/roles endpoint.

serverName Server DNS domain name.
startup_time Server platform start time, in seconds since January 1, 1970 (UNIX epoch).
version os_build software version number. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead.

Example request and response


XML Request

curl -k -u admin:changed https://10.140.53.114:8089/services/server/info

XML Response


  <title>server-info</title>
  <id>https://localhost:8089/services/server/info</id>
  <updated>2016-09-08T17:49:52-07:00</updated>
  <generator build="19e4b5854495" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/info/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>server-info</title>
    <id>https://localhost:8089/services/server/info/server-info</id>
    <updated>2016-09-08T17:49:52-07:00</updated>
    <link href="/services/server/info/server-info" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/info/server-info" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="activeLicenseGroup">Trial</s:key>
        <s:key name="activeLicenseSubgroup">Production</s:key>
        <s:key name="addOns">
          <s:dict>
            <s:key name="hadoop">
              <s:dict>
                <s:key name="parameters">
                  <s:dict>
                    <s:key name="erp_type">report</s:key>
                    <s:key name="guid">C6AAF586-93E0-451B-914B-F63A8BBC7282</s:key>
                    <s:key name="maxNodes">200</s:key>
                  </s:dict>
                </s:key>
                <s:key name="type">external_results_provider</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="build">19e4b5854495</s:key>
        <s:key name="cpu_arch">x86_64</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">0</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="guid">B4E173F1-034A-4D46-9DDC-ECF0016F165E</s:key>
        <s:key name="host">docs-unix-4</s:key>
        <s:key name="host_fqdn">docs-unix-4</s:key>
        <s:key name="isForwarding">0</s:key>
        <s:key name="isFree">0</s:key>
        <s:key name="isTrial">1</s:key>
        <s:key name="kvStoreStatus">ready</s:key>
        <s:key name="licenseKeys">
          <s:list>
            <s:item>6D234F85995D32F1830F3123AF3826FCC7F0B3DF7CFE460562773A3ECD08DA51</s:item>
          </s:list>
        </s:key>
        <s:key name="licenseSignature">81239ffa950c89dde6de2970bb25438c4</s:key>
        <s:key name="licenseState">OK</s:key>
        <s:key name="license_labels">
          <s:list>
            <s:item>Splunk Enterprise + Hunk Download Trial</s:item>
          </s:list>
        </s:key>
        <s:key name="master_guid">B4E234F1-02AA-4D46-9DDC-ECF0016F165E</s:key>
        <s:key name="max_users">4294967295</s:key>
        <s:key name="mode">normal</s:key>
        <s:key name="numberOfCores">8</s:key>
        <s:key name="numberOfVirtualCores">8</s:key>
        <s:key name="os_build">#1 SMP Thu Feb 9 12:45:44 EST 2012</s:key>
        <s:key name="os_name">Linux</s:key>
        <s:key name="os_name_extended">Linux</s:key>
        <s:key name="os_version">2.6.18-274.18.1.el5</s:key>
        <s:key name="physicalMemoryMB">7982</s:key>
        <s:key name="product_type">enterprise</s:key>
        <s:key name="rtsearch_enabled">1</s:key>
        <s:key name="serverName">docs-unix-4</s:key>
        <s:key name="server_roles">
          <s:list>
            <s:item>indexer</s:item>
            <s:item>license_master</s:item>
            <s:item>kv_store</s:item>
          </s:list>
        </s:key>
        <s:key name="startup_time">1473344210</s:key>
        <s:key name="staticAssetId">630EA7F9747711232091234BF3B6F9916315C2C368C8D61EF4B986BE1F28E7E0</s:key>
        <s:key name="version">6.5.0</s:key>
      </s:dict>
    </content>
  </entry>



server/introspection

https://<host>:<mPort>/services/server/introspection

Access system introspection artifacts.

See also the following associated endpoints.


GET

List introspection resources.

Request parameters
None

Returned values
The endpoint returns a list of introspection artifacts.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection

XML Response

...
<title></title>
 <id>https://localhost:8089/services/server/introspection</id>
 <updated>2014-08-04T11:40:23-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>indexer</title>
   <id>https://localhost:8089/services/server/introspection/indexer</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/indexer" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/indexer" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>kvstore</title>
   <id>https://localhost:8089/services/server/introspection/kvstore</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/kvstore" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore" rel="list"/>
   <link href="/services/server/introspection/kvstore/_reload" rel="_reload"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>pipelines</title>
   <id>https://localhost:8089/services/server/introspection/pipelines</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/pipelines" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/pipelines" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>processors</title>
   <id>https://localhost:8089/services/server/introspection/processors</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/processors" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/processors" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>queues</title>
   <id>https://localhost:8089/services/server/introspection/queues</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/queues" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/queues" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>



server/introspection/indexer

https://<host>:<mPort>/services/server/introspection/indexer

Access the current indexer status.

See also server/introspection.

GET

Get indexer status information.


Request parameters
None


Returned values

Name Description
average_KBps Average indexer throughput (kbps).
reason Status explanation. For a normal status, returns "." (a single period). The following examples show possible abnormal status reasons.
"idx=<indexerName> Throttling indexer, too many tsidx files in bucket=<bucketName>. Is splunk-optimize working? If not, low disk space may be the cause."
"You are low in disk space on partition <partitionName>. Indexing is paused. Will resume when free disk space rises above <minFreeMB>."
status Current indexer status. One of the following values.
  • normal
  • throttled
  • stopped

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/indexer

XML Response

...
 <title>introspection-indexer</title>
 <id>https://localhost:8089/services/server/introspection/indexer</id>
 <updated>2014-08-04T11:43:04-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>indexer</title>
   <id>https://localhost:8089/services/server/introspection/indexer/indexer</id>
   <updated>2014-08-04T11:43:04-07:00</updated>
   <link href="/services/server/introspection/indexer/indexer" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/indexer/indexer" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="average_KBps">0.517667</s:key>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="reason">.</s:key>
       <s:key name="status">nominal</s:key>
     </s:dict>
   </content>
 </entry>



server/introspection/kvstore

https://<host>:<mPort>/services/server/introspection/kvstore


Access app KV store resources.

See also server/introspection.


GET

List app KV store resources.


Request parameters
None

Returned values
Lists the following app /server/introspection/kvstore resources.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore

XML Response

...
 <title></title>
 <id>https://localhost:8089/services/server/introspection/kvstore</id>
 <updated>2014-08-20T14:06:12-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>collectionstats</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/collectionstats" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/collectionstats" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>replicasetstats</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/replicasetstats" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/replicasetstats" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>serverstatus</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/serverstatus" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/serverstatus" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>



server/introspection/kvstore/collectionstats

https://<host>:<mPort>/services/server/introspection/kvstore/collectionstats


Get storage statistics for a collection.

See also the following associated endpoints.


GET

Get collection storage statistics.


Request parameters
None


Returned values

Name Description
data Returns the following JSON document.
  • count - Number of collection documents or objects.
  • indexSizes - Key and size of every index on the collection.
  • lastExtentSize - Size of last allocated extent.
  • nindexes - Number of indexes on the collection.
  • ns - Current collection namespace.
  • numExtents - Number of contiguously allocated data file regions.
  • paddingFactor - Amount of space added to each document.
  • size - Collection records total size.
  • storageSize - Collection document storage allocation.
  • systemFlags - Collection flags that reflect internal server options.
  • totalIndexSize - Size of all indexes.
  • userFlags - Collection flags set by user.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/collectionstats

XML Response

<title>kvstore-collectionstats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id>
<updated>2014-08-20T14:31:42-07:00</updated>
<generator build="226873" version="6.2"/>
<author>
 <name>Splunk</name>
</author>
... opensearch nodes elided ...
 <title>collectionStats</title>
 <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats/collectionStats</id>
 <updated>2014-08-20T14:31:42-07:00</updated>
 <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="alternate"/>
 <author>
   <name>system</name>
 </author>
 <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="list"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="data">
       <s:list>
         <s:item>
         {"ns":"search.kvstoredemo",
          "count":0,
          "size":0,
          "storageSize":8192,
          "numExtents":1,
          "nindexes":2,
          "lastExtentSize":8192,
          "paddingFactor":1,
          "systemFlags":1,
          "userFlags":1,
          "totalIndexSize":16352,
          "indexSizes":{"_id_":8176,"_UserAndKeyUniqueIndex":8176},
          "ok":1}
         </s:item>
       </s:list>
     </s:key>
     <s:key name="eai:acl"> ... elided ...</s:key>
   </s:dict>
 </content>
</entry>



server/introspection/kvstore/replicasetstats

https://<host>:<mPort>/services/server/introspection/kvstore/replicasetstats


Get the status of the replica set from the point of view of the current server.

See also the following associated endpoints.


GET

Get the status of the replica set from the point of view of the current server.

Request parameters
None

Returned values

Name Description
data Returns the following JSON document.
  • set - Replica set name, as set in the server.conf file.
  • date - Current time in ISO format.
  • myState - Startup process, basic operations, and potential error states:
    • 0 STARTUP Initial member state. Cannot vote.
    • 1 PRIMARY Only member that can accept write operations. Can vote.
    • 2 SECONDARY Data store replication member. Can vote.
    • 3 RECOVERING Members perform startup self-checks, or transition from completing a rollback or resync. Can vote.
    • 4 FATAL Unrecoverable error encountered. Cannot vote.
    • 5 STARTUP2 Forks replication and election threads before becoming a secondary. Cannot vote.
    • 6 UNKNOWN Never connected to replica set. Cannot vote.
    • 7 ARBITER Participate in elections, do not replicate data. Can vote.
    • 8 DOWN Cannot be accessed by the set. Cannot vote.
    • 9 ROLLBACK Performs rollback. Can vote.
    • 10 REMOVED Removed from the replica set. Cannot vote.
  • members - Descriptions of members of replica set:
    • _id - Member ID.
    • name - Server name.
    • health - Status: 1 = up, 0 = down.
    • state - Replica state (see myState).
    • stateStr - String representation of state.
    • uptime - Online interval (seconds).
    • optime - Information about last operations log operation.
      • t - 32-bit timestamp of last operation.
      • i - Number of operations since the last timestamp.
    • optimeDate - Time of last operations log operation in ISO format.
    • lastHeartbeat - Transmission time of last heartbeat in ISO format.
    • lastHeartbeatRecv - Time last heartbeat received in ISO format.
    • pingMs - Round-trip packet time (msec).
    • syncingTo - On secondary and recovering members, hostname of member from which this instance is syncing.
  • ok - Command return status: 1 = Success, 0 = Failure.
  • oplogInfo - Operations log information:
    • start - Start time.
    • end - End time.
    • collectionStats - Collection storage statistics:
      • ns - Current collection namespace.
      • count - Number of collection documents or objects.
      • size - Collection records total size.
      • avgObjSize - Average object size in collection (bytes).
      • storageSize - Collection document storage allocation.
      • numExtents - Number of contiguously allocated data file regions.
      • nindexes - Number of indexes on the collection.
      • lastExtentSize - Size of last allocated extent.
      • paddingFactor - Amount of space added to each document.
      • systemFlags - Collection flags that reflect internal server options.
      • userFlags - Collection flags set by user.
      • totalIndexSize - Size of all indexes.
      • indexSizes - Key and size of every index on the collection.
      • capped - Capped setting: true = capped, false = not capped.
      • max - Max collection size.
      • ok - Command return status: 1 = Success, 0 = Failure.
    • sources - Operations log sources.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/replicasetstats

XML Response

...
<title>replicasetstats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats/replicasetstats</id>
<updated>2014-08-20T14:31:42-07:00</updated>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="alternate"/>
<author>
  <name>system</name>
</author>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="list"/>
<content type="text/xml">
  <s:dict>
    <s:key name="data">
      <s:list>
        <s:item>
           {
             "replSetStats": {
               "set": "splunkrs",
               "date": 1412203576000, 
               "myState": 2,
               "syncingTo": "54.xxx.xxx.xxx:8191",
               "members": [
                 {
                   "_id": 2,
                   "name": "54.xxx.xxx.xxx:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203575000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.xxx:8191"
                 },
                 {
                   "_id": 3,
                   "name": "54.xxx.xxx.yyy:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203576000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.yyy:8191"
                 },
                         .
                         .
                         .
                       elided
                         .
                         .
                         .
                 {
                   "_id": 17,
                   "name": "54.xxx.xxx.zzz:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203574000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.zzz:8191"
                 }
               ],
               "ok": 1
             },
             "oplogInfo": {
               "start": 1412022009000,
               "end": 1412101153000,
               "collectionStats": {
                 "ns": "local.oplog.rs",
                 "count": 631,
                 "size": 166964,
                 "avgObjSize": 264,
                 "storageSize": 1048580080,
                 "numExtents": 3,
                 "nindexes": 0,
                 "lastExtentSize": 4096,
                 "paddingFactor": 1,
                 "systemFlags": 0,
                 "userFlags": 0,
                 "totalIndexSize": 0,
                 "indexSizes": {},
                 "capped": true,
                 "max": 9223372036854775808.000000,
                 "ok": 1
               },
               "sources": {}
             }
           }
       </s:item>
      </s:list>
    </s:key>
    <s:key name="eai:acl"> ... elided ...</s:key>
  </s:dict>
</content>
</entry>
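
The state table and member fields above can drive a replica-set health check. The following is an added example, not Splunk's code: it parses a constructed response and reports members that are down, in a non-steady state, or late with heartbeats. The host names, the STEADY set, the 10-second heartbeat threshold, the namespace URIs in the sample, and the reading of date and lastHeartbeatRecv as epoch milliseconds (as in the sample response) are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# myState / members[].state codes -> (name, can vote), from the table above.
STATES = {
    0: ("STARTUP", False), 1: ("PRIMARY", True), 2: ("SECONDARY", True),
    3: ("RECOVERING", True), 4: ("FATAL", False), 5: ("STARTUP2", False),
    6: ("UNKNOWN", False), 7: ("ARBITER", True), 8: ("DOWN", False),
    9: ("ROLLBACK", True), 10: ("REMOVED", False),
}
STEADY = {1, 2, 7}  # assumption: states this example treats as normal operation

# Constructed sample response (hosts, values and namespace URIs are assumptions).
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
 <entry>
  <title>replicasetstats</title>
  <content type="text/xml">
   <s:dict>
    <s:key name="data">
     <s:list>
      <s:item>
      {"replSetStats": {"set": "splunkrs", "date": 1412203576000, "myState": 2,
        "members": [
          {"_id": 0, "name": "kv1.example.test:8191", "health": 1, "state": 1,
           "stateStr": "PRIMARY", "lastHeartbeatRecv": 1412203575000},
          {"_id": 1, "name": "kv2.example.test:8191", "health": 1, "state": 2,
           "stateStr": "SECONDARY", "lastHeartbeatRecv": 1412203575000},
          {"_id": 2, "name": "kv3.example.test:8191", "health": 0, "state": 8,
           "stateStr": "DOWN", "lastHeartbeatRecv": 1412203500000}],
        "ok": 1},
       "oplogInfo": {"start": 1412022009000, "end": 1412101153000}}
      </s:item>
     </s:list>
    </s:key>
   </s:dict>
  </content>
 </entry>
</feed>"""


def local_name(tag):
    """Strip the XML namespace so the lookup works whatever prefix is bound."""
    return tag.rsplit("}", 1)[-1]


def extract_data(xml_text):
    """Return the JSON document held in <s:key name="data"><s:list><s:item>."""
    # The response comes from your own management port; for XML from an
    # untrusted source, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(xml_text)
    for key in root.iter():
        if local_name(key.tag) == "key" and key.get("name") == "data":
            for item in key.iter():
                if local_name(item.tag) == "item" and item.text:
                    return json.loads(item.text)
    raise ValueError('response has no <s:key name="data"> item')


def assess(doc, max_heartbeat_lag_ms=10_000):
    """Reduce replSetStats to findings: (subject, issue, detail) tuples."""
    rs = doc["replSetStats"]
    findings = []
    if rs.get("ok") != 1:
        findings.append((rs.get("set"), "command_failed", f"ok={rs.get('ok')}"))

    my_state, _ = STATES.get(rs.get("myState"), ("UNDOCUMENTED", False))
    if rs.get("myState") not in STEADY:
        findings.append(("local", "state", my_state))

    has_primary = rs.get("myState") == 1
    voters_up = 0  # counts only the members listed in the response
    for m in rs.get("members", []):
        state, can_vote = STATES.get(m.get("state"), ("UNDOCUMENTED", False))
        has_primary = has_primary or m.get("state") == 1
        if m.get("health") != 1:
            findings.append((m["name"], "down", state))
        else:
            voters_up += 1 if can_vote else 0
            if m.get("state") not in STEADY:
                findings.append((m["name"], "state", state))
        # Heartbeat age relative to the server's own clock ("date").
        seen = m.get("lastHeartbeatRecv")
        if seen is not None and rs["date"] - seen > max_heartbeat_lag_ms:
            findings.append((m["name"], "heartbeat_lag", f"{rs['date'] - seen} ms"))
    if not has_primary:
        # Only a PRIMARY accepts writes, so KV store writes cannot succeed.
        findings.append((rs.get("set"), "no_primary", "no member reports PRIMARY"))

    oplog = doc.get("oplogInfo", {})
    window_s = None
    if "start" in oplog and "end" in oplog:
        window_s = (oplog["end"] - oplog["start"]) / 1000
    return {"findings": findings, "has_primary": has_primary,
            "voting_members_up": voters_up, "oplog_window_s": window_s}


if __name__ == "__main__":
    for finding in assess(extract_data(SAMPLE))["findings"]:
        print(*finding, sep=" | ")
```
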



server/introspection/kvstore/serverstatus

https://<host>:<mPort>/services/server/introspection/kvstore/serverstatus

Get an overview of the database process state.

Monitoring applications periodically run this command to get statistical information about the database instance.

See also the following associated endpoints.


GET

Get an overview of the database process state.


Request parameters
None

Returned values
The response data is platform-dependent.

Name Description
data Returns the following CDATA items.
  • asserts - Number of database assertions since the server process started, for each of the following levels/types:
    • regular
    • warning
    • msg
    • user
    • rollovers
  • backgroundFlushing - Write to disk flush metrics:
    • flushes - Number of times writes flushed.
    • total_ms - Number of msec processes used to flush writes.
    • average_ms - Relationship between flushes and total_ms, in msec.
    • last_ms - Number of msec the last flush took.
    • last_finished (date) - ISO time of last completed write flush operation.
  • connections - Current incoming connections status and database availability:
    • current - Number of active client connections.
    • available - Number of unused connections available.
    • totalCreated - Total number of connections created, including closed connections.
  • cursors - [DEPRECATED] Current cursor and state. Use metrics, instead.
  • dur - (Durability) Journaling-related operations and performance (journaling must be enabled):
    • commits - Number of transactions written to the journal during the last group commit interval.
    • journaledMB - Amount of data (MB) written to the journal during the last group commit interval.
    • writeToDataFilesMB - Amount of data (MB) written from journal to data files during the last group commit interval.
    • compression - Compression ratio of data written to journal: (journaled_size_of_data / uncompressed_size_of_data)
    • commitsInWriteLock - Number of commits that occurred during a write lock.
    • earlyCommits - Number of commits requested before scheduled group commit time.
    • timeMs: Performance during various journaling phases.
      • dt - Data collection interval (msec).
      • prepLogBuffer - Time spent preparing to write to journal (msec).
      • writeToJournal - Time spent writing to journal (msec).
      • writeToDataFiles - Time spent writing to data files after journaling (msec).
      • remapPrivateView - Time spent remapping copy-on-write memory mapped views (msec).
  • extra_info - Platform-specific information:
    • note - Platform-specific information.
    • heap_usage_bytes - Total heap space size used by database (bytes). Applicable to *nix systems, only.
    • page_faults - Total number of page faults that require disk operations.
  • globalLock - Information about the current database lock state, historical lock status, and active clients:
    • totalTime - Time since database started and globalLock creation (usec).
    • lockTime - Time since database started that globalLock has been held (usec).
    • currentQueue: Information about operations queued because of a lock.
      • total - Total number of operations queued waiting on readers and writers locks.
      • readers - Number of operations queued waiting for read lock.
      • writers - Number of operations queued waiting for write lock.
    • activeClients: Information about number and operation types of connected clients.
      • total - Total number of readers and writers connections.
      • readers - Number of connected clients performing read operations.
      • writers - Number of connected clients performing write operations.
  • host - Hostname and port number.
  • indexCounters - Index usage counters:
    • accesses - Number of times operations accessed indexes.
    • hits - Number of times index accessed and returned from memory.
    • misses - Number of attempts to access index not in memory.
    • resets - Number of times index counters reset since database last started.
    • missRatio - Ratio of hits to misses.
  • localTime - ISO-formatted local time.
  • locks - State and read/write use of global and database-specific locks:
    • timeLockedMicros - Amount of time a lock existed, for all databases of this server instance (usec).
    • timeAcquiringMicros - Amount of time operations spend waiting for a lock, for all databases of this server instance (usec).
    • admin: Lock use in the admin database.
      • timeLockedMicros - Amount of time locks existed in the admin database context (usec).
      • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the admin database context (usec).
    • local: Lock use in the local database.
      • timeLockedMicros - Amount of time locks existed in the local database context (usec).
      • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the local database context (usec).
    • search.<collection>: Locks used in each collection.
      • timeLockedMicros - Amount of time locks exist in the collection context (usec).
      • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the collection context (usec).
  • mem - Memory usage: System architecture and memory usage metrics.
    • bits - System address architecture: 32 or 64 bit architecture.
    • resident - Amount of RAM currently used by the database process (MB).
    • virtual - Amount of virtual memory used (MB).
    • supported: true = supports extended memory information, false = does not support extended memory information.
    • mapped - Amount of mapped memory for database (MB).
    • mappedWithJournal - Amount of mapped memory, including journaling memory (MB). Always twice the size of mapped.
  • metrics - Current instance use and state:
    • cursor: Cursor state and use.
      • timedOut - Total number of cursors that have timed out since the server process started.
      • open: Information about open cursors.
        • noTimeout - Number of open cursors with option set to prevent timeout after a period of inactivity.
        • pinned - Number of pinned open cursors.
        • total - Number of cursors maintained for clients, typically less than zero.
    • document: Information about document access and modification patterns and data use. Compare these values to opcounters data, which track total number of operations.
      • deleted - Total number of deleted documents.
      • inserted - Total number of inserted documents.
      • returned - Total number of documents returned by queries.
      • updated - Total number of updated documents.
    • getLastError: Information about getLastError use.
      • wtime: getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
        • num - getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
        • totalMillis - Amount of time spent performing getLastError operations with write concern that wait for one or more members of a replica set to acknowledge the write operation (msec).
      • wtimeouts - Number of times write concern operations timed out as a result of the wtimeout threshold to getLastError.
    • operation: Counters for several types of update and query operations handled using special operation types.
      • fastmod - Number of update operations that neither cause documents to grow nor require updates to the index.
      • idhack - Number of queries that contain the _key field.
      • scanAndOrder - Number of queries that return sorted numbers that cannot perform the sort operation using an index.
    • queryExecutor: Data from the query execution system.
      • scanned - Number of index items scanned during queries and query-plan evaluation.
      • scannedObjects - Total number of documents scanned during the query.
    • record: Data related to record allocation in the on-disk memory files.
      • moves - Number of times documents move within the on-disk representation of the data set. Documents move as a result of operations that increase the size of the document beyond their allocated record size.
    • repl: Metrics related to the ordered history of logical writes.
      • apply: Information about the application of ordered history of logical writes.
        • batches: Information on the ordered history of logical writes application process on secondary members of replica sets.
          • num - Number of batches applied across all databases.
          • totalMillis - Amount of time spent applying ordered history of logical write operations (msec).
        • ops - Number of ordered history of logical write operations.
      • buffer: Information to track the ordered history of logical write operations buffer.
        • count - Number of operations on the ordered history of logical writes buffer.
        • maxSizeBytes - Maximum size of the ordered history of logical writes buffer.
        • sizeBytes - Current size of the contents of the ordered history of logical writes buffer.
      • network: Network use information for the replication process.
        • bytes - Amount of data read from the replication sync source (bytes).
        • getmores: Information about queries for additional results from the ordered history of logical write operations cursor as part of the replication process.
          • num - Number of queries for additional results from the ordered history of logical write operations, which are operations that request an additional set of operations from the replication sync source.
          • totalMillis - Amount of time to collect data from queries for additional results from the ordered history of logical write operations (msec).
        • ops - Number of operations read from the replication source.
        • readersCreated - Number of queries for additional results from the ordered history of logical write operations processes created.
      • preload: Information about replication pre-fetch.
        • docs: Information about documents loaded into memory during replication pre-fetch.
          • num - Number of documents loaded during replication pre-fetch.
          • totalMillis - Amount of time spent loading documents as part of replication pre-fetch (msec).
        • indexes: Information about index items loaded into memory during replication pre-fetch.
          • num - Number of index entries loaded by members before updating documents as part of replication pre-fetch.
          • totalMillis - Amount of time spent loading index entries as part of replication pre-fetch (msec).
    • storage: Freelist behavior monitoring statistics.
      • freelist: Freelist bucket behavior monitoring statistics.
        • search: Freelist bucket behavior monitoring search statistics.
          • bucketExhausted - Number of times bucket fully searched, requiring advance to next bucket.
          • requests - Number of times the allocation function was called.
          • scanned - Number of freelist bucket entries examined.
    • ttl: Information about resource use of the ttl index process.
      • deletedDocuments - Number of documents deleted from collections with a ttl index.
      • passes - Number of times background process removes documents from collections with a ttl index.
  • network - Network use and state:
    • bytesIn - Amount of network traffic received by this database (bytes).
    • bytesOut - Amount of network traffic sent from this database (bytes).
    • numRequests - Number of distinct requests received by the server.
  • ok - Command return status: 1 = Success, 0 = Failure.
  • opcounters - Overview of database operations by type, similar to opcountersRepl:
    • insert - Number of insert operations since instance started.
    • query - Number of queries since instance started.
    • update - Number of update operations since instance started.
    • delete - Number of delete operations since instance started.
    • getmore - Number of getmore operations since instance started.
    • command - Number of commands issued since instance started.
  • opcountersRepl - Overview of replication operations by type, similar to opcounters:
    • insert - Number of replicated insert operations since instance started.
    • query - Number of replicated queries since instance started.
    • update - Number of replicated update operations since instance started.
    • delete - Number of replicated delete operations since instance started.
    • getmore - Number of replicated getmore operations since instance started.
    • command - Number of replicated commands issued since instance started.
  • pid - Process ID.
  • recordStats - Page fault statistics:
    • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for all databases.
    • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for all databases.
    • admin: Admin database page fault statistics.
      • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the admin database.
      • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the admin database.
    • local: Local database page fault statistics.
      • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the local database.
      • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the local database.
    • search.<collection>: Search database page fault statistics.
      • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the search database.
      • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the search database.
  • uptime - Amount of time database process has been active (seconds).
  • uptimeEstimate - Amount of time database process has been active as calculated from the internal, coarse-grained time keeping system (seconds).
  • uptimeMillis - Amount of time database process has been active (msec).
  • version - Version number (not used).
  • writeBacksQueued - Write-backs queued status: true = write-backs queued, false = write-backs not queued.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/serverstatus

XML Response

...
 <title>serverStatus</title>
 <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus/serverStatus</id>
 <updated>2014-08-20T14:26:42-07:00</updated>
 <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="alternate"/>
 <author>
   <name>system</name>
 </author>
 <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="list"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="data">
       <![CDATA[{
"host":"localhost:8089", "version":"2.6.3", "pid":23009, "uptime":19049, "uptimeMillis":19049447, "uptimeEstimate":18295, "localTime":{"$date":1408570002615}, "asserts":{ "regular":0, "warning":0, "msg":0, "user":0, "rollovers":0}, "backgroundFlushing":{ "flushes":317, "total_ms":11523, "average_ms":36.350158, "last_ms":0, "last_finished":{"$date":1408569973325}}, "connections":{ "current":7, "available":3269, "totalCreated":7}, "cursors":{ "note":"deprecated, use server status metrics", "clientCursors_size":0, "totalOpen":0, "pinned":0, "totalNoTimeout":0, "timedOut":0}, "dur":{ "commits":30, "journaledMB":0, "writeToDataFilesMB":0, "compression":0, "commitsInWriteLock":0, "earlyCommits":0, "timeMs":{ "dt":3072, "prepLogBuffer":0, "writeToJournal":0, "writeToDataFiles":0, "remapPrivateView":0}}, "extra_info":{ "note":"fields vary by platform", "heap_usage_bytes":67624592, "page_faults":3}, "globalLock":{ "totalTime":19049447000, "lockTime":1491098, "currentQueue":{ "total":0, "readers":0, "writers":0}, "activeClients":{ "total":0, "readers":0, "writers":0}}, "indexCounters":{ "accesses":2, "hits":2, "misses":0, "resets":0, "missRatio":0}, "locks":{ ".":{ "timeLockedMicros":{ "R":2926340, "W":1491098}, "timeAcquiringMicros":{ "R":1458997, "W":342703}}, "admin":{ "timeLockedMicros":{ "r":103638, "w":0}, "timeAcquiringMicros":{ "r":13202, "w":0}}, "local":{ "timeLockedMicros":{ "r":426518, "w":237}, "timeAcquiringMicros":{ "r":185505, "w":12}}, "search.kvstoredemo":{ "timeLockedMicros":{ "r":2832888, "w":292}, "timeAcquiringMicros":{ "r":1310820, "w":17}}}, "network":{ "bytesIn":1133611, "bytesOut":11628162, "numRequests":12070}, "opcounters":{ "insert":1, "query":4760, "update":0, "delete":0, "getmore":0, "command":8264}, "opcountersRepl":{ "insert":0, "query":0, "update":0, "delete":0, "getmore":0, "command":0}, "recordStats":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0, "admin":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "local":{ 
"accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "search.kvstoredemo":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}}, "writeBacksQueued":false, "mem":{ "bits":64, "resident":58, "virtual":325, "supported":true, "mapped":64, "mappedWithJournal":128}, "metrics":{ "cursor":{ "timedOut":0, "open":{ "noTimeout":0, "pinned":0, "total":0}}, "document":{ "deleted":0, "inserted":1, "returned":2, "updated":0}, "getLastError":{ "wtime":{ "num":0, "totalMillis":0}, "wtimeouts":0}, "operation":{ "fastmod":0, "idhack":0, "scanAndOrder":0}, "queryExecutor":{ "scanned":0, "scannedObjects":0}, "record":{"moves":0}, "repl":{ "apply":{ "batches":{ "num":0, "totalMillis":0}, "ops":0}, "buffer":{ "count":0, "maxSizeBytes":268435456, "sizeBytes":0}, "network":{ "bytes":0, "getmores":{ "num":0, "totalMillis":0}, "ops":0, "readersCreated":0}, "preload":{ "docs":{ "num":0, "totalMillis":0}, "indexes":{ "num":0, "totalMillis":0}}}, "storage":{ "freelist":{ "search":{ "bucketExhausted":0, "requests":0, "scanned":0}}}, "ttl":{ "deletedDocuments":0, "passes":317}}, "ok":1}]]>

     </s:key>
     <s:key name="eai:acl"> ... elided ... </s:key>
   </s:dict>
 </content>
</entry>



server/introspection/search/dispatch

https://<host>:<mPort>/services/server/introspection/search/dispatch 

Provides vital statistics for the distributed search framework, including details on search peer performance.


GET

Enumerate scheduled search details.


Request parameters
None

Returned values

Name Description
Bundle_Directory_Reaper_Average_Time(ms) Average time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Bundle_Directory_Reaper_Max_Time(ms) Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Compute_User_Search_Quota_Average_Time(ms) Average time for computing user search quota.
Compute_User_Search_Quota_Max_Time(ms) Maximum time for computing user search quota.
Dispatch_Directory_Reaper_Average_Time(ms) Average time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Dispatch_Directory_Reaper_Max_Time(ms) Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Search_StartUp_Time_Average_Time(ms) Average time for preprocessing before search startup. Counted from time search state is set to RUNNING.

Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.

Search_StartUp_Time_Max_Time(ms) Maximum time for preprocessing before search startup. Counted from time search state is set to RUNNING.

Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.


Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch

XML Response

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search/dispatch</id>
  <updated>2015-08-27T13:49:04-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>4</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Bundle_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Bundle_Directory_Reaper</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Bundle_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Bundle_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bundle_Directory_Reaper_Average_Time(ms)">1.000000</s:key>
        <s:key name="Bundle_Directory_Reaper_Max_Time(ms)">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Compute_User_Search_Quota</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Compute_User_Search_Quota_Average_Time(ms)">2.500000</s:key>
        <s:key name="Compute_User_Search_Quota_Max_Time(ms)">4</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Dispatch_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Dispatch_Directory_Reaper_Average_Time(ms)">5.400000</s:key>
        <s:key name="Dispatch_Directory_Reaper_Max_Time(ms)">16</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Search_StartUp_Time</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Search_StartUp_Time</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Search_StartUp_Time" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Search_StartUp_Time" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Search_StartUp_Time_Average_Time(ms)">136.750000</s:key>
        <s:key name="Search_StartUp_Time_Max_Time(ms)">185</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
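
The response above nests the timing metrics and the `eai:acl` block inside `s:dict`, `s:key` and `s:list` elements. The following Python code is an added example, not part of the Splunk documentation: it decodes that structure, extracts the `(ms)` metrics, and lists entries whose ACL grants write to the `*` wildcard. The names `fetch_feed`, `parse_feed`, `wildcard_write`, the `ca_file` parameter and the sample feed are assumptions made for illustration; `fetch_feed` verifies the server certificate instead of skipping verification as `curl -k` does.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: two entries trimmed from the response above. The second
# entry's write list is emptied here (an edit for contrast, not page output).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>introspection-dispatchreaper</title>
  <entry>
    <title>Bundle_Directory_Reaper</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bundle_Directory_Reaper_Average_Time(ms)">1.000000</s:key>
        <s:key name="Bundle_Directory_Reaper_Max_Time(ms)">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
              </s:dict>
            </s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Search_StartUp_Time</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="Search_StartUp_Time_Average_Time(ms)">136.750000</s:key>
        <s:key name="Search_StartUp_Time_Max_Time(ms)">185</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list/></s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def fetch_feed(url, username, password, ca_file):
    """GET an endpoint with basic auth and TLS verification against ca_file
    (assumed: a PEM bundle containing the CA that signed the splunkd cert)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


def decode(node):
    """Convert an <s:key> or <s:item> node into a str, list or dict."""
    child = next(iter(node), None)
    if child is None:
        return node.text or ""          # leaf value, e.g. "1.000000" or ""
    if child.tag == S + "dict":
        return {k.get("name"): decode(k) for k in child.findall(S + "key")}
    if child.tag == S + "list":
        return [decode(i) for i in child.findall(S + "item")]
    raise ValueError("unexpected element " + child.tag)


def parse_feed(xml_text):
    """Map each entry title to its (ms) metrics (as floats) and its eai:acl."""
    entries = {}
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        top = entry.find("atom:content/s:dict", NS)
        if top is None:
            continue
        fields = {k.get("name"): decode(k) for k in top.findall("s:key", NS)}
        acl = fields.get("eai:acl") or {}
        metrics = {n: float(v) for n, v in fields.items() if n.endswith("(ms)")}
        entries[entry.findtext("atom:title", namespaces=NS)] = {
            "metrics": metrics, "acl": acl}
    return entries


def wildcard_write(entries):
    """Titles of entries whose ACL lists '*' under perms/write."""
    flagged = []
    for title, entry in entries.items():
        perms = entry["acl"].get("perms") or {}
        if "*" in (perms.get("write") or []):
            flagged.append(title)
    return sorted(flagged)
```
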



server/introspection/search/dispatch/Bundle_Directory_Reaper

https://<host>:<mPort>/services/server/introspection/search/dispatch/Bundle_Directory_Reaper

Get average and maximum time for the dispatch reaper to walk the search peer directory and reap obsolete bundles.


GET

Enumerate routine distributed search method execution times for each peer.

Request parameters
None

Returned values

Name Description
Bundle_Directory_Reaper_Average_Time(ms) Average time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Bundle_Directory_Reaper_Max_Time(ms) Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles.

Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Bundle_Directory_Reaper

XML Response

...
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search//dispatch</id>
  <updated>2015-08-26T14:24:43-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search//dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Bundle_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search//dispatch/Bundle_Directory_Reaper</id>
    <updated>2015-08-26T14:24:43-07:00</updated>
    <link href="/services/server/introspection/search//dispatch/Bundle_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search//dispatch/Bundle_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bundle_Directory_Reaper_Average_Time(ms)">1.000000</s:key>
        <s:key name="Bundle_Directory_Reaper_Max_Time(ms)">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>



server/introspection/search/dispatch/Compute_User_Search_Quota

https://<host>:<mPort>/services/server/introspection/search/dispatch/Compute_User_Search_Quota

Provides average and maximum time for computing user search quotas.


GET

Enumerate average and maximum time for user search quota computation.

Request parameters
None

Returned values

Name Description
Compute_User_Search_Quota_Average_Time(ms) Average time for computing user search quota.
Compute_User_Search_Quota_Max_Time(ms) Maximum time for computing user search quota.

XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota

XML Response

...
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search/dispatch</id>
  <updated>2015-08-26T14:33:46-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Compute_User_Search_Quota</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota</id>
    <updated>2015-08-26T14:33:46-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Compute_User_Search_Quota_Average_Time(ms)">1.950000</s:key>
        <s:key name="Compute_User_Search_Quota_Max_Time(ms)">4</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>



server/introspection/search/dispatch/Dispatch_Directory_Reaper

https://<host>:<mPort>/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper


Get average and maximum time for the dispatch reaper to walk the dispatch directory and reap stale artifacts.


GET

Show dispatch directory reaper times for reaping stale artifacts.

Request parameters
None

Returned values

Name Description
Dispatch_Directory_Reaper_Average_Time(ms) Average time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Dispatch_Directory_Reaper_Max_Time(ms) Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts.

Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper


XML Response

...
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search/dispatch</id>
  <updated>2015-08-26T14:34:41-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Dispatch_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper</id>
    <updated>2015-08-26T14:34:41-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Dispatch_Directory_Reaper_Average_Time(ms)">4.500000</s:key>
        <s:key name="Dispatch_Directory_Reaper_Max_Time(ms)">10</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>



server/introspection/search/dispatch/Search_StartUp_Time

https://<host>:<mPort>/services/server/introspection/search/dispatch/Search_StartUp_Time

Get average and maximum time for search preprocessing before startup.

Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, Splunk software is ready to wait for responses from indexers.


GET

Enumerate average and maximum time for search preprocessing before startup.

Request parameters
None

Returned values

Name Description
Search_StartUp_Time_Average_Time(ms) Average time for preprocessing before search startup. Counted from time search state is set to RUNNING.
Search_StartUp_Time_Max_Time(ms) Maximum time for preprocessing before search startup. Counted from time search state is set to RUNNING.

Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Search_StartUp_Time

XML Response

...
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search//dispatch</id>
  <updated>2015-08-26T14:25:14-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search//dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Search_StartUp_Time</title>
    <id>https://localhost:8089/services/server/introspection/search//dispatch/Search_StartUp_Time</id>
    <updated>2015-08-26T14:25:14-07:00</updated>
    <link href="/services/server/introspection/search//dispatch/Search_StartUp_Time" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search//dispatch/Search_StartUp_Time" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Search_StartUp_Time_Average_Time(ms)">128.619048</s:key>
        <s:key name="Search_StartUp_Time_Max_Time(ms)">171</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>



server/introspection/search/distributed

https://<host>:<mPort>/services/server/introspection/search/distributed

Get information about the search knowledge bundle replication, if the current instance is the search head. Provides details about maximum and average time to execute routine distributed search methods, including peer info, peer bundles list, and authentication token requests from search heads.


GET

Enumerate routine distributed search method execution times for each peer.

Usage details
The default update period is ten minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file. If startup occurred within the last ten minutes, counts are shown from startup to the current time.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

The following values are listed for each peer.

Name Description
Get_Authentication_Max_Time(ms) Maximum time for search head to get authentication from this peer.
Get_Authentication_Mean_Time(ms) Average time for search head to get authentication from this peer.
Get_BundleList_Max_Time(ms) Maximum time for search head to get bundle list from this peer.
Get_ServerInfo_Max_Time(ms) Maximum time for search head to get server information back from this peer.
Get_ServerInfo_Mean_Time(ms) Average time for search head to get server information back from this peer.

Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/distributed

XML Response

...
  <title>search-distributedmetrics</title>
  <id>https://localhost:8089/services/server/introspection/search/distributed</id>
  <updated>2015-08-26T14:35:48-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/distributed/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>per_searchhead_metrics</title>
    <id>https://localhost:8089/services/server/introspection/search/distributed/per_searchhead_metrics</id>
    <updated>2015-08-26T14:35:48-07:00</updated>
    <link href="/services/server/introspection/search/distributed/per_searchhead_metrics" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/distributed/per_searchhead_metrics" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">0</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>localhost:8089</title>
    <id>https://localhost:8089/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017</id>
    <updated>2015-08-26T14:35:48-07:00</updated>
    <link href="/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Get_Authentication_Max_Time(ms)">4</s:key>
        <s:key name="Get_Authentication_Mean_Time(ms)">3.400000</s:key>
        <s:key name="Get_BundleList_Max_Time(ms)">5</s:key>
        <s:key name="Get_BundleList_Mean_Time(ms)">3.800000</s:key>
        <s:key name="Get_ServerInfo_Max_Time(ms)">14</s:key>
        <s:key name="Get_ServerInfo_Mean_Time(ms)">9.300000</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">0</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>window_metrics</title>
    <id>https://localhost:8089/services/server/introspection/search/distributed/window_metrics</id>
    <updated>2015-08-26T14:35:48-07:00</updated>
    <link href="/services/server/introspection/search/distributed/window_metrics" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/distributed/window_metrics" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="average_bytes">0.000000</s:key>
        <s:key name="average_msecs">0.000000</s:key>
        <s:key name="count">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">0</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>



server/introspection/search/saved

https://<host>:<mPort>/services/server/introspection/search/saved

Access most recent scheduled search priority scores and score calculation adjustments.


GET

Enumerate scheduled search details.

Request parameters
None

Returned values
Note: These response data keys are for informational purposes only. They are subject to change or removal at any time.

Name Description
final_score Most recent calculated priority score, based on adjustments and original score.
name Scheduled search name.
orig_score A score based on a search's originally scheduled run time.
owner Search scope or context owner. This could be a specific user or "nobody" for a search defined in an app or system-level scope.
priority_no Most recent calculated priority number for this search.
real_time_adj Real-time search priority adjustment. Real-time searches default to -80000 and continuous scheduled searches default to 0. This particular value is for internal purposes only and is subject to change.
runtime_adj Calculated value based on average search runtime.
skipped_adj Adjustment for number of times search has been skipped and search period. 0 means the search has not been skipped.
window_adj Adjustment for remaining time in search run window.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/server/introspection/search/saved

XML Response

  <title>introspection-savedsearches</title>
  <id>https://localhost:8089/services/server/introspection/search/saved</id>
  <updated>2015-06-03T16:41:21-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/saved/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>admin;search;search_1</title>
    <id>https://localhost:8089/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1</id>
    <updated>2015-06-03T16:41:21-07:00</updated>
    <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="final_score">1433294868</s:key>
        <s:key name="name">search_1</s:key>
        <s:key name="orig_score">1433374860</s:key>
        <s:key name="owner">admin</s:key>
        <s:key name="priority_no">1</s:key>
        <s:key name="real_time_adj">-80000</s:key>
        <s:key name="runtime_adj">8</s:key>
        <s:key name="skipped_adj">0</s:key>
        <s:key name="window_adj">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>nobody;search;Errors in the last hour</title>
    <id>https://localhost:8089/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour</id>
    <updated>2015-06-03T16:41:21-07:00</updated>
    <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="final_score">1433294980</s:key>
        <s:key name="name">Errors in the last hour</s:key>
        <s:key name="orig_score">1433374860</s:key>
        <s:key name="owner">nobody</s:key>
        <s:key name="priority_no">2</s:key>
        <s:key name="real_time_adj">-80000</s:key>
        <s:key name="runtime_adj">1</s:key>
        <s:key name="skipped_adj">0</s:key>
        <s:key name="window_adj">119</s:key>
      </s:dict>
    </content>
  </entry>



server/status

https://<host>:<mPort>/services/server/status

List server/status child resources.


GET

Enumerate server/status endpoints.


Request parameters
None

Returned values
Returns /server/status/ child endpoints.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status

XML Response

...
 <title></title>
 <id>https://localhost:8089/services/server/status</id>
 <updated>2014-03-25T13:52:59-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>dispatch-artifacts</title>
   <id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/dispatch-artifacts" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/dispatch-artifacts" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>fishbucket</title>
   <id>https://localhost:8089/services/server/status/fishbucket</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/fishbucket" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/fishbucket" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>partitions-space</title>
   <id>https://localhost:8089/services/server/status/partitions-space</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/partitions-space" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/partitions-space" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>



server/status/dispatch-artifacts

https://<host>:<mPort>/services/server/status/dispatch-artifacts

Access search job information.


GET

Get information about dispatched search jobs.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.


Request parameters
None

Returned values

Name Description
count_realtime Jobs active in the immediate past observation period, not including historical jobs.
count_scheduled Jobs active in the immediate past observation period, not including real-time jobs.
count_summary Jobs active in the immediate past observation period, not including non-summary jobs.
top_apps Top 15 apps in the past observation period, in app:count key-value pair format.
top_named_searches Top 15 named searches in the past observation period, in savedSearchName:count key-value pair format.
top_users Top 15 users in the past observation period, in username:count key-value pair format, with count as the number of app contexts for the user.
total_count Number of dispatched search jobs since start-up.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/dispatch-artifacts

XML Response

...
<title>introspection--disk-objects--search-dispatch-artifacts</title>
 <id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
 <updated>2014-03-25T11:10:33-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/status/dispatch-artifacts/result</id>
   <updated>2014-03-25T11:10:33-07:00</updated>
   <link href="/services/server/status/dispatch-artifacts/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/dispatch-artifacts/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="count_realtime">0</s:key>
       <s:key name="count_scheduled">0</s:key>
       <s:key name="count_summary">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="top_apps"/>
       <s:key name="top_named_searches"/>
       <s:key name="top_users"/>
       <s:key name="total_count">0</s:key>
     </s:dict>
   </content>
 </entry>



server/status/fishbucket

https://<host>:<mPort>/services/server/status/fishbucket

Access information about the private BTree database.


GET

Access private BTree database information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.


Request parameters
None

Returned values

Name Description
key_count Number of file input records (keys) seen since start-up.
total_size Total number of file input records (keys).

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/fishbucket

XML Response

...
 <title>introspection--disk-objects--fishbucket</title>
 <id>https://localhost:8089/services/server/status/fishbucket</id>
 <updated>2014-03-25T11:31:10-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/status/fishbucket/result</id>
   <updated>2014-03-25T11:31:10-07:00</updated>
   <link href="/services/server/status/fishbucket/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/fishbucket/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="key_count">0</s:key>
       <s:key name="total_size">0.000</s:key>
     </s:dict>
   </content>
 </entry>



server/status/installed-file-integrity

Check for system file irregularities.

https://<host>:<mPort>/services/server/status/installed-file-integrity


GET

Check file integrity status.

Usage details
The GET request returns cached results for an automatic check of all files installed with the currently running Splunk software version. The check compares currently installed files against the manifest file located in the $SPLUNK_HOME directory. Based on this comparison, the GET response shows an integrity status indicator for each installed file.

By default, this check runs at startup and results are cached when the check completes. The check takes a few minutes to run and results are available after it completes. The response indicates if initial results are not yet ready when the GET request is performed or if the check is disabled.

You can prompt a new check to run by passing in ?refresh=true with the GET request.

To disable the file integrity check, edit the installed_files_integrity setting in the limits.conf file.

Note: Changing or removing the manifest file prevents the check from working.

Request parameters

Name Type Description
refresh Boolean Set to true to perform a new file integrity check. Only one such check can be performed at a time.
regex_filter PCRE regular expression Specify a regular expression to filter results of the check. For example, use regex_filter=\.conf$ to filter results for configuration files.

Returned values
For each installed file, one of the following integrity status indicators is returned.

Indicator Description
<empty> Indicates complete file integrity. No irregularities were found.
access_failed The splunkd process does not have permissions to read the file.
differs The installed file differs from the manifest file.
missing The installed file was not found.
read_failed The installed file comparison failed.
other_open_failed A failure other than failure to access or read was encountered when trying to open the file.

Example request and response


XML Request

curl -k -u admin:changed "https://localhost:8089/services/server/status/installed-file-integrity?refresh=true"

XML Response
The following example is a portion of the response data. The full response lists all installed files and their integrity status.

...

<s:key name="/opt/splunktest/etc/system/README/inputs.conf.example">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/inputs.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/limits.conf.example">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/limits.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/messages.conf.example">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/props.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/savedsearches.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/server.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/user-prefs.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/web.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/bin/field_extractor.py">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/app.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/authorize.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/indexes.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/inputs.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/limits.conf">differs</s:key>

...
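One way to triage this response, as an added example that is not part of the Splunk documentation: the Python below collects every s:key whose name is an absolute file path, separates files whose content changed (differs, missing) from files the check could not inspect, and does not report a clean result when no file records came back. The feed wrapper, its namespace declarations, some of the sample paths and statuses, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

S_KEY = "{http://dev.splunk.com/ns/rest}key"   # s:key in Splunk REST responses
ABS_PATH = re.compile(r"^(/|[A-Za-z]:\\)")      # POSIX or Windows absolute path

# Indicators from the table above that mean the installed content does not match
# the manifest. Every other non-empty indicator is treated as "could not verify".
MODIFIED = {"differs", "missing"}

# Constructed sample: the page shows only a fragment, so it is wrapped here in a
# minimal feed (assumed layout). Statuses other than "differs" are made up.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>result</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl"><s:dict><s:key name="owner">system</s:key></s:dict></s:key>
        <s:key name="/opt/splunktest/bin/splunkd"></s:key>
        <s:key name="/opt/splunktest/etc/system/README/inputs.conf.spec">differs</s:key>
        <s:key name="/opt/splunktest/etc/system/default/authorize.conf">differs</s:key>
        <s:key name="/opt/splunktest/etc/system/default/limits.conf">missing</s:key>
        <s:key name="/opt/splunktest/etc/splunk-launch.conf.default">access_failed</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def build_query(refresh=False, regex_filter=None):
    """URL-encode the two documented request parameters (backslash and $ included)."""
    params = {}
    if refresh:
        params["refresh"] = "true"
    if regex_filter:
        params["regex_filter"] = regex_filter
    return urlencode(params)


def parse_integrity(xml_text):
    """Return {path: indicator} for every s:key whose name is an absolute path."""
    results = {}
    for key in ET.fromstring(xml_text).iter(S_KEY):
        name = key.get("name", "")
        if ABS_PATH.match(name):          # skips eai:acl, owner and other metadata keys
            results[name] = (key.text or "").strip()
    return results


def triage(results):
    """Bucket files and return (verdict, buckets)."""
    buckets = {"ok": [], "modified": [], "unverified": []}
    for path, indicator in sorted(results.items()):
        if indicator == "":
            buckets["ok"].append(path)
        elif indicator in MODIFIED:
            buckets["modified"].append((path, indicator))
        else:
            # access_failed, read_failed, other_open_failed, or an unknown value:
            # the file was not compared, so it must not count as intact.
            buckets["unverified"].append((path, indicator))
    if not results:
        # Check disabled, still running, or manifest unusable: absence of
        # findings is not evidence of integrity.
        verdict = "no_results"
    elif buckets["modified"]:
        verdict = "modified"
    elif buckets["unverified"]:
        verdict = "unverified"
    else:
        verdict = "clean"
    return verdict, buckets


if __name__ == "__main__":
    verdict, buckets = triage(parse_integrity(SAMPLE))
    print("verdict:", verdict)
    for path, indicator in buckets["modified"] + buckets["unverified"]:
        print(f"  {indicator:18} {path}")
    print("query:", build_query(refresh=True, regex_filter=r"\.conf$"))
```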

server/status/limits/search-concurrency

https://<host>:<mPort>/services/server/status/limits/search-concurrency

Access search concurrency metrics for a standalone Splunk Enterprise instance.


GET

Get search concurrency limits for a standalone Splunk Enterprise instance.

Request parameters
None


Returned values

Name Description
max_auto_summary_searches Maximum number of auto summary searches.
max_hist_scheduled_searches Maximum number of historical scheduled searches.
max_hist_searches Maximum number of historical searches.
max_rt_scheduled_searches Maximum number of scheduled searches.
max_rt_searches Maximum number of real-time searches.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/limits/search-concurrency

XML Response

...
 <title>server-status-limits-concurrency</title>
 <id>https://localhost:8089/services/server/status/limits/search-concurrency</id>
 <updated>2014-03-25T11:40:16-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>search-concurrency</title>
   <id>https://localhost:8089/services/server/status/limits/search-concurrency/search-concurrency</id>
   <updated>2014-03-25T11:40:16-07:00</updated>
   <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="max_auto_summary_searches">2</s:key>
       <s:key name="max_hist_scheduled_searches">5</s:key>
       <s:key name="max_hist_searches">10</s:key>
       <s:key name="max_rt_scheduled_searches">5</s:key>
       <s:key name="max_rt_searches">10</s:key>
     </s:dict>
   </content>
 </entry>



server/status/partitions-space

https://<host>:<mPort>/services/server/status/partitions-space


Access disk utilization information for filesystems that have Splunk objects, such as indexes, volumes, and logs. A filesystem can span multiple physical disk partitions.


GET

Get disk utilization information.


Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
capacity Disk capacity (MB).
free Disk free space (MB).
fs_type File system type. Example values:
  • Linux: ext2, ext3, ext4, qnx4
  • Solaris: ufs, zfs
  • Windows: ntfs, fat32
  • AIX: jfs
  • (not OS-specific) WORM: ISO9660, UDF13346
  • (not OS-specific) network-shared: SMB, CIFS, NFS
  • (not OS-specific) Veritas: VxFS.
mount_point Absolute path of the directory where this partition is mounted.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/partitions-space

XML Response

...
<title>introspection--disk-objects--partitions-space</title>
 <id>https://localhost:8089/services/server/status/partitions-space</id>
 <updated>2014-03-25T11:43:39-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>0</title>
   <id>https://localhost:8089/services/server/status/partitions-space/0</id>
   <updated>2014-03-25T11:43:39-07:00</updated>
   <link href="/services/server/status/partitions-space/0" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/partitions-space/0" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capacity">104901.000</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="free">7774.000</s:key>
       <s:key name="fs_type">ntfs</s:key>
       <s:key name="mount_point">C:\</s:key>
     </s:dict>
   </content>
 </entry>



server/status/resource-usage

https://<host>:<mPort>/services/server/status/resource-usage

Get current resource (CPU, RAM, VM, I/O, file handle) utilization for the entire host and for each Splunk-related process.


GET

Get resource utilization information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values
Returns a list of server/status/resource-usage/ endpoints.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage

XML Response

...
<title></title>
 <id>https://localhost:8089/services/server/status/resource-usage</id>
 <updated>2014-03-25T11:53:26-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>hostwide</title>
   <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
   <updated>2014-03-25T11:53:26-07:00</updated>
   <link href="/services/server/status/resource-usage/hostwide" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/hostwide" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>splunk-processes</title>
   <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
   <updated>2014-03-25T11:53:26-07:00</updated>
   <link href="/services/server/status/resource-usage/splunk-processes" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/splunk-processes" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>



server/status/resource-usage/hostwide

https://<host>:<mPort>/services/server/status/resource-usage/hostwide

Access host-level dynamic CPU utilization and paging information.


GET

Get host-level, dynamic CPU utilization and paging information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters

None

Returned values

Name Description
cpu_arch CPU architecture
cpu_count CPU count
cpu_idle_pct Percentage of time CPU is idle. Value reported as 100.0 on Windows except for Vista+ and XP/Win2003 English-only operating systems.
cpu_system_pct Percentage of time CPU is running in system mode. Missing from Windows except for Vista+ and XP/Win2003 English-only operating systems.
cpu_user_pct Percentage of time CPU is running in user mode. Missing from Windows except for Vista+ and XP/Win2003 English-only operating systems.
forks Cumulative number of forked processes since OS startup. Not available on Windows.
mem Total physical memory available (MB)
mem_used Total physical memory used (MB). This value represents the amount of actual physical memory minus the amount of physical memory currently available. Available memory is the amount of physical memory that can be immediately reused without having to first write its contents to disk.

On Unix, mem_used =
total_phys_ram - (free_mem + buffer_mem + cached_mem)

On Windows, mem_used =
(memoryStatus.ullTotalPhys - memoryStatus.ullAvailPhys)
See GlobalMemoryStatusEx function for more information.
normalized_load_avg_1min Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest.
os_build Software build for the os_version
os_name Operating system name
os_name_ext Extended operating system name
os_version Operating system version
pg_paged_out Cumulative VM page count paged since OS startup. Not available on Windows.
pg_swapped_out Cumulative pages swapped out since OS startup. Not available on Windows.
runnable_process_count Number of processes running or in the runnable queue. Value reported as 1 on Windows except for Vista+ and XP/Win2003 English-only operating systems.
splunk_version Currently installed Splunk software version
swap Amount of disk allocated to swap (fractional MB)
swap_used Swap space currently in use (fractional MB)
virtual_cpu_count Virtual CPU count


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/hostwide

XML Response

  <title>introspection--resource-usage--hostwide</title>
  <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
  <updated>2016-09-19T12:56:56-07:00</updated>
  <generator build="bf83e168dd2e" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/status/resource-usage/hostwide/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>result</title>
    <id>https://localhost:8089/services/server/status/resource-usage/hostwide/result</id>
    <updated>2016-09-19T12:56:56-07:00</updated>
    <link href="/services/server/status/resource-usage/hostwide/result" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/status/resource-usage/hostwide/result" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cpu_arch">x86_64</s:key>
        <s:key name="cpu_count">4</s:key>
        <s:key name="cpu_idle_pct">99.37</s:key>
        <s:key name="cpu_system_pct">0.25</s:key>
        <s:key name="cpu_user_pct">0.38</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="forks">16462040</s:key>
        <s:key name="instance_guid">88F85972-368E-45F8-A123-FDB14AE9701E</s:key>
        <s:key name="mem">7872.781</s:key>
        <s:key name="mem_used">929.883</s:key>
        <s:key name="normalized_load_avg_1min">0.00</s:key>
        <s:key name="os_build">#1 SMP Fri Aug 24 01:07:11 UTC 2012</s:key>
        <s:key name="os_name">Linux</s:key>
        <s:key name="os_name_ext">Linux</s:key>
        <s:key name="os_version">2.6.32-279.5.2.el6.x86_64</s:key>
        <s:key name="pg_paged_out">732923572</s:key>
        <s:key name="pg_swapped_out">0</s:key>
        <s:key name="runnable_process_count">1</s:key>
        <s:key name="splunk_version">6.5.0</s:key>
        <s:key name="swap">4031.992</s:key>
        <s:key name="swap_used">0.000</s:key>
        <s:key name="virtual_cpu_count">4</s:key>
      </s:dict>
    </content>
  </entry>
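The eai:acl block in the response above can be checked mechanically. The Python below is an added example, not part of the Splunk documentation: it converts the nested s:dict and s:list elements into Python structures and reports, per entry, which roles may read it, whether read access is open to every role (*), and which host-identifying fields the entry returns. The feed wrapper, namespace declarations and function names are assumptions; the two sample entries are trimmed from responses on this page.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
ATOM_ENTRY = "{http://www.w3.org/2005/Atom}entry"
# Fields from the hostwide table that identify the host or its software build.
HOST_FIELDS = ("instance_guid", "os_name", "os_version", "os_build", "splunk_version")

# Constructed sample: entries trimmed from this page, wrapped in an assumed <feed> root.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <id>https://localhost:8089/services/server/status/resource-usage/hostwide/result</id>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list/></s:key>
              </s:dict>
            </s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="mem_used">929.883</s:key>
        <s:key name="os_version">2.6.32-279.5.2.el6.x86_64</s:key>
        <s:key name="splunk_version">6.5.0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <id>https://localhost:8089/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1</id>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list><s:item>admin</s:item><s:item>splunk-system-role</s:item></s:list>
                </s:key>
                <s:key name="write"><s:list/></s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="priority_no">1</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def to_python(node):
    """Convert the s:dict / s:list / text held by a container element."""
    d = node.find("s:dict", NS)
    if d is not None:                      # empty elements are falsy, so test for None
        return {k.get("name"): to_python(k) for k in d.findall("s:key", NS)}
    lst = node.find("s:list", NS)
    if lst is not None:
        return [to_python(i) for i in lst.findall("s:item", NS)]
    return (node.text or "").strip()


def audit(feed_xml):
    """Return one row per entry describing its read/write ACL."""
    rows = []
    for entry in ET.fromstring(feed_xml).iter(ATOM_ENTRY):
        content = entry.find("a:content", NS)
        fields = to_python(content) if content is not None else {}
        if not isinstance(fields, dict):
            fields = {}
        acl = fields.get("eai:acl")
        perms = acl.get("perms") if isinstance(acl, dict) else None
        perms = perms if isinstance(perms, dict) else {}
        read = perms.get("read") or []
        write = perms.get("write") or []
        rows.append({
            "entry": entry.findtext("a:id", default="", namespaces=NS),
            # False for listings such as <s:dict/>: query the entry's ACL separately.
            "acl_present": isinstance(acl, dict),
            "read": read,
            "write": write,
            "open_read": "*" in read,      # "*" grants the permission to every role
            "open_write": "*" in write,
            "host_fields": [f for f in HOST_FIELDS if f in fields],
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE):
        flag = "OPEN" if row["open_read"] else "restricted"
        print(f'{flag:10} read={row["read"]} fields={row["host_fields"]} {row["entry"]}')
```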



server/status/resource-usage/iostats

https://<host>:<mPort>/services/server/status/resource-usage/iostats


Access the most recent disk I/O statistics for each disk. This endpoint is currently supported for Linux, Windows, and Solaris. By default this endpoint is updated every 60 seconds.


GET

Get disk I/O statistics.


Request parameters
None

Returned values

Name Description
avg_service_ms Average time requests caused the CPU to be in use, in milliseconds.
avg_total_ms Average queue + execution time for requests to be completed, in milliseconds.
cpu_pct Percentage of time the CPU was servicing requests.
device Device name (e.g., as listed under /dev on UNIX).
fs_type Mounted device file system type.
interval Interval over which sampling occurred, in seconds.
mount_point Mount point(s) of the underlying device.
reads_kb_ps Total number of kb read per second.
reads_ps Number of read requests per second.
writes_kb_ps Total number of kb written per second.
writes_ps Number of write requests per second.

Example request and response


XML Request

curl -k -u username:password https://localhost:8089/services/server/status/resource-usage/iostats

XML Response

...
<title>introspection--resource-usage--iostats</title>
  <id>https://localhost:8089/services/server/status/resource-usage/iostats</id>
  <updated>2015-09-11T14:10:45-04:00</updated>
  <generator build="78167cb4239c44472aa42425ebc83481b2d83433" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/status/resource-usage/iostats/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>0</title>
    <id>https://localhost:8089/services/server/status/resource-usage/iostats/0</id>
    <updated>2015-09-11T14:10:45-04:00</updated>
    <link href="/services/server/status/resource-usage/iostats/0" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/status/resource-usage/iostats/0" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="avg_service_ms">0.142</s:key>
        <s:key name="avg_total_ms">4.110</s:key>
        <s:key name="cpu_pct">0.05</s:key>
        <s:key name="device">dm-1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="fs_type">xfs</s:key>
        <s:key name="interval">60</s:key>
        <s:key name="mount_point">/</s:key>
        <s:key name="reads_kb_ps">0.000</s:key>
        <s:key name="reads_ps">0.000</s:key>
        <s:key name="writes_kb_ps">43.050</s:key>
        <s:key name="writes_ps">3.633</s:key>
      </s:dict>
    </content>
  </entry>



server/status/resource-usage/splunk-processes

https://<host>:<mPort>/services/server/status/resource-usage/splunk-processes

Access operating system resource utilization information.


GET

Get process operating system resource utilization information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.


Request parameters
None


Returned values

Name Description
args Non-search process arguments.
cpu_system_time Cumulative time this process has spent executing in kernel (incl. system calls). Extra field.
cpu_user_time Cumulative time this process has spent executing in user space (incl. library functions). Extra field.
elapsed Elapsed wall time, accurate to within the collection period.
fd_used Number of currently open files used by this process.
label Human-readable label for the saved search.
mem_unshared_data_used Amount of heap and stack used. Not available on Windows. Extra field.
mem_used Current amount of resident physical memory used (KB). (Usually far less deceiving than virtual memory because operating systems can be liberal with virtual memory size but never with resident memory size.)
On Windows, mem_used is obtained by reading the WorkingSetSize property returned by the GetProcessMemoryInfo() function (see GetProcessMemoryInfo function and PROCESS_MEMORY_COUNTERS structure).
normalized_pct_cpu Percentage of CPU usage across all cores. 100% is equivalent to all CPU resources on the machine.
page_faults Number of major page faults. Extra field.
pct_cpu Percentage of CPU usage, relative to one core. 100% is equivalent to 1 core.
pct_memory Percentage of physical memory used hostwide ((mem_used/available_host_memory) * 100).
pid Process ID.
ppid Parent process ID. Not available for all processes.
process Process name. The .exe suffix is stripped on Windows operating systems.
read_mb Amount of data read (MB), excluding cache reads.
search_head Dispatching search head for processes running saved searches.
search_props Search properties map of the following key value pairs.
  • acceleration_id: Acceleration ID
  • app: App name
  • mode: One of the following search modes.
    • historical
    • historical batch
    • RT
    • RT indexed
  • provenance: One of the following search sources.
    • cli
    • rest
    • ui:<App>:<View>
  • role: Splunk Enterprise platform role. Either head or peer.
  • scan_count: Event scan count for running process. Available only in Linux systems. This property is offered experimentally and might be changed or removed in a future release.
  • delta_scan_count: Delta event scan count for running process. Available only in Linux systems. This property is offered experimentally and might be changed or removed in a future release.
  • sid: Search ID (SID).
  • type: One of the following search types.
    • ad-hoc
    • datamodel acceleration
    • other
    • report acceleration
    • scheduled
    • summary indexing
  • user: Username of the Splunk user who initiated the search.
status Status from the OS scheduler. Can be R (runnable or running), W (waiting), stopped, Z (zombie), or O (other). W includes voluntary sleep or blocking on I/O. O means status is knowable but does not fit into one of those categories. Not available on Windows.
t_count Current number of threads.
written_mb Amount of data written (MB), excluding canceled writes.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/splunk-processes/0

XML Response

<title>introspection--resource-usage--splunk-processes</title>
 <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
 <updated>2014-03-26T13:35:52-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>0</title>
   <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes/0</id>
   <updated>2014-03-26T13:35:52-07:00</updated>
   <link href="/services/server/status/resource-usage/splunk-processes/0" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/splunk-processes/0" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="args"> instrument-resource-usage</s:key>
       <s:key name="eai:acl">
           ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="elapsed">619262.3610</s:key>
       <s:key name="mem_used">15.762</s:key>
       <s:key name="page_faults">12001684</s:key>
       <s:key name="pct_memory">0.40</s:key>
       <s:key name="pid">4256</s:key>
       <s:key name="ppid">2476</s:key>
       <s:key name="process">splunkd</s:key>
       <s:key name="t_count">4</s:key>
     </s:dict>
   </content>
 </entry>



server/sysinfo

https://<host>:<mPort>/services/server/sysinfo

Exposes relevant information about the resources and OS settings of the machine where Splunk Enterprise is running.


Usage details
This endpoint provides status information for the server where the current Splunk instance is running. The GET request response includes Kernel Transparent Huge Pages (THP) and ulimit status.


Note: Some properties returned by this endpoint are also returned by server/info. However, the server/info endpoint is meant to provide information on the currently running Splunk instance and not the machine where the instance is running. Server status values returned by server/info should be considered deprecated and might not continue to be accessible from this endpoint. Use the server/sysinfo endpoint for server information instead.


GET

Access server details.

Request parameters
None.

Returned values

Name Description
cpu_arch Server CPU architecture.
numberOfCores Number of server processor cores. Not applicable if host is a VM guest. A value of 0 is returned if the number cannot be accessed and the access failure reason is logged to splunkd.log.
numberOfVirtualCores Number of server virtual cores.
os_build Software build for the server os_version.
os_name Server operating system name.
os_name_extended Server operating system name.
os_version Server operating system version.
physicalMemoryMB Server physical memory (MB). The same value is returned as the mem field from server/status/resource-usage/hostwide. A value of 0 is returned if the number cannot be accessed and the access failure reason is logged to splunkd.log.
transparent_hugepages For Linux systems, includes the following THP status indicators.
  • defrag
  • effective_state
  • enabled

For non-Linux systems, effective_state is set to ok.

ulimits On all UNIX systems, lists settings for the following ulimits in place on splunkd at runtime.
  • core_file_size
  • cpu_time
  • data_file_size
  • data_segment_size
  • nice
  • open_files
  • resident_memory_size
  • stack_size
  • user_processes
  • virtual_address_space_size

Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/server/sysinfo

XML Response

...
  <title>system-info</title>
  <id>https://localhost:8089/services/server/sysinfo</id>
  <updated>2016-09-08T15:28:11-07:00</updated>
  <generator build="19e4b5854495" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/sysinfo/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>system-info</title>
    <id>https://localhost:8089/services/server/sysinfo/system-info</id>
    <updated>2016-09-08T15:28:11-07:00</updated>
    <link href="/services/server/sysinfo/system-info" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/sysinfo/system-info" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cpu_arch">x86_64</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="numberOfCores">8</s:key>
        <s:key name="numberOfVirtualCores">8</s:key>
        <s:key name="os_build">#1 SMP Thu Feb 9 12:45:44 EST 2012</s:key>
        <s:key name="os_name">Linux</s:key>
        <s:key name="os_name_extended">Linux</s:key>
        <s:key name="os_version">2.6.18-274.18.1.el5</s:key>
        <s:key name="physicalMemoryMB">7982</s:key>
        <s:key name="transparent_hugepages">
          <s:dict>
            <s:key name="defrag"></s:key>
            <s:key name="effective_state">ok</s:key>
            <s:key name="enabled"></s:key>
          </s:dict>
        </s:key>
        <s:key name="ulimits">
          <s:dict>
            <s:key name="core_file_size">0</s:key>
            <s:key name="cpu_time">-1</s:key>
            <s:key name="data_file_size">-1</s:key>
            <s:key name="data_segment_size">-1</s:key>
            <s:key name="nice">0</s:key>
            <s:key name="open_files">1024</s:key>
            <s:key name="resident_memory_size">-1</s:key>
            <s:key name="stack_size">10485760</s:key>
            <s:key name="user_processes">73728</s:key>
            <s:key name="virtual_address_space_size">-1</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
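
The nested s:dict, s:list and s:key elements in the response above can be converted to native structures and checked against the field descriptions in the returned-values table. This is an added example, not Splunk's own code: the `<feed>` wrapper and trimmed sample are constructed, and `to_python`, `parse_entries`, `review` and the `expected_readers` allowlist are hypothetical names. Treating any effective_state other than ok as a finding is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: trimmed from the response shown above and wrapped in a <feed> root.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>system-info</title><content type="text/xml"><s:dict>
 <s:key name="eai:acl"><s:dict><s:key name="perms"><s:dict>
   <s:key name="read"><s:list><s:item>admin</s:item><s:item>splunk-system-role</s:item></s:list></s:key>
   <s:key name="write"><s:list/></s:key></s:dict></s:key></s:dict></s:key>
 <s:key name="numberOfCores">8</s:key>
 <s:key name="physicalMemoryMB">7982</s:key>
 <s:key name="transparent_hugepages"><s:dict><s:key name="defrag"></s:key>
   <s:key name="effective_state">ok</s:key><s:key name="enabled"></s:key></s:dict></s:key>
 <s:key name="ulimits"><s:dict><s:key name="open_files">1024</s:key>
   <s:key name="core_file_size">0</s:key></s:dict></s:key>
</s:dict></content></entry></feed>"""

def to_python(node):
    """Convert an s:dict / s:list / s:key element into nested dicts, lists and strings."""
    if node.tag == S + "dict":
        return {k.get("name"): to_python(k) for k in node.findall("s:key", NS)}
    if node.tag == S + "list":
        return [to_python(i) for i in node.findall("s:item", NS)]
    children = list(node)  # s:key or s:item: either one nested container or plain text
    return to_python(children[0]) if children else (node.text or "").strip()

def parse_entries(xml_text):
    """Return {entry title: content dict} for every <entry> in the feed."""
    root = ET.fromstring(xml_text)
    return {e.findtext("atom:title", namespaces=NS): to_python(e.find("atom:content/s:dict", NS))
            for e in root.findall("atom:entry", NS)}

def review(info, expected_readers=frozenset({"admin", "splunk-system-role"})):
    """Return findings derived from the field descriptions in the returned-values table."""
    findings = []
    for field in ("numberOfCores", "physicalMemoryMB"):
        if info.get(field) == "0":  # documented: 0 means the value could not be accessed
            findings.append(f"{field} unavailable; see splunkd.log")
    state = info.get("transparent_hugepages", {}).get("effective_state")
    if state != "ok":  # assumption: anything other than ok deserves a look
        findings.append(f"THP effective_state is {state!r}")
    readers = set(info.get("eai:acl", {}).get("perms", {}).get("read", []))
    for role in sorted(readers - expected_readers):  # allowlist is a hypothetical policy
        findings.append(f"unexpected role with read access: {role}")
    return findings
```

All leaf values come back as strings, exactly as they appear in the XML, so numeric comparisons on ulimits need an explicit conversion.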



Last modified on 11 January, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

