Splunk® Enterprise

REST API Reference Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Using the REST API reference

Use the REST API Reference to learn about available endpoints and operations for accessing, creating, updating, or deleting resources. See the REST API User Manual to learn about the Splunk REST API basic concepts.

See the Endpoints reference list for an alphabetical list of endpoints.

Splunk Cloud Platform REST API usage

There are some REST API access and usage differences between Splunk Cloud Platform and Splunk Enterprise. If you are using Splunk Cloud Platform, review details in Access requirements and limitations for the Splunk Cloud Platform REST API.

Splunk REST API admin endpoints

Splunk does not support or document REST API endpoints that contain /admin/ in their URIs. Use the corresponding publicly documented endpoint instead.

Resource groups

Resources are grouped into the following categories.

Category Description
Access control Authorize and authenticate users.
Applications Install applications and application templates.
Clusters Configure and manage indexer clusters and search head clusters.
Configuration Manage configuration files and settings.
Deployment Manage deployment servers and clients.
Inputs Manage data input.
Introspection Access system properties.
Knowledge Define indexed and searched data configurations.
KV store Manage app key-value store.
Licensing Manage licensing configurations.
Outputs Manage forwarder data configuration.
Search Manage searches and search-generated alerts and view objects.
System Manage server configuration.
Workload management Manage system resources for search workloads.

See the Endpoints reference list for an alphabetical list of endpoints.

Available operations

Depending on the endpoint, GET, POST, and/or DELETE operations are available for accessing, creating, updating, or deleting resources. Some operations have specific capability requirements, as noted.

Using endpoint reference entries

Reference information for each endpoint in the REST API includes the following items.

  • URL
  • Usage details
  • Expandable elements showing available operations (GET, POST, and/or DELETE) for the endpoint.


Expand a GET, POST, or DELETE element to show the following usage information about the operation.

  • Request parameter information and requirements.
  • Returned values included in the response.
  • Example request and response.

Request and response details

Pagination and filtering parameters

In addition to the parameters specific to each endpoint and operation, the following request parameters are valid for some GET methods.

Name Datatype Default Description
count Number 30 Maximum number of entries to return. Set value to 0 to get all available entries.
f String Filters the response to include only the named values. Specify multiple times to return multiple values.

Examples:

f=qualifiedSearch returns only the value for qualifiedSearch.
f=s* returns all the values that have names beginning with s. f=qualifiedSearch&f=is_visible returns the values for qualifiedSearch as well as is_visible.

offset Number 0 Index of first item to return.
search String Response filter, where the response field values are matched against this search expression.

Example:

search=foo matches on any field with the string foo in the name.
search=field_name%3Dfield_value restricts the match to a single field. (Requires URI-encoding.)

sort_dir Enum asc Response sort order:

asc = ascending
desc = descending

sort_key String name Field name to use for sorting.
sort_mode Enum auto Collated ordering:

auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically.
alpha = Collate alphabetically, not case-sensitive.
alpha_case = Collate alphabetically, case-sensitive.
num = Collate numerically.

summarize Bool false Response type:

true = Summarized response, omitting some index details, providing a faster response.
false = full response.

Returned values

The response to GET and other requests typically includes key-value pairs representing details about the resource that you are accessing. Returned values specific to the resource and/or operation are listed along with their descriptions.

HTTP status codes

Responses can include HTTP status codes. Standard HTTP status codes are not included in endpoint documentation, but status codes with specific meaning for an endpoint and/or operation are noted.

Error messages

Requests with an error, such as a missing required parameter, can prompt an error response like the following example.

<response>
  <messages>
    <msg type="ERROR">
      In handler 'datamodelgenerate': The following required arguments are missing: sid.
    </msg>
  </messages>
</response>

EAI response data

EAI response data, the <eai:acl> and <eai:attributes> elements, typically apply to all endpoints and are configuration-dependent, so redundant explanation is omitted. These elements are also elided from the response examples to make the documentation easier to read.

Access Control List (ACL) [eai:acl]

The REST implementation enforces ownership and permissions for a resource based on application context namespace. The ACL includes the following parameters.

Parameter Description
app The app context for the resource. Allowed values are:
  • The name of an app
  • system
can_list For internal use only for the Splunk Web manager UI.
can_share_* Indicates whether or not the current user can change the sharing state. The sharing state can be one of:
  • can_share_app = App-level sharing
  • can_share_global = Global sharing
  • can_share_user = User-level sharing
can_write Indicates whether or not the current user can edit this item.
owner The user that owns the resource.

A value of nobody indicates that all users have access to the resource, but that write access to the resource might be restricted.

modifiable Indicates whether or not you can change the Access Control List (ACL).

Set to false for items not controlled by ACLs, such as items under /server/logger.

perms.read Properties that indicate read permissions of the resource.
perms.write Properties that indicate write permissions of the resource.
removable Indicates if an admin or user with sufficient permissions can remove the entity.
sharing Indicates how the resource is shared. Allowed values are:
  • app = Shared through an app.
  • global = Shared to all apps.
  • user = Private to a user.

Note: You can append /_acl to an endpoint to access its ACL properties. For more information, see Access Control List in the REST API User Manual.


EAI attributes [eai:attributes]

The eai:attributes element shows the mandatory and optional fields.

Attribute Description
optionalFields Field is optional.
requiredFields Field is required.
wildcardFields Field can use wildcard.

References

See the following resources for more information on working with the Splunk REST API.

Last modified on 11 October, 2021
  NEXT
Endpoints reference list

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters