Splunk® Enterprise

REST API Reference Manual

8.2.1
Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.


Search endpoint descriptions

Manage search resources including:

  • Alerts triggered by searches.
  • Python search command information.
  • Saved searches.
  • Search results.
  • Scheduled view objects.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Use the following URL for Splunk Cloud deployments. If necessary, submit a support case using the Splunk Support Portal to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

Free trial Splunk Cloud accounts cannot access the REST API.

See Using the REST API in Splunk Cloud in the Splunk REST API Tutorials for more information.



alerts/alert_actions

https://<host>:<mPort>/services/alerts/alert_actions

Access alert actions.

GET

Access a list of alert actions.


alerts/fired_alerts

https://<host>:<mPort>/services/alerts/fired_alerts

Access fired alerts.

GET

Access a fired alerts summary.



alerts/fired_alerts/{name}

https://<host>:<mPort>/services/alerts/fired_alerts/{name}

Access or delete the {name} triggered alert.

GET

List unexpired triggered instances of this alert.


DELETE

Delete the record of this triggered alert.


alerts/metric_alerts

https://<host>:<mPort>/services/alerts/metric_alerts

This endpoint lets you access and create streaming metric alerts.

Authentication and authorization
Only users whose roles have the metric_alerts capability can use this endpoint.

GET

Access streaming metric alert configurations.

POST

Create a streaming metric alert.


alerts/metric_alerts/{alert_name}

https://<host>:<mPort>/services/alerts/metric_alerts/{alert_name}

This endpoint lets you create, update, delete, enable, and disable streaming metric alerts.

Authentication and authorization
Only users whose roles have the metric_alerts capability can use this endpoint.

GET

Access the named streaming metric alert.

POST

Update the named streaming metric alert.

DELETE

Deletes the named metric alert.


data/commands

https://<host>:<mPort>/services/data/commands

Access Python search commands.

GET

Access Python search commands.



data/commands/{name}

https://<host>:<mPort>/services/data/commands/{name}

Get information about the {name} Python search command.

GET

Access search command information.



saved/searches

https://<host>:<mPort>/services/saved/searches

Access and create saved searches.

GET

Access saved search configurations.

POST

Create a saved search.




saved/searches/{name}

https://<host>:<mPort>/services/saved/searches/{name}

Manage the {name} saved search.


DELETE

Delete the named saved search.

GET

Access the named saved search.

POST

Update the named saved search.



saved/searches/{name}/acknowledge

https://<host>:<mPort>/services/saved/searches/{name}/acknowledge

Acknowledge the {name} saved search alert suppression.

POST

Acknowledge the {name} saved search alert suppression and resume alerting.



saved/searches/{name}/dispatch

https://<host>:<mPort>/services/saved/searches/{name}/dispatch

Dispatch the {name} saved search.

POST

Dispatch the {name} saved search.



saved/searches/{name}/history

https://<host>:<mPort>/services/saved/searches/{name}/history

List available search jobs created from the {name} saved search.

GET

List available search jobs created from the {name} saved search.



saved/searches/{name}/reschedule

https://<host>:<mPort>/services/saved/searches/{name}/reschedule

Set {name} scheduled saved search to start at a specific time and then run on its schedule thereafter.

POST

Define a new start time for a scheduled saved search.



saved/searches/{name}/scheduled_times

https://<host>:<mPort>/services/saved/searches/{name}/scheduled_times

Get the {name} saved search scheduled time.

GET

Access {name} saved search scheduled time.



saved/searches/{name}/suppress

https://<host>:<mPort>/services/saved/searches/{name}/suppress

Get the {name} saved search alert suppression state.

GET

Get the {name} saved search alert suppression state.



scheduled/views

https://<host>:<mPort>/services/scheduled/views

Access views scheduled for PDF delivery. Scheduled views are dummy noop scheduled saved searches that email a PDF of a dashboard.

GET

List all scheduled view objects.



scheduled/views/{name}

https://<host>:<mPort>/services/scheduled/views/{name}

Manage the {name} scheduled view.

DELETE

Delete a scheduled view.


GET

Access a scheduled view.


POST

Update a scheduled view.



scheduled/views/{name}/dispatch

https://<host>:<mPort>/services/scheduled/views/{name}/dispatch

Dispatch the scheduled search associated with the {name} scheduled view.


POST

Dispatch the scheduled search associated with the {name} scheduled view.



scheduled/views/{name}/history

https://<host>:<mPort>/services/scheduled/views/{name}/history

List search jobs used to render the {name} scheduled view.

GET

List search jobs used to render the {name} scheduled view.



scheduled/views/{name}/reschedule

https://<host>:<mPort>/services/scheduled/views/{name}/reschedule

Schedule the {name} view PDF delivery.


POST

Schedule the {name} view PDF delivery.



scheduled/views/{name}/scheduled_times

https://<host>:<mPort>/services/scheduled/views/{name}/scheduled_times

Get scheduled view times.


GET

Get scheduled view times.



search/concurrency-settings

https://<host>:<mPort>/services/search/concurrency-settings


GET

List search concurrency settings.



search/concurrency-settings/scheduler

https://<host>:<mPort>/services/search/concurrency-settings/scheduler

Edit settings that determine concurrent scheduled search limits.


Authentication and Authorization
The edit_search_concurrency_scheduled capability is required for this endpoint.


POST

Edit settings that determine concurrent scheduled search limits.



search/concurrency-settings/search

https://<host>:<mPort>/services/search/concurrency-settings/search

Edit settings that determine the maximum number of concurrent scheduled searches.

Authentication and Authorization
The edit_search_concurrency_all capability is required for this endpoint.


POST

Edit settings that determine the maximum number of concurrent scheduled searches.


search/jobs

https://<host>:<mPort>/services/search/jobs

List search jobs.

For more information about this and other search endpoints, see Creating searches using the REST API in the REST API Tutorial.


GET

Get details of all current searches.

POST

Start a new search and return the search ID (<sid>).



search/jobs/export

https://<host>:<mPort>/services/search/jobs/export

Stream search results as they become available.

The GET and POST operations on this endpoint perform a search identical to a POST to search/jobs. For parameter and returned value descriptions, see search/jobs.


GET

Performs a search identical to POST search/jobs.

POST

Performs a search identical to POST search/jobs. For parameter and returned value descriptions, see the POST parameter descriptions for search/jobs.



search/jobs/{search_id}

https://<host>:<mPort>/services/search/jobs/{search_id}

Manage the {search_id} search job.

DELETE

Delete the {search_id} search job.


GET

Get information about the {search_id} search job.

POST

Update the {search_id} search job.



search/jobs/{search_id}/control

https://<host>:<mPort>/services/search/jobs/{search_id}/control

Run a job control command for the {search_id} search.


POST

Run a job control command for the {search_id} search.



search/jobs/{search_id}/events

https://<host>:<mPort>/services/search/jobs/{search_id}/events

Get {search_id} search events.


GET

Access {search_id} search events.



search/jobs/{search_id}/results

https://<host>:<mPort>/services/search/jobs/{search_id}/results

Get {search_id} search results.


GET

Get {search_id} search results.



search/jobs/{search_id}/results_preview

https://<host>:<mPort>/services/search/jobs/{search_id}/results_preview

Preview {search_id} search results.


GET

Preview {search_id} search results.



search/jobs/{search_id}/search.log

https://<host>:<mPort>/services/search/jobs/{search_id}/search.log

Get the {search_id} search log.

GET

Get the {search_id} search log.



search/jobs/{search_id}/summary

https://<host>:<mPort>/services/search/jobs/{search_id}/summary

Get the getFieldsAndStats output of the events to date for the {search_id} search.

GET

Get the getFieldsAndStats output of the events to date for the {search_id} search.



search/jobs/{search_id}/timeline

https://<host>:<mPort>/services/search/jobs/{search_id}/timeline

Get event distribution over time of the untransformed events read to date for the {search_id} search.

GET

Get event distribution over time of the untransformed events read to date for the {search_id} search.



search/parser

https://<host>:<mPort>/services/search/parser

Get search language parsing.

GET

Parses Splunk search language and returns semantic map.



search/scheduler

https://<host>:<mPort>/services/search/scheduler

GET

Get current search scheduler enablement status.



search/scheduler/status

https://<host>:<mPort>/services/search/scheduler/status

Enable or disable the search scheduler.


POST

Enable or disable the search scheduler.



search/timeparser

https://<host>:<mPort>/services/search/timeparser

Get time argument parsing.

GET

Get a lookup table of time arguments to absolute timestamps.



search/typeahead

https://<host>:<mPort>/services/search/typeahead

Get search string auto-complete suggestions.

GET

Get a list of words or descriptions for possible auto-complete terms.

Last modified on 29 September, 2023

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0

