Splunk® Enterprise

REST API Reference Manual

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Application endpoint descriptions

Manage applications.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud Platform limitations

As a Splunk Cloud Platform user, you are restricted to interacting with the search tier only with the REST API. Application endpoints are generally not accessible in Splunk Cloud Platform.

Authorized users can access and configure applications in the Splunk Cloud Platform user interface.

See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.


apps/apptemplates

https://<host>:<port>/services/apps/apptemplates


List installed app templates. You can use an app template as the template parameter in a POST to /services/apps/local.

For additional information, see apps/local.


GET

List installed app templates.

Request parameters

Pagination and filtering parameters can be used with this method.


Response keys
None


Each <entry> element includes a <link> reference to an app template. The barebones and sample_app templates are installed by default.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates


XML Response

.
.
.
<title></title>
 <id>https://localhost:8089/services/apps/apptemplates</id>
 <updated>2014-07-01T09:50:36-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>barebones</title>
   <id>https://localhost:8089/services/apps/apptemplates/barebones</id>
   <updated>2014-07-01T09:50:36-07:00</updated>
   <link href="/services/apps/apptemplates/barebones" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/barebones" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>sample_app</title>
   <id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
   <updated>2014-07-01T09:50:36-07:00</updated>
   <link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/sample_app" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>

apps/apptemplates/{name}

https://<host>:<port>/services/apps/apptemplates/{name}


Get the {name} app template descriptor.

For additional information, see apps/apptemplates.


GET

Get the {name} app template descriptor.


Request parameters
Pagination and filtering parameters can be used with this method.


Response keys
None


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates/sample_app

XML Response

.
.
.
 <title></title>
 <id>https://localhost:8089/services/apps/apptemplates</id>
 <updated>2014-07-01T09:54:23-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>sample_app</title>
   <id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
   <updated>2014-07-01T09:54:23-07:00</updated>
   <link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/sample_app" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>

apps/local

https://<host>:<port>/services/apps/local


Create an app or list installed apps and properties.

The capabilities that this endpoint requires change based on the enable_install_apps setting in limits.conf. If this setting is true, the install_apps and edit_local_apps settings are required. If this setting is false, the admin_all_objects capability is required. By default, this setting value is false but you can change it on your system to improve security.

GET

List installed apps and properties.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
author App author and optional contact information. For apps deployed on Splunkbase, the Splunkbase account username.
check_for_updates Indicates whether to check for updates.
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description App description.
details URL to use for detailed information about the app.
disabled App state indication.
true = App is disabled.
false = App is enabled.
label App name.
state_change_requires_restart Indicates whether to require restart on state change.
true = App state change requires restart.
false = App state change might not require restart depending on other restart requirements.
version App version.
visible Indicates whether app is visible and navigable from Splunk Web.
true = App is visible and navigable.
false = App is not visible and navigable.

Application usage
Splunkbase can correlate locally-installed apps with the same app on Splunkbase for update notifications.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local


XML Response

<title>localapps</title>
  <id>https://localhost:17001/services/apps/local</id>
  <updated>2015-10-13T17:53:03-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
  <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <link href="/services/apps/local/_reload" rel="_reload"/>
  <link href="/services/apps/local/_acl" rel="_acl"/>
  <opensearch:totalResults>16</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>alert_logevent</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/alert_logevent</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent/disable" rel="disable"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent/package" rel="package"/>
<content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Log Event Alert Action</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
           <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Log Event Alert Action</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">6.4.0</s:key>
        <s:key name="visible">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>alert_webhook</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/alert_webhook</id>
<updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook/disable" rel="disable"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Webhook Alert Action</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Webhook Alert Action</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">6.4.0</s:key>
        <s:key name="visible">0</s:key>
      </s:dict>
    </content>
  </entry>
<entry>
    <title>appsbrowser</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/appsbrowser</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Browse apps available to install.</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Apps Browser</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">0</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">6.4.0</s:key>
        <s:key name="visible">1</s:key>
      </s:dict>
    </content>
  </entry>
 <entry>
    <title>framework</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/framework</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/framework/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/framework/disable" rel="disable"/>
    <link href="/servicesNS/nobody/system/apps/local/framework/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">0</s:key>
        <s:key name="core">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">framework</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="visible">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>gettingstarted</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/gettingstarted</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted/enable" rel="enable"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Get started with Splunk.  This app introduces you to many of Splunk's features.  You'll learn how to use Splunk to index data, search and investigate, add knowledge, monitor and alert, report and analyze.</s:key>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Getting started</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">1.0</s:key>
        <s:key name="visible">1</s:key>
      </s:dict>
    </content>
  </entry>
.
.
.


POST

Create an app.


Usage details

  • Splunkbase can correlate locally installed apps with the same app on Splunkbase for update notifications.
  • The app folder name cannot include spaces or special characters.


Request parameters

Name Type Description
auth String Splunkbase session token for operations like install and update that require login. Use auth or session when installing or updating an app through Splunkbase.
author String For apps posted to Splunkbase, use your Splunk account username. For internal apps, include your name and contact information.
configured Boolean Custom setup complete indication:
true = Custom app setup complete.
false = Custom app setup not complete.
description String Short app description also displayed below the app title in Splunk Web Launcher.
explicit_appname String Custom app name. Overrides name when installing an app from a file where filename is set to true. See also filename.
filename Boolean Indicates whether to use the name value as the app source location.
true indicates that name is a path to a file to install.
false indicates that name is the literal app name and that the app is created from Splunkbase using a template.
label String App name displayed in Splunk Web, from five to eighty characters excluding the prefix "Splunk for".
name String Required. Literal app name or path for the file to install, depending on the value of filename.
filename = false indicates that name is the literal app name and that the app is created from Splunkbase using a template.
filename = true indicates that name is the URL or path to the local .tar, .tgz or .spl file. If name is the Splunkbase URL, set auth or session to authenticate the request.

The app folder name cannot include spaces or special characters.

session String Login session token for installing or updating an app on Splunkbase. Alternatively, use auth.
template Enum App template to use when creating the app"
barebones - [Default] Basic app framework.
sample_app - Example views and searches.
Any custom app template.
update Boolean File-based update indication:
true specifies that filename should be used to update an existing app. If not specified, update defaults to
false, which indicates that filename should not be used to update an existing app.
version String App version.
visible Boolean Indicates whether the app is visible and navigable from Splunk Web.
true = App is visible and navigable.
false = App is not visible or navigable.

Response keys

Name Description
author For apps posted to Splunkbase, your Splunk account username. For internal apps, your full name and contact information.
check_for_updates
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup completeness indication.
true = Custom app setup complete.
false = Custom app setup not complete.
description Brief app description, displayed below the app title in Splunk Web.
disabled App state indication.
true = App is disabled.
false = App is enabled.
label App name displayed in Splunk Web.
name Installed app name, which might differ from the POST name parameter.
state_change_requires_restart Indicates whether restart required on state change.
true = App state change requires restart.
false = App state change might not require restart, depending on other restart requirements.
version App version.
visible Indicates whether app is visible and navigable from Splunk Web.
true = App is visible and navigable.
false = App is not visible or navigable.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local -d name=restDemo

XML Response

<title></title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:09:37-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>restDemo</title>
   <id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
   <updated>2014-07-01T10:09:37-07:00</updated>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="author"></s:key>
       <s:key name="check_for_updates">1</s:key>
       <s:key name="configured">0</s:key>
       <s:key name="description"></s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">0</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="label">restDemo</s:key>
       <s:key name="name">restDemo</s:key>
       <s:key name="state_change_requires_restart">0</s:key>
       <s:key name="version">1.0</s:key>
       <s:key name="visible">1</s:key>
     </s:dict>
   </content>
 </entry>

apps/local/{name}

https://<host>:<port>/services/apps/local/{name}


Manage {name} app. For additional information, see "Uninstall an app" in the Admin Manual.


DELETE

Delete the {name} app.

Usage details

  • Use the /apps/local GET method to confirm that the app is no longer installed.
  • See "Uninstall an app" for additional manual cleanup that might be needed after deleting an app.


Request parameters
None


Response keys
A message is displayed that might indicate a restart is required.

Specifying the name of a non-existent app returns an error message, as shown below.

In handler 'localapps': Could not find object id=<app_name>.


Example request and response

XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/apps/local/sample_app

XML Response

.
.
.
 <title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-15T10:24:35-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages>
   <s:msg type="INFO">Restart required by: indexes</s:msg>
 </s:messages>


GET

List information about the {name} app.

Request parameters

Name Type Description
refresh Boolean Indicates whether to reload any objects associated with the {name} app indication:
true = Reload objects.
false = Do not reload objects.

Response keys

Name Description
author For apps posted to Splunkbase, your Splunk account username. For internal apps, your full name and contact information.
check_for_updates Indicates whether to check for updates.
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup completeness indication.
true = Custom app setup complete.
false = Custom app setup not complete.
description Brief app description also displayed below the app title in Splunk Web.
disabled App state indication:
true = App is disabled.
false = App is enabled.
label App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
state_change_requires_restart Indicates whether restart is required on state change indication:
true = App state change requires restart.
false = App state change might not require restart, depending on other restart requirements.
version App version.
visible App is visible and navigable from Splunk Web indication:
true = App is visible and navigable.
false = App is not visible or navigable.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local/dashboard_examples

XML Response

.
.
.
<title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:23:46-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>dashboard_examples</title>
   <id>https://localhost:8089/servicesNS/nobody/system/apps/local/dashboard_examples</id>
   <updated>2014-07-01T10:23:46-07:00</updated>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="list"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="edit"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="remove"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/disable" rel="disable"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/package" rel="package"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="author">Splunk, Inc.</s:key>
       <s:key name="check_for_updates">1</s:key>
       <s:key name="configured">0</s:key>
       <s:key name="description"><![CDATA[Example dashboards, forms, and views for Splunk 5+. This is the succesor app to UI Examples 4.1+. Splunk Dashboard Examples contains over 50 examples updated for Splunk 5. Each example contains inline documenation to help get you started building Splunk dashboards.]]></s:key>
       <s:key name="details">https://splunkbase.splunk.com/apps/id/dashboard_examples</s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">0</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>author</s:item>
               <s:item>check_for_updates</s:item>
               <s:item>configured</s:item>
               <s:item>description</s:item>
               <s:item>label</s:item>
               <s:item>version</s:item>
               <s:item>visible</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="label">Splunk Dashboard Examples</s:key>
       <s:key name="state_change_requires_restart">0</s:key>
       <s:key name="version">5.0</s:key>
       <s:key name="visible">1</s:key>
     </s:dict>
   </content>
 </entry>


POST

Update the {name} app properties. Append /enable or /disable to enable or disable the app. See Enable and disable endpoint for more information.


Request parameters

Name Type Description
author String For apps posted to Splunkbase, use your Splunk account username. For internal apps, use your full name and contact information.
check_for_updates Boolean Check for updates indicator.
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Boolean Custom setup completion indicator.
true = Custom app setup complete.
false = Custom app setup not complete.
description String Short app description also displayed below the app title in Splunk Web.
label String App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
version String App version.
visible Boolean Indicates whether app is visible and navigable from Splunk Web.
true = App is visible and navigable.
false = App is not visible and navigable.

Response keys

Name Description
author For apps posted to Splunkbase, your Splunk account username. For internal apps, your full name and contact information.
check_for_updates Check for updates indication:
true = Check Splunkbase for app updates.
false = Do not check Splunkbase for app updates.
configured Custom setup completion indicator.
true = Custom app setup complete.
false = Custom app setup not complete.
description App description also displayed below the app title in Splunk Web.
disabled App state indication.
true = App is disabled.
false = App is enabled.
label App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For".
state_change_requires_restart Restart required on state change indication:
true = App state change requires restart.
false = App state change might not require restart, depending on other restart requirements.
version App version.
visible Indicator of whether app is visible and navigable from Splunk Web.
true = App is visible and navigable.
false = App is not visible or navigable.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo -d version=1.1

XML Response

.
.
.
<title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:28:35-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>restDemo</title>
   <id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
   <updated>2014-07-01T10:28:35-07:00</updated>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="remove"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="author"></s:key>
       <s:key name="check_for_updates">1</s:key>
       <s:key name="configured">0</s:key>
       <s:key name="description"></s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">0</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="label">restDemo</s:key>
       <s:key name="state_change_requires_restart">0</s:key>
       <s:key name="version">1.1</s:key>
       <s:key name="visible">1</s:key>
     </s:dict>
   </content>
 </entry>

apps/local/{name}/package

https://<host>:<port>/services/apps/local/{name}/package

Archive the {name} app as a .spl file in the $SPLUNK_HOME/etc/system/static/app-packages directory.


GET

Archive the {name}.spl app.


Usage details
Download the archived app using the following URL:

https://host:<port>/static/app-packages/{name}.spl


Request parameters
None


Response keys

Name Description
name App name and name of the folder containing the app.
path Local path to an archive of the app.
url App download URL.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo/package

XML Response

.
.
.
 <title></title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:46:43-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>Package</title>
   <id>https://localhost:8089/services/apps/local/Package</id>
   <updated>2014-07-01T10:46:43-07:00</updated>
   <link href="/services/apps/local/Package" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/local/Package/setup" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="name">restDemo</s:key>
       <s:key name="path">C:\Program Files\Splunk\etc\system\static\app-packages\restDemo.spl</s:key>
       <s:key name="url">https://localhost:8089/static/app-packages/restDemo.spl</s:key>
     </s:dict>
   </content>
 </entry>

apps/local/{name}/setup

https://<host>:<port>/services/apps/local/{name}/setup

Get the {name} app setup information.


GET

Get setup information for the {name} app.

Usage details
Some apps contain setup scripts that must be run before the app is enabled. For those apps, the setup.xml file must exist in the $SPLUNK_BASE\etc\apps\<appname>\default directory.

Request parameters
None

Response keys

Name Description
<script location> TBD
eai:setup CDATA setup script location.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local/unix/setup

XML Response

.
.
.
 <title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2011-07-13T11:24:35-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>unix</title>
   <id>https://localhost:8089/servicesNS/nobody/unix/apps/local/unix</id>
   <updated>2011-07-13T11:24:35-07:00</updated>
   <link href="/servicesNS/nobody/unix/apps/local/unix" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/unix/apps/local/unix/setup" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/enabled">1</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/interval">30</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fdf.sh/enabled">1</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fdf.sh/interval">300</s:key>
       ... elided ...
       <s:key name="/admin/script/.%252Fbin%252Fwho.sh/enabled">1</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fwho.sh/interval">150</s:key>
       ... eai:acl element elided ...
       ... eai:attributes element elided ...
       <s:key name="eai:setup">
<![CDATA[<?xml version="1.0" encoding="UTF-8"?> <SetupInfo> <block title="Welcome to the Splunk for nix App"> <text>The Splunk for nix app provides some sample searches and reports to boot-strap your use of Splunk for Unix host management. To work, it needs certain inputs enabled. These system metrics drive the sample dashboards. Please review and confirm the inputs below before proceeding.</text> </block> <block title="CPU Stats (sar / mpstat / etc.)" endpoint="admin/script" entity=".%252Fbin%252Fcpu.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Fcpu.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Fcpu.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block>

. . .

<block title="Time Query (date, ntpdate -q)" endpoint="admin/script" entity=".%252Fbin%252Ftime.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Ftime.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Ftime.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Linux Audit Log (/var/log/audit/audit.log | ausearch)" endpoint="admin/script" entity=".%252Fbin%252Frlog.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Frlog.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Frlog.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Warning"> <text>Submitting this form can take a long time. Please be patient and wait for it to complete before navigating away from this page.</text> </block> </SetupInfo> ]]> </s:key>

     </s:dict>
   </content>
 </entry>

apps/local/{name}/update

https://<host>:<port>/services/apps/local/{name}/update


Get eai:acl information for the {name} app.


GET

Get {name} app eai:acl information.

Request parameters
None


Response keys
The eai:acl key of the {name} app.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/apps/local/gettingstarted/update

XML Response

.
.
.
 <title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-15T10:34:13-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>gettingstarted</title>
   <id>https://localhost:8089/services/apps/local/gettingstarted</id>
   <updated>2014-07-15T10:34:13-07:00</updated>
   <link href="/services/apps/local/gettingstarted" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/local/gettingstarted" rel="list"/>
   <link href="/services/apps/local/gettingstarted/_reload" rel="_reload"/>
   <link href="/services/apps/local/gettingstarted" rel="edit"/>
   <link href="/services/apps/local/gettingstarted" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

Last modified on 12 October, 2021
Access endpoint descriptions   Cluster endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters