Splunk® Enterprise

REST API Reference Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Federated search endpoint descriptions

Use the Federated Search REST API endpoints to create, update, and delete definitions for federated providers and federated indexes.

See About federated search for more information.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication are required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints, and must have the admin_all_objects and edit_indexes capabilities to use the federated search endpoints detailed in this topic.

Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls > Users. To determine the capabilities assigned to a role, select Settings > Access controls > Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud Platform URL for REST API access

Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Paid subscribers to the Splunk Cloud Platform service use the following URL to access REST API resources:

https://<deployment-name>.splunkcloud.com:8089

See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.


data/federated/provider

https://<host>:<mPort>/services/data/federated/provider

Use this endpoint to get a list of federated providers and post new federated provider definitions. See Define a federated provider.

Authentication and authorization
Use of the GET and POST operations for this endpoint are restricted to roles that have the admin_all_objects and indexes_edit capabilities.

GET

Returns a list of federated providers.

Request parameters
None specific to this method. This method can use pagination and filtering parameters.

Returned values

Name Description
name Specifies the name of the federated provider.
appContext Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.

If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
hostPort Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.
serviceAccount Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.
type Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
useFSHKnowledgeObjects When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider.

Defaults to True.

Example request and response
Return a list of federated providers. (The XML response shows an example of a single returned federated provider record.)

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/provider

XML response

...
<entry>
  <title>provider-1</title>
  <id>/servicesNS/nobody/system/data/federated/provider/provider-1</id>
  <updated>1969-12-31T16:00:00-08:00</updated>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="list"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="edit"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="remove"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="appContext">search</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">system</s:key>
          <s:key name="can_change_perms">1</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_share_app">1</s:key>
          <s:key name="can_share_global">1</s:key>
          <s:key name="can_share_user">0</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">1</s:key>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="removable">1</s:key>
          <s:key name="sharing">system</s:key>
        </s:dict>
      </s:key>
      <s:key name="hostPort">localhost:8090</s:key>
      <s:key name="serviceAccount">user1</s:key>
      <s:key name="type">splunk</s:key>
      <s:key name="useFSHKnowledgeObjects">1</s:key>
    </s:dict>
  </content>
</entry>

POST

Creates a new federated provider definition.

Request parameters

Name Type Description
name String Required. Specify a unique name for the federated provider.
appContext String Specify the short name of an app to apply an application context to federated searches on the federated provider. The application context determines which set of knowledge objects is applied to the federated searches.
  • If useFSHKnowledgeObjects = true, provide the short name of an app that is installed on the federated search head of your local Splunk provider.
  • If useFSHKnowledgeObjects = false, provide the short name of an app that is installed on the remote search head of the federated provider.

Defaults to Search.

hostPort String Required. Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
password String Required. Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.
serviceAccount String Required. Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.
type String Set the type of federated provider. Currently only Splunk deployments are supported. Defaults to splunk. No other values are allowed.
useFSHKnowledgeObjects Boolean When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider.

Defaults to True.

Returned values

Name Description
name Specifies the name of the federated provider.
appContext Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.

If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
hostPort Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.
serviceAccount Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.
type Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
useFSHKnowledgeObjects When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider.

Defaults to True.

Example request and response
Create a new definition for a federated provider named provider-1.

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/provider -d name=provider-1 -d type=splunk -d appContext=search -d hostPort=localhost:8090 -d serviceAccount=user1 -d password=secret1 -d useFSHKnowledgeObjects=1

XML response

...
<entry>
  <title>provider-1</title>
  <id>/servicesNS/nobody/system/data/federated/provider/provider-1</id>
  <updated>1969-12-31T16:00:00-08:00</updated>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="list"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="edit"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="remove"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="appContext">search</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">system</s:key>
          <s:key name="can_change_perms">1</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_share_app">1</s:key>
          <s:key name="can_share_global">1</s:key>
          <s:key name="can_share_user">0</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">1</s:key>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="removable">1</s:key>
          <s:key name="sharing">system</s:key>
        </s:dict>
      </s:key>
      <s:key name="hostPort">localhost:8090</s:key>
      <s:key name="serviceAccount">user1</s:key>
      <s:key name="type">splunk</s:key>
      <s:key name="useFSHKnowledgeObjects">1</s:key>
    </s:dict>
  </content>
</entry>

data/federated/provider/{federated_provider_name}

https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}

Use this endpoint to:

  • Retrieve a definition for a specific {federated_provider_name}.
  • Update a definition for a specific {federated_provider_name}.
  • Delete a definition for a specific {federated_provider_name}.

See Define a federated provider.

Authentication and Authorization
Usage of the GET, POST, and DELETE operations for this endpoint require the admin_all_objects and indexes_edit capabilities.

GET

Returns a definition of a specific {federated_provider_name}.

Request parameters
None specific to this method.

Returned values

Name Description
name Specifies the name of the federated provider.
appContext Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.

If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
hostPort Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.
serviceAccount Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.
type Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
useFSHKnowledgeObjects When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider.

Defaults to True.

Example request and response
Return the definition for the my_federated_provider federated provider.

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/provider/my_federated_provider

XML response

...
<entry>
  <title>my_federated_provider</title>
  <id>/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
  <updated>1969-12-31T16:00:00-08:00</updated>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="appContext">search</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">system</s:key>
          <s:key name="can_change_perms">1</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_share_app">1</s:key>
          <s:key name="can_share_global">1</s:key>
          <s:key name="can_share_user">0</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">1</s:key>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="removable">1</s:key>
          <s:key name="sharing">system</s:key>
        </s:dict>
      </s:key>
      <s:key name="eai:attributes">
        <s:dict>
          <s:key name="optionalFields">
            <s:list>
              <s:item>appContext</s:item>
              <s:item>hostPort</s:item>
              <s:item>password</s:item>
              <s:item>serviceAccount</s:item>
              <s:item>type</s:item>
              <s:item>useFSHKnowledgeObjects</s:item>
            </s:list>
          </s:key>
          <s:key name="requiredFields">
            <s:list/>
          </s:key>
          <s:key name="wildcardFields">
            <s:list>
              <s:item>.*</s:item>
            </s:list>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="hostPort">localhost:8090</s:key>
      <s:key name="serviceAccount">user1</s:key>
      <s:key name="type">splunk</s:key>
      <s:key name="useFSHKnowledgeObjects">1</s:key>
    </s:dict>
  </content>
</entry>

POST

Updates a definition for a specific {federated_provider_name}.

Request parameters

At least one argument is required.

Name Type Description
appContext String Specify the short name of an app to apply an application context to federated searches on the federated provider. The application context determines which set of knowledge objects is applied to the federated searches.
  • If useFSHKnowledgeObjects = true, provide the short name of an app that is installed on the federated search head of your local Splunk provider.
  • If useFSHKnowledgeObjects = false, provide the short name of an app that is installed on the remote search head of the federated provider.

Defaults to Search.

hostPort String Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
password String Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.
serviceAccount String Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.
type String Set the type of federated provider. Currently only Splunk deployments are supported. Defaults to splunk. No other values are allowed.
useFSHKnowledgeObjects Boolean When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider.

Defaults to True.

Returned values

Name Description
name Specifies the name of the federated provider.
appContext Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.

If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
hostPort Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.
serviceAccount Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.
type Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
useFSHKnowledgeObjects When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider.

Defaults to True.

Example request and response

Change the useFSHKnowledgeObjects setting to false so that federated searches with this federated provider use knowledge objects from the remote search head on the provider.

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/provider/my_federated_provider -d useFSHKnowledgeObjects=0

XML response

  <entry>
    <title>my_federated_provider</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="appContext">search</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="hostPort">10.224.150.77:58677</s:key>
        <s:key name="serviceAccount">power01</s:key>
        <s:key name="type">splunk</s:key>
        <s:key name="useFSHKnowledgeObjects">0</s:key>
      </s:dict>
    </content>
  </entry>

DELETE

Deletes a definition for a specific {federated_provider_name}.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example request and response
Remove the my_federated_provider stanza from federated.conf.

XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/provider/my_federated_provider

XML response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>federated-provider</title>
  <id>/services/data/federated/provider</id>
  <updated>2021-04-27T12:47:36-07:00</updated>
  <generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/provider/_new" rel="create"/>
  <link href="/services/data/federated/provider/_reload" rel="_reload"/>
  <link href="/services/data/federated/provider/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/federated/index

https://<host>:<mPort>/services/data/federated/index

Use this endpoint to get a list of federated indexes and post new federated index definitions. See Create a federated index.

Authentication and authorization
Use of the GET and POST operations for this endpoint are restricted to roles that have the admin_all_objects and indexes_edit capabilities.

GET

Returns a list of federated indexes.

Request parameters
None specific to this method. This method can use pagination and filtering parameters.

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.

Name Description
name Specifies the name of the federated index. Uses the syntax federated:<index_name>.
federated.provider Specifies the federated provider that contains the dataset to which this federated index maps.
federated.dataset Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.

Example request and response
Get the complete list of federated indexes. (The XML response provides a sample of one returned index record.)

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/index

XML response

...
<entry>
  <title>federated:airports-east</title>
  <id>/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
  <updated>1969-12-31T16:00:00-08:00</updated>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="assureUTF8">0</s:key>
      <s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
      <s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
      <s:key name="bucketMerge.minMergeSizeMB">750</s:key>
      <s:key name="bucketMerging">0</s:key>
      <s:key name="coldPath.maxDataSizeMB">0</s:key>
      <s:key name="coldToFrozenDir"></s:key>
      <s:key name="coldToFrozenScript"></s:key>
      <s:key name="compressRawdata">1</s:key>
      <s:key name="datatype">event</s:key>
      <s:key name="defaultDatabase">main</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">search</s:key>
          <s:key name="can_change_perms">1</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_share_app">1</s:key>
          <s:key name="can_share_global">1</s:key>
          <s:key name="can_share_user">0</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">1</s:key>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="removable">1</s:key>
          <s:key name="sharing">app</s:key>
        </s:dict>
      </s:key>
      <s:key name="enableDataIntegrityControl">0</s:key>
      <s:key name="enableRealtimeSearch">1</s:key>
      <s:key name="enableTsidxReduction">0</s:key>
      <s:key name="federated.dataset">index:airlinedata1</s:key>
      <s:key name="federated.provider">remote_splunk_deployment</s:key>
      <s:key name="frozenTimePeriodInSecs">188697600</s:key>
      <s:key name="homePath.maxDataSizeMB">0</s:key>
      <s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
      <s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
      <s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
      <s:key name="hotBucketStreaming.reportStatus">0</s:key>
      <s:key name="hotBucketStreaming.sendSlices">0</s:key>
      <s:key name="hotBucketTimeRefreshInterval">60</s:key>
      <s:key name="indexThreads">auto</s:key>
      <s:key name="journalCompression">gzip</s:key>
      <s:key name="maxConcurrentOptimizes">3</s:key>
      <s:key name="maxDataSize">auto</s:key>
      <s:key name="maxHotBuckets">1</s:key>
      <s:key name="maxHotIdleSecs">0</s:key>
      <s:key name="maxHotSpanSecs">7776000</s:key>
      <s:key name="maxMemMB">5</s:key>
      <s:key name="maxTotalDataSizeMB">500000</s:key>
      <s:key name="maxWarmDBCount">300</s:key>
      <s:key name="memPoolMB">auto</s:key>
      <s:key name="metric.compressionBlockSize">1024</s:key>
      <s:key name="metric.enableFloatingPointCompression">1</s:key>
      <s:key name="metric.maxHotBuckets">1</s:key>
      <s:key name="metric.splitByIndexKeys"></s:key>
      <s:key name="metric.stubOutRawdataJournal">1</s:key>
      <s:key name="metric.timestampResolution">s</s:key>
      <s:key name="metric.tsidxTargetSizeMB">1500</s:key>
      <s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
      <s:key name="minStreamGroupQueueSize">2000</s:key>
      <s:key name="quarantineFutureSecs">2592000</s:key>
      <s:key name="quarantinePastSecs">77760000</s:key>
      <s:key name="rawChunkSizeBytes">131072</s:key>
      <s:key name="rotatePeriodInSecs">60</s:key>
      <s:key name="serviceInactiveIndexesPeriod">60</s:key>
      <s:key name="serviceMetaPeriod">1</s:key>
      <s:key name="splitByIndexKeys"></s:key>
      <s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
      <s:key name="suspendHotRollByDeleteQuery">0</s:key>
      <s:key name="sync">0</s:key>
      <s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
      <s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
      <s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
      <s:key name="tsidxTargetSizeMB">1500</s:key>
      <s:key name="tsidxWritingLevel">1</s:key>
      <s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
    </s:dict>
  </content>
</entry>

POST

Creates a new federated index definition.

Request parameters

Name Type Description
name String Required. Specify a unique name for the federated index, using the syntax federated:<index_name>. Each federated index maps to only one remote dataset on a federated provider, so the name should reference that dataset.

Index names have the following limitations:
  • They may contain only lowercase letters, numbers, underscores, and hyphens.
  • They must begin with a letter or number.
  • They cannot be more than 2048 characters in length.
  • They cannot contain the string "kvstore".
federated.provider String Required. Specify the federated provider that contains the dataset to which this federated index maps.
federated.dataset String Required. Specify the dataset on the federated.provider to which this federated index maps. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.

For this version of the Splunk platform, the <type> is limited to index.

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.

Name Description
name Specifies the name of the federated index. Uses the syntax federated:<index_name>.
federated.provider Specifies the federated provider that contains the dataset to which this federated index maps.
federated.dataset Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.

Example request and response
Create a new definition for a federated index named airports-east.

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/index -d name=federated:airports-east -d federated.provider=FenrisAirNYC -d federated.dataset=index:airports-east

XML response

<entry>
  <title>federated:fs-airports-east</title>
  <id>/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
  <updated>1969-12-31T16:00:00-08:00</updated>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="assureUTF8">0</s:key>
      <s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
      <s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
      <s:key name="bucketMerge.minMergeSizeMB">750</s:key>
      <s:key name="bucketMerging">0</s:key>
      <s:key name="coldPath.maxDataSizeMB">0</s:key>
      <s:key name="coldToFrozenDir"></s:key>
      <s:key name="coldToFrozenScript"></s:key>
      <s:key name="compressRawdata">1</s:key>
      <s:key name="datatype">event</s:key>
      <s:key name="defaultDatabase">main</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">search</s:key>
          <s:key name="can_change_perms">1</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_share_app">1</s:key>
          <s:key name="can_share_global">1</s:key>
          <s:key name="can_share_user">0</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">1</s:key>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="removable">1</s:key>
          <s:key name="sharing">app</s:key>
        </s:dict>
      </s:key>
      <s:key name="enableDataIntegrityControl">0</s:key>
      <s:key name="enableRealtimeSearch">1</s:key>
      <s:key name="enableTsidxReduction">0</s:key>
      <s:key name="federated.dataset">index:airports-east</s:key>
      <s:key name="federated.provider">FenrisAirNYC</s:key>
      <s:key name="frozenTimePeriodInSecs">188697600</s:key>
      <s:key name="homePath.maxDataSizeMB">0</s:key>
      <s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
      <s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
      <s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
      <s:key name="hotBucketStreaming.reportStatus">0</s:key>
      <s:key name="hotBucketStreaming.sendSlices">0</s:key>
      <s:key name="hotBucketTimeRefreshInterval">60</s:key>
      <s:key name="indexThreads">auto</s:key>
      <s:key name="journalCompression">gzip</s:key>
      <s:key name="maxConcurrentOptimizes">3</s:key>
      <s:key name="maxDataSize">auto</s:key>
      <s:key name="maxHotBuckets">1</s:key>
      <s:key name="maxHotIdleSecs">0</s:key>
      <s:key name="maxHotSpanSecs">7776000</s:key>
      <s:key name="maxMemMB">5</s:key>
      <s:key name="maxTotalDataSizeMB">500000</s:key>
      <s:key name="maxWarmDBCount">300</s:key>
      <s:key name="memPoolMB">auto</s:key>
      <s:key name="metric.compressionBlockSize">1024</s:key>
      <s:key name="metric.enableFloatingPointCompression">1</s:key>
      <s:key name="metric.maxHotBuckets">1</s:key>
      <s:key name="metric.splitByIndexKeys"></s:key>
      <s:key name="metric.stubOutRawdataJournal">1</s:key>
      <s:key name="metric.timestampResolution">s</s:key>
      <s:key name="metric.tsidxTargetSizeMB">1500</s:key>
      <s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
      <s:key name="minStreamGroupQueueSize">2000</s:key>
      <s:key name="quarantineFutureSecs">2592000</s:key>
      <s:key name="quarantinePastSecs">77760000</s:key>
      <s:key name="rawChunkSizeBytes">131072</s:key>
      <s:key name="rotatePeriodInSecs">60</s:key>
      <s:key name="serviceInactiveIndexesPeriod">60</s:key>
      <s:key name="serviceMetaPeriod">1</s:key>
      <s:key name="splitByIndexKeys"></s:key>
      <s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
      <s:key name="suspendHotRollByDeleteQuery">0</s:key>
      <s:key name="sync">0</s:key>
      <s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
      <s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
      <s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
      <s:key name="tsidxTargetSizeMB">1500</s:key>
      <s:key name="tsidxWritingLevel">1</s:key>
      <s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
    </s:dict>
  </content>
</entry>

data/federated/index/federated:{federated_index_name}

https://<host>:<mPort>/services/data/federated/provider/federated:{federated_index_name}

Use this endpoint to:

  • Retrieve a definition for a specific {federated_index_name}.
  • Update a definition for a specific {federated_index_name}.
  • Delete a definition for a specific {federated_index_name}.

See Create a federated index.

Authentication and Authorization
Usage of the GET, POST, and DELETE operations for this endpoint require the admin_all_objects and indexes_edit capabilities.

GET

Returns a definition of a specific {federated_index_name}.

Request parameters
None specific to this method.

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.

Name Description
name Specifies the name of the federated index. Uses the syntax federated:<index_name>.
federated.provider Specifies the federated provider that contains the dataset to which this federated index maps.
federated.dataset Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.

Example request and response
Return the definition for the airports-east federated index. XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/index/federated:airports-east

XML response

  <entry>
    <title>federated:airports-east</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="archiver.enableDataArchive">0</s:key>
        <s:key name="archiver.maxDataArchiveRetentionPeriod">0</s:key>
        <s:key name="assureUTF8">0</s:key>
        <s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
        <s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
        <s:key name="bucketMerge.minMergeSizeMB">750</s:key>
        <s:key name="bucketMerging">0</s:key>
        <s:key name="bucketRebuildMemoryHint">auto</s:key>
        <s:key name="coldPath.maxDataSizeMB">0</s:key>
        <s:key name="coldToFrozenDir"></s:key>
        <s:key name="coldToFrozenScript"></s:key>
        <s:key name="compressRawdata">1</s:key>
        <s:key name="datatype">event</s:key>
        <s:key name="defaultDatabase">main</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>federated.dataset</s:item>
                <s:item>federated.provider</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="enableDataIntegrityControl">0</s:key>
        <s:key name="enableOnlineBucketRepair">1</s:key>
        <s:key name="enableRealtimeSearch">1</s:key>
        <s:key name="enableTsidxReduction">0</s:key>
        <s:key name="federated.dataset">sendmail</s:key>
        <s:key name="federated.provider">remote_deployment_1</s:key>
        <s:key name="fileSystemExecutorWorkers">5</s:key>
        <s:key name="frozenTimePeriodInSecs">188697600</s:key>
        <s:key name="homePath.maxDataSizeMB">0</s:key>
        <s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
        <s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
        <s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
        <s:key name="hotBucketStreaming.reportStatus">0</s:key>
        <s:key name="hotBucketStreaming.sendSlices">0</s:key>
        <s:key name="hotBucketTimeRefreshInterval">10</s:key>
        <s:key name="indexThreads">auto</s:key>
        <s:key name="journalCompression">gzip</s:key>
        <s:key name="maxBloomBackfillBucketAge">30d</s:key>
        <s:key name="maxBucketSizeCacheEntries">0</s:key>
        <s:key name="maxConcurrentOptimizes">6</s:key>
        <s:key name="maxDataSize">auto</s:key>
        <s:key name="maxGlobalDataSizeMB">0</s:key>
        <s:key name="maxGlobalRawDataSizeMB">0</s:key>
        <s:key name="maxHotBuckets">auto</s:key>
        <s:key name="maxHotIdleSecs">0</s:key>
        <s:key name="maxHotSpanSecs">7776000</s:key>
        <s:key name="maxMemMB">5</s:key>
        <s:key name="maxMetaEntries">1000000</s:key>
        <s:key name="maxRunningProcessGroups">8</s:key>
        <s:key name="maxRunningProcessGroupsLowPriority">1</s:key>
        <s:key name="maxTimeUnreplicatedNoAcks">300</s:key>
        <s:key name="maxTimeUnreplicatedWithAcks">60</s:key>
        <s:key name="maxTotalDataSizeMB">500000</s:key>
        <s:key name="maxWarmDBCount">300</s:key>
        <s:key name="memPoolMB">auto</s:key>
        <s:key name="metric.compressionBlockSize">1024</s:key>
        <s:key name="metric.enableFloatingPointCompression">1</s:key>
        <s:key name="metric.maxHotBuckets">auto</s:key>
        <s:key name="metric.splitByIndexKeys"></s:key>
        <s:key name="metric.stubOutRawdataJournal">1</s:key>
        <s:key name="metric.timestampResolution">s</s:key>
        <s:key name="metric.tsidxTargetSizeMB">1500</s:key>
        <s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
        <s:key name="minRawFileSyncSecs">disable</s:key>
        <s:key name="minStreamGroupQueueSize">2000</s:key>
        <s:key name="partialServiceMetaPeriod">0</s:key>
        <s:key name="processTrackerServiceInterval">1</s:key>
        <s:key name="quarantineFutureSecs">2592000</s:key>
        <s:key name="quarantinePastSecs">77760000</s:key>
        <s:key name="rawChunkSizeBytes">131072</s:key>
        <s:key name="repFactor">0</s:key>
        <s:key name="rotatePeriodInSecs">60</s:key>
        <s:key name="rtRouterQueueSize">10000</s:key>
        <s:key name="rtRouterThreads">0</s:key>
        <s:key name="selfStorageThreads">2</s:key>
        <s:key name="serviceInactiveIndexesPeriod">60</s:key>
        <s:key name="serviceMetaPeriod">25</s:key>
        <s:key name="serviceOnlyAsNeeded">1</s:key>
        <s:key name="serviceSubtaskTimingPeriod">30</s:key>
        <s:key name="splitByIndexKeys"></s:key>
        <s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
        <s:key name="suppressBannerList"></s:key>
        <s:key name="suspendHotRollByDeleteQuery">0</s:key>
        <s:key name="sync">0</s:key>
        <s:key name="syncMeta">1</s:key>
        <s:key name="throttleCheckPeriod">15</s:key>
        <s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
        <s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
        <s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
        <s:key name="tsidxTargetSizeMB">1500</s:key>
        <s:key name="tsidxWritingLevel">2</s:key>
        <s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
        <s:key name="waitPeriodInSecsForManifestWrite">60</s:key>
        <s:key name="warmToColdScript"></s:key>
      </s:dict>
    </content>
  </entry>

POST

Updates a definition for a specific {federated_index_name}.

Request parameters

At least one argument is required.

Name Type Description
federated.provider String Required. Specify the federated provider that contains the dataset to which this federated index maps.
federated.dataset String Required. Specify the dataset on the federated.provider to which this federated index maps. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.

For this version of the Splunk platform, the <type> is limited to index.

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.

Name Description
name Specifies the name of the federated index. Uses the syntax federated:<index_name>.
federated.provider Specifies the federated provider that contains the dataset to which this federated index maps.
federated.dataset Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.

Example request and response
Update the dataset mapping for the federated:airports-east federated index.

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/data/federated/index/federated:airports-east -d federated.dataset=index:airports-west

XML response

  <entry>
    <title>federated:airports-east</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="archiver.enableDataArchive">0</s:key>
        <s:key name="archiver.maxDataArchiveRetentionPeriod">0</s:key>
        <s:key name="assureUTF8">0</s:key>
        <s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
        <s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
        <s:key name="bucketMerge.minMergeSizeMB">750</s:key>
        <s:key name="bucketMerging">0</s:key>
        <s:key name="bucketRebuildMemoryHint">auto</s:key>
        <s:key name="coldPath.maxDataSizeMB">0</s:key>
        <s:key name="coldToFrozenDir"></s:key>
        <s:key name="coldToFrozenScript"></s:key>
        <s:key name="compressRawdata">1</s:key>
        <s:key name="datatype">event</s:key>
        <s:key name="defaultDatabase">main</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="enableDataIntegrityControl">0</s:key>
        <s:key name="enableOnlineBucketRepair">1</s:key>
        <s:key name="enableRealtimeSearch">1</s:key>
        <s:key name="enableTsidxReduction">0</s:key>
        <s:key name="federated.dataset">index:airports-west</s:key>
        <s:key name="federated.provider">remote_deployment_1</s:key>
        <s:key name="fileSystemExecutorWorkers">5</s:key>
        <s:key name="frozenTimePeriodInSecs">188697600</s:key>
        <s:key name="homePath.maxDataSizeMB">0</s:key>
        <s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
        <s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
        <s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
        <s:key name="hotBucketStreaming.reportStatus">0</s:key>
        <s:key name="hotBucketStreaming.sendSlices">0</s:key>
        <s:key name="hotBucketTimeRefreshInterval">10</s:key>
        <s:key name="indexThreads">auto</s:key>
        <s:key name="journalCompression">gzip</s:key>
        <s:key name="maxBloomBackfillBucketAge">30d</s:key>
        <s:key name="maxBucketSizeCacheEntries">0</s:key>
        <s:key name="maxConcurrentOptimizes">6</s:key>
        <s:key name="maxDataSize">auto</s:key>
        <s:key name="maxGlobalDataSizeMB">0</s:key>
        <s:key name="maxGlobalRawDataSizeMB">0</s:key>
        <s:key name="maxHotBuckets">auto</s:key>
        <s:key name="maxHotIdleSecs">0</s:key>
        <s:key name="maxHotSpanSecs">7776000</s:key>
        <s:key name="maxMemMB">5</s:key>
        <s:key name="maxMetaEntries">1000000</s:key>
        <s:key name="maxRunningProcessGroups">8</s:key>
        <s:key name="maxRunningProcessGroupsLowPriority">1</s:key>
        <s:key name="maxTimeUnreplicatedNoAcks">300</s:key>
        <s:key name="maxTimeUnreplicatedWithAcks">60</s:key>
        <s:key name="maxTotalDataSizeMB">500000</s:key>
        <s:key name="maxWarmDBCount">300</s:key>
        <s:key name="memPoolMB">auto</s:key>
        <s:key name="metric.compressionBlockSize">1024</s:key>
        <s:key name="metric.enableFloatingPointCompression">1</s:key>
        <s:key name="metric.maxHotBuckets">auto</s:key>
        <s:key name="metric.splitByIndexKeys"></s:key>
        <s:key name="metric.stubOutRawdataJournal">1</s:key>
        <s:key name="metric.timestampResolution">s</s:key>
        <s:key name="metric.tsidxTargetSizeMB">1500</s:key>
        <s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
        <s:key name="minRawFileSyncSecs">disable</s:key>
        <s:key name="minStreamGroupQueueSize">2000</s:key>
        <s:key name="partialServiceMetaPeriod">0</s:key>
        <s:key name="processTrackerServiceInterval">1</s:key>
        <s:key name="quarantineFutureSecs">2592000</s:key>
        <s:key name="quarantinePastSecs">77760000</s:key>
        <s:key name="rawChunkSizeBytes">131072</s:key>
        <s:key name="repFactor">0</s:key>
        <s:key name="rotatePeriodInSecs">60</s:key>
        <s:key name="rtRouterQueueSize">10000</s:key>
        <s:key name="rtRouterThreads">0</s:key>
        <s:key name="selfStorageThreads">2</s:key>
        <s:key name="serviceInactiveIndexesPeriod">60</s:key>
        <s:key name="serviceMetaPeriod">25</s:key>
        <s:key name="serviceOnlyAsNeeded">1</s:key>
        <s:key name="serviceSubtaskTimingPeriod">30</s:key>
        <s:key name="splitByIndexKeys"></s:key>
        <s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
        <s:key name="suppressBannerList"></s:key>
        <s:key name="suspendHotRollByDeleteQuery">0</s:key>
        <s:key name="sync">0</s:key>
        <s:key name="syncMeta">1</s:key>
        <s:key name="throttleCheckPeriod">15</s:key>
        <s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
        <s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
        <s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
        <s:key name="tsidxTargetSizeMB">1500</s:key>
        <s:key name="tsidxWritingLevel">2</s:key>
        <s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
        <s:key name="waitPeriodInSecsForManifestWrite">60</s:key>
        <s:key name="warmToColdScript"></s:key>
      </s:dict>
    </content>
  </entry>

DELETE

Deletes a definition for a specific {federated_index_name}.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example request and response

Remove the my_federated_index stanza from indexes.conf.

XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/index/federated:my_federated_index

XML response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>federated-index</title>
  <id>/services/data/federated/index</id>
  <updated>2021-04-27T12:57:06-07:00</updated>
  <generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/index/_new" rel="create"/>
  <link href="/services/data/federated/index/_reload" rel="_reload"/>
  <link href="/services/data/federated/index/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>
Last modified on 19 January, 2023
PREVIOUS
Deployment endpoint descriptions
  NEXT
Input endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters