Data object endpoints
The data object endpoints let you create indexes and add inputs and outputs to Splunk. Use these endpoints to add data to your Splunk instance or to send data between two Splunk instances.
All the data object endpoints exist off the ../services/data main endpoint.
Data
The ../services/data/ endpoint provides general services for data stores.
GET
Returns summary information about indexes, disk usage, free space, etc.
response status
200
OK
response body
// TBD
POST
Resurrects or unresurrects data stored in Splunk DB format.
form arguments
action
{resurrect | unresurrect} The action to perform
index
Specifies the name of the index to move data into/out of. Used with resurrect and unresurrect.
directory
Specifies the directory in which to search for data to resurrect. Only valid when action=resurrect.
start_time
Specifies the earliest time (inclusive) from which to move data. Default is earliest encountered time. Used with resurrect and unresurrect.
end_time
Specifies the latest time (exclusive) from which to move data. Default is latest encountered time. Used with resurrect and unresurrect.
response status
200
Method executed successfully
400
Some arguments were invalid
500
There was an error; see body contents for messages
response body
Sample response to a successful action:
<response>
<messages>
<msg type="INFO">Successfully resurrected data from foo into index bar</msg>
</messages>
</response>
Sample response to an unsuccessful action:
<response>
<messages>
<msg type="ERROR">Resurrection failed; directory /foo/bar/baz was not found</msg>
</messages>
</response>
Indexes
Use the endpoint at /services/data/indexes to create new indexes, or manage existing indexes.
GET
Lists the recognized indexes on the server
response status
200
OK
response body
Sample response to listing indexes:
<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:s='http://dev.splunk.com/ns/rest'>
<title>Indexes</title>
<id>https://127.0.0.1:23424/services/data/indexes</id>
<author><name>Splunk</name></author>
<entry>
<title>_internal</title>
<id>https://127.0.0.1:23424/services/data/indexes/_internal</id>
<link href='https://127.0.0.1:23424/services/data/indexes/_internal' rel='alternate'/>
<updated>2008-05-29T14:20:22-0700</updated>
<content type='text/xml'>
<s:dict>
<s:key name='blockSignSize'>0</s:key>
<s:key name='coldPath'>/home/vishalp/inst/3.2/var/lib/splunk/_internaldb/colddb</s:key>
<s:key name='coldToFrozenScript'>echo $DIR</s:key>
<s:key name='compressRawdata'>true</s:key>
<s:key name='frozenTimePeriodInSecs'>2419200</s:key>
<s:key name='homePath'>/home/vishalp/inst/3.2/var/lib/splunk/_internaldb/db</s:key>
<s:key name='indexThreads'>0</s:key>
<s:key name='maxColdDBCount'>10</s:key>
<s:key name='maxConcurrentOptimizes'>3</s:key>
<s:key name='maxDataSize'>104857600</s:key>
<s:key name='maxMemMB'>10</s:key>
<s:key name='maxResults'>500000</s:key>
<s:key name='maxTotalDataSizeMB'>500000</s:key>
<s:key name='maxWarmDBCount'>300</s:key>
<s:key name='rotatePeriodInSecs'>60</s:key>
<s:key name='thawedPath'>/home/vishalp/inst/3.2/var/lib/splunk/_internaldb/thaweddb</s:key>
<s:key name='waitForOptimize'>false</s:key>
<s:key name='warmToColdScript'></s:key>
<s:key name='currentDBSizeMB'>9</s:key>
<s:key name='eventCount'>353</s:key>
<s:key name='isReadOnly'>false</s:key>
<s:key name='minTime'>2008-05-28T11:42:00-0700</s:key>
<s:key name='maxTime'>2008-05-29T14:19:28-0700</s:key>
<s:key name='signatureDatabase'>_blocksignature</s:key>
<s:key name='totalEventCount'>15957</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>_blocksignature</title>
<id>https://127.0.0.1:23424/services/data/indexes/_blocksignature</id>
<link href='https://127.0.0.1:23424/services/data/indexes/_blocksignature' rel='alternate'/>
<updated>2008-05-29T14:17:56-0700</updated>
<content type='text/xml'>
<s:dict>
<s:key name='blockSignSize'>0</s:key>
<s:key name='coldPath'>/home/vishalp/inst/3.2/var/lib/splunk/blockSignature/colddb</s:key>
<s:key name='coldToFrozenScript'>echo $DIR</s:key>
<s:key name='compressRawdata'>true</s:key>
<s:key name='frozenTimePeriodInSecs'>0</s:key>
<s:key name='homePath'>/home/vishalp/inst/3.2/var/lib/splunk/blockSignature/db</s:key>
<s:key name='indexThreads'>0</s:key>
<s:key name='maxColdDBCount'>10</s:key>
<s:key name='maxConcurrentOptimizes'>3</s:key>
<s:key name='maxDataSize'>1048576000</s:key>
<s:key name='maxMemMB'>10</s:key>
<s:key name='maxResults'>500000</s:key>
<s:key name='maxTotalDataSizeMB'>0</s:key>
<s:key name='maxWarmDBCount'>300</s:key>
<s:key name='rotatePeriodInSecs'>60</s:key>
<s:key name='thawedPath'>/home/vishalp/inst/3.2/var/lib/splunk/blockSignature/thaweddb</s:key>
<s:key name='waitForOptimize'>false</s:key>
<s:key name='warmToColdScript'></s:key>
<s:key name='currentDBSizeMB'>1</s:key>
<s:key name='eventCount'>0</s:key>
<s:key name='isReadOnly'>false</s:key>
<s:key name='minTime'></s:key>
<s:key name='maxTime'></s:key>
<s:key name='signatureDatabase'>_blocksignature</s:key>
<s:key name='totalEventCount'>0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>metaevents</title>
<id>https://127.0.0.1:23424/services/data/indexes/metaevents</id>
<link href='https://127.0.0.1:23424/services/data/indexes/metaevents' rel='alternate'/>
<updated>2008-05-29T14:17:56-0700</updated>
<content type='text/xml'>
<s:dict>
<s:key name='blockSignSize'>0</s:key>
<s:key name='coldPath'>/home/vishalp/inst/3.2/var/lib/splunk/metaeventdb/colddb</s:key>
<s:key name='coldToFrozenScript'>echo $DIR</s:key>
<s:key name='compressRawdata'>true</s:key>
<s:key name='frozenTimePeriodInSecs'>188697600</s:key>
<s:key name='homePath'>/home/vishalp/inst/3.2/var/lib/splunk/metaeventdb/db</s:key>
<s:key name='indexThreads'>0</s:key>
<s:key name='maxColdDBCount'>10</s:key>
<s:key name='maxConcurrentOptimizes'>3</s:key>
<s:key name='maxDataSize'>786432000</s:key>
<s:key name='maxMemMB'>100</s:key>
<s:key name='maxResults'>500000</s:key>
<s:key name='maxTotalDataSizeMB'>500000</s:key>
<s:key name='maxWarmDBCount'>300</s:key>
<s:key name='rotatePeriodInSecs'>60</s:key>
<s:key name='thawedPath'>/home/vishalp/inst/3.2/var/lib/splunk/metaeventdb/thaweddb</s:key>
<s:key name='waitForOptimize'>false</s:key>
<s:key name='warmToColdScript'></s:key>
<s:key name='currentDBSizeMB'>1</s:key>
<s:key name='eventCount'>0</s:key>
<s:key name='isReadOnly'>false</s:key>
<s:key name='minTime'></s:key>
<s:key name='maxTime'></s:key>
<s:key name='signatureDatabase'>_blocksignature</s:key>
<s:key name='totalEventCount'>0</s:key>
</s:dict>
</content>
</entry>
<update>2008-05-29T14:20:33-0700</update>
</feed>
POST
Creates a new index.
form arguments
name
The name of the index to add
<conf parameters>
See indexes.conf.spec for all other parameters and default values
response status
201
Index created successfully; followed by header: Location: /services/data/indexes/my_new_index_name
400
Some arguments were invalid
409
The index name already exists
500
Unspecified error
response body
Sample response to a successful action:
<response>
<messages>
<msg type="INFO">Successfully created index my_new_index</msg>
</messages>
</response>
Access specific index
Use the endpoint at /services/data/indexes/<index_name> to access a specific index.
GET
Returns summary data about a specific index.
response status
200
OK
404
Index was not found on the server
response body
Sample response to main index
<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:s='http://dev.splunk.com/ns/rest'>
<title>_internal</title>
<id>https://127.0.0.1:23424/services/data/indexes/_internal</id>
<author><name>Splunk</name></author>
<updated>2008-05-29T14:40:51-0700</updated>
<content type='text/xml'>
<s:dict>
<s:key name='blockSignSize'>0</s:key>
<s:key name='coldPath'>/home/vishalp/inst/3.2/var/lib/splunk/_internaldb/colddb</s:key>
<s:key name='coldToFrozenScript'>echo $DIR</s:key>
<s:key name='compressRawdata'>true</s:key>
<s:key name='frozenTimePeriodInSecs'>2419200</s:key>
<s:key name='homePath'>/home/vishalp/inst/3.2/var/lib/splunk/_internaldb/db</s:key>
<s:key name='indexThreads'>0</s:key>
<s:key name='maxColdDBCount'>10</s:key>
<s:key name='maxConcurrentOptimizes'>3</s:key>
<s:key name='maxDataSize'>104857600</s:key>
<s:key name='maxMemMB'>10</s:key>
<s:key name='maxResults'>500000</s:key>
<s:key name='maxTotalDataSizeMB'>500000</s:key>
<s:key name='maxWarmDBCount'>300</s:key>
<s:key name='rotatePeriodInSecs'>60</s:key>
<s:key name='thawedPath'>/home/vishalp/inst/3.2/var/lib/splunk/_internaldb/thaweddb</s:key>
<s:key name='waitForOptimize'>false</s:key>
<s:key name='warmToColdScript'></s:key>
<s:key name='currentDBSizeMB'>9</s:key>
<s:key name='eventCount'>2385</s:key>
<s:key name='isReadOnly'>false</s:key>
<s:key name='minTime'>2008-05-28T11:42:00-0700</s:key>
<s:key name='maxTime'>2008-05-29T14:40:13-0700</s:key>
<s:key name='signatureDatabase'>_blocksignature</s:key>
<s:key name='totalEventCount'>17989</s:key>
</s:dict>
</content>
</entry>
POST
Edit index properties.
form arguments
<conf parameters>
See indexes.conf.spec for configurable parameters
response status
200
Properties were updated successfully
400
Some arguments were invalid
404
Index was not found
500
Unspecified error
response body
Sample response to a successful action:
<response>
<messages>
<msg type="INFO">Successfully updated index my_new_index</msg>
</messages>
</response>
TCP inputs
Use the endpoint at /services/data/inputs/tcp to create a TCP input.
GET
Returns resources to configure raw and cooked ports and the SSL configuration.
response status
200
OK
response body
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title></title>
<id>https://localhost:8089/services/data/inputs/tcp</id>
<updated>2009-02-12T17:50:29-0800</updated>
<generator version="50432"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>cooked</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
<updated>2009-02-12T17:50:29-0800</updated>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked" rel="alternate"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2009-02-12T17:50:29-0800</updated>
<link href="https://localhost:8089/services/data/inputs/tcp/raw" rel="alternate"/>
<link href="https://localhost:8089/services/data/inputs/tcp/raw" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2009-02-12T17:50:29-0800</updated>
<link href="https://localhost:8089/services/data/inputs/tcp/ssl" rel="alternate"/>
<link href="https://localhost:8089/services/data/inputs/tcp/ssl" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
</feed>
Cooked TCP
Use the /services/data/inputs/tcp/cooked endpoint to add and manage cooked TCP inputs.
GET
Returns the configured cooked TCP inputs, including those that use SSL. The response shows both SSL and non-SSL ports.
response status
200
OK
response body
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>cooked</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
<updated>2009-02-12T18:30:13-0800</updated>
<generator version="50432"/>
<author>
<name>Splunk</name>
</author>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/_new" rel="create"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>3333</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked/3333</id>
<updated>2009-02-12T18:30:13-0800</updated>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/3333" rel="alternate"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/3333" rel="list"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/3333" rel="edit"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/3333" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="_actions">new,edit,delete</s:key>
<s:key name="_rcvbuf">196608</s:key>
<s:key name="connection_host">ip</s:key>
<s:key name="disabled">false</s:key>
<s:key name="host">prod1.splunk.com</s:key>
<s:key name="index">default</s:key>
<s:key name="queue">parsingQueue</s:key>
<s:key name="source">apache-log</s:key>
<s:key name="sourcetype">httplog</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>4444</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked/4444</id>
<updated>2009-02-12T18:30:13-0800</updated>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/4444" rel="alternate"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/4444" rel="list"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/4444" rel="edit"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/4444" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="SSL">true</s:key>
<s:key name="_actions">new,edit,delete</s:key>
<s:key name="_rcvbuf">196608</s:key>
<s:key name="connection_host">ip</s:key>
<s:key name="disabled">false</s:key>
<s:key name="host">prod1.splunk.com</s:key>
<s:key name="index">default</s:key>
<s:key name="queue">parsingQueue</s:key>
<s:key name="source">apache-log</s:key>
<s:key name="sourcetype">httplog</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Configures a cooked non-SSL or SSL input port.
form arguments
name
The input port on which Splunk will receive raw data
host
Host from which the indexer will get data
index
Index in which the data will show up
sourcetype
sourcetype
source
source
queue
queue where the arriving data will be put
connection_host
connection_host
SSL
true/false. If SSL is not already configured, an error is returned
disabled
true/false
response status
200
Method executed successfully
400
Some arguments were invalid
500
There was an error; see body contents for messages
response body
Sample response to a successful action:
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2009-02-12T18:19:36-0800</updated>
<generator version="50432"/>
<author>
<name>Splunk</name>
</author>
<link href="https://localhost:8089/services/data/inputs/tcp/raw/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
</feed>
Sample error response to a failed action:
<response>
<messages>
<msg type="WARN">In handler 'raw': SSL configuration for inputs does not exist.
Please create SSL configuration before enabling SSL on input</msg>
</messages>
</response>
TCP with SSL
Use /services/data/inputs/tcp/ssl to configure SSL for TCP inputs.
GET
Returns SSL configuration. There is only one SSL config present for all input ports.
response status
200
OK
response body
If not configured:
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>cooked</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
<updated>2009-02-12T18:47:03-0800</updated>
<generator version="50432"/>
<author>
<name>Splunk</name>
</author>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>Cooked</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked/Cooked</id>
<updated>2009-02-12T18:47:03-0800</updated>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/Cooked" rel="alternate"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/Cooked" rel="list"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/Cooked" rel="edit"/>
<link href="https://localhost:8089/services/data/inputs/tcp/cooked/Cooked" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="connection_host"></s:key>
<s:key name="disabled">true</s:key>
<s:key name="host"></s:key>
<s:key name="index"></s:key>
<s:key name="queue"></s:key>
<s:key name="source"></s:key>
<s:key name="sourcetype"></s:key>
</s:dict>
</content>
</entry>
</feed>
If configured:
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2009-02-12T18:49:25-0800</updated>
<generator version="50432"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>SSL</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl/SSL</id>
<updated>2009-02-12T18:49:25-0800</updated>
<link href="https://localhost:8089/services/data/inputs/tcp/ssl/SSL" rel="alternate"/>
<link href="https://localhost:8089/services/data/inputs/tcp/ssl/SSL" rel="list"/>
<link href="https://localhost:8089/services/data/inputs/tcp/ssl/SSL" rel="edit"/>
<link href="https://localhost:8089/services/data/inputs/tcp/ssl/SSL" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="_actions">new,edit,delete</s:key>
<s:key name="_rcvbuf">196608</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">false</s:key>
<s:key name="host">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="password">changeme</s:key>
<s:key name="requireClientCert">false</s:key>
<s:key name="rootCA">/root/rootCA.crt</s:key>
<s:key name="serverCert">/root/serverCert.crt</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Configures SSL attributes.
form arguments
name
SSL. This name "SSL" should be used to configure SSL
serverCert
Pathname of server certificate
password
password to access the private keys
rootCA
Pathname for root CA certificate
requireClientCert
true/false
response status
200
Method executed successfully
400
Some arguments were invalid
500
There was an error; see body contents for messages
response body
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2009-02-12T18:48:37-0800</updated>
<generator version="50432"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
</feed>
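An added example, not part of the Splunk documentation: a Python check that parses the Atom responses of /services/data/inputs/tcp/cooked and /services/data/inputs/tcp/ssl and reports enabled cooked ports without SSL, an SSL configuration that does not require client certificates, a key password returned in the response, and cipherSuite tokens that enable weak ciphers. The sample XML is constructed from the responses above; the function names and the weak-cipher word list are assumptions of this example.

```python
"""Audit Splunk TCP-input REST responses (Atom feeds of s:dict entries)."""
import xml.etree.ElementTree as ET

NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Cipher keywords this example treats as weak (an assumption, not a Splunk list).
WEAK_CIPHER_WORDS = {"RC4", "DES", "MD5", "LOW", "EXP", "EXPORT", "NULL", "aNULL", "eNULL"}

# Constructed samples, trimmed from the responses shown on this page.
COOKED_SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>3333</title><content type="text/xml"><s:dict>
    <s:key name="disabled">false</s:key>
    <s:key name="index">default</s:key>
  </s:dict></content></entry>
  <entry><title>4444</title><content type="text/xml"><s:dict>
    <s:key name="SSL">true</s:key>
    <s:key name="disabled">false</s:key>
    <s:key name="index">default</s:key>
  </s:dict></content></entry>
</feed>"""

SSL_SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>SSL</title><content type="text/xml"><s:dict>
    <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
    <s:key name="disabled">false</s:key>
    <s:key name="password">changeme</s:key>
    <s:key name="requireClientCert">false</s:key>
    <s:key name="rootCA">/root/rootCA.crt</s:key>
    <s:key name="serverCert">/root/serverCert.crt</s:key>
  </s:dict></content></entry>
</feed>"""


def parse_feed(xml_text):
    """Return {entry title: {key name: value}} for every <entry> in the feed."""
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.findall("a:entry", NS):
        title = entry.findtext("a:title", default="", namespaces=NS)
        keys = entry.findall("a:content/s:dict/s:key", NS)
        entries[title] = {k.get("name"): (k.text or "") for k in keys}
    return entries


def audit_cooked_inputs(entries):
    """Flag enabled cooked ports whose s:dict does not carry SSL=true."""
    findings = []
    for port, cfg in sorted(entries.items()):
        if cfg.get("disabled") == "true":
            continue  # a disabled input is not listening
        if cfg.get("SSL") != "true":
            findings.append((port, "enabled input accepts data without SSL"))
    return findings


def weak_cipher_tokens(cipher_suite):
    """Return the tokens of an OpenSSL-style cipher string that enable weak ciphers."""
    weak = []
    for token in cipher_suite.split(":"):
        if not token or token[0] in "!-":
            continue  # "!" and "-" remove ciphers, they do not enable them
        parts = token.lstrip("+").split("+")  # "RC4+RSA" selects RC4 AND RSA
        if any(part in WEAK_CIPHER_WORDS for part in parts):
            weak.append(token)
    return weak


def audit_ssl_config(entries):
    """Flag weak settings in the single SSL configuration entry."""
    findings = []
    for name, cfg in sorted(entries.items()):
        if cfg.get("disabled") == "true":
            continue
        if cfg.get("requireClientCert") != "true":
            findings.append((name, "client certificates are not required"))
        if "password" in cfg:
            findings.append((name, "private-key password is returned in the response body"))
        for token in weak_cipher_tokens(cfg.get("cipherSuite", "")):
            findings.append((name, "cipherSuite enables weak ciphers: " + token))
    return findings


if __name__ == "__main__":
    for finding in audit_cooked_inputs(parse_feed(COOKED_SAMPLE)):
        print("cooked", *finding)
    for finding in audit_ssl_config(parse_feed(SSL_SAMPLE)):
        print("ssl", *finding)
```

The cipher check only looks at tokens that name a weak cipher family explicitly; a broad token such as ALL is not expanded.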
Windows event logs
/services/data/inputs/win-event-log-collections provides the endpoints to list, create, edit and delete Windows event log collections.
GET
Returns a list of all the Windows event log collections that the system is monitoring.
form arguments
name
The name of the collection.
logs
All of the log channels that this collection represents. On the _new action, for remote hosts this is a dynamically generated list
hosts
All of the hosts that this collection applies to.
lookup_host
Only used on the _new action. This is where you specify which host to look up for pulling the dynamic list of logs
response status
200
Method executed successfully
response body
POST
Adds/edits a Windows event log collection
form arguments
name
The name of the collection. The name of the collection representing the local machine is static.
log
Windows event log channel, the actual channel selected by the user during creation of the collection.
hosts
Comma-separated list of all the hosts.
response status
201
Collection successfully created
response body
WMI collections
/services/data/inputs/win-wmi-collections provides the endpoints to list, create, edit and delete Windows WMI collections. After you select a WMI class, one or more fields and one or more hosts, Splunk polls those hosts at a given interval, executing the WQL query.
GET
Returns a list of all the Windows WMI collections that the system is monitoring.
form arguments
name
The name of the collection.
class
WMI class, you can only select one
fields
List of fields from the class selected above. You can select one or more fields
server
One or more machines to poll
interval
The interval at which the above machine is polled
wql
The WQL string created once the user has selected the class and fields
response status
200
Method executed successfully
response body
POST
Adds/edits a Windows event log collection
form arguments
name
The Name of the collection.
class
WMI class name that the user picked
field
Field value selected by the user.
server
The machine to which this WMI collection/WQL applies
response status
201
Collection successfully created
response body
TCP outputs
/services/data/outputs/tcp is the container for managing TCP-based forwarders.
GET
Returns resources to configure raw or cooked forwarders with or without ssl
response status
200
OK
response body
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title></title>
<id>https://localhost:8089/services/data/outputs/tcp</id>
<updated>2009-02-13T17:22:40-0800</updated>
<generator version="50774"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>syslog</title>
<id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
<updated>2009-02-13T17:22:40-0800</updated>
<link href="https://localhost:8089/services/data/outputs/tcp/syslog" rel="alternate"/>
<link href="https://localhost:8089/services/data/outputs/tcp/syslog" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>tcpout-default:default</title>
<id>https://localhost:8089/services/data/outputs/tcp/tcpout-default%3Adefault</id>
<updated>2009-02-13T17:22:40-0800</updated>
<link href="https://localhost:8089/services/data/outputs/tcp/tcpout-default%3Adefault" rel="alternate"/>
<link href="https://localhost:8089/services/data/outputs/tcp/tcpout-default%3Adefault" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>tcpout-group:group</title>
<id>https://localhost:8089/services/data/outputs/tcp/tcpout-group%3Agroup</id>
<updated>2009-02-13T17:22:40-0800</updated>
<link href="https://localhost:8089/services/data/outputs/tcp/tcpout-group%3Agroup" rel="alternate"/>
<link href="https://localhost:8089/services/data/outputs/tcp/tcpout-group%3Agroup" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>tcpout-server:server</title>
<id>https://localhost:8089/services/data/outputs/tcp/tcpout-server%3Aserver</id>
<updated>2009-02-13T17:22:40-0800</updated>
<link href="https://localhost:8089/services/data/outputs/tcp/tcpout-server%3Aserver" rel="alternate"/>
<link href="https://localhost:8089/services/data/outputs/tcp/tcpout-server%3Aserver" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
</feed>
Default output settings
/services/data/outputs/tcp/default is the resource for setting the default tcpout properties.
GET
Returns current tcpout properties
response status
200
OK
response body
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tcpout-default</title>
<id>https://localhost:8089/services/data/outputs/tcp/default</id>
<updated>2009-02-13T23:51:12-0800</updated>
<generator version="50823"/>
<author>
<name>Splunk</name>
</author>
<link href="https://localhost:8089/services/data/outputs/tcp/default/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>tcpout</title>
<id>https://localhost:8089/services/data/outputs/tcp/default/tcpout</id>
<updated>2009-02-13T23:51:12-0800</updated>
<link href="https://localhost:8089/services/data/outputs/tcp/default/tcpout" rel="alternate"/>
<link href="https://localhost:8089/services/data/outputs/tcp/default/tcpout" rel="list"/>
<link href="https://localhost:8089/services/data/outputs/tcp/default/tcpout" rel="edit"/>
<link href="https://localhost:8089/services/data/outputs/tcp/default/tcpout" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="defaultGroup">indexer1.splunk.com_9997</s:key>
<s:key name="disabled">true</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Configures global tcpout properties. Post to url /services/data/outputs/tcp/default/tcpout.
form arguments
name
default
disabled
true/false
defaultGroup
Default group for tcpout
indexAndForward
true/false
response status
200
Method executed successfully
400
Some arguments were invalid
500
There was an error; see body contents for messages
response body
Sample response to a successful action:
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tcpout-default</title>
<id>https://localhost:8089/services/data/outputs/tcp/default</id>
<updated>2009-02-14T00:20:16-0800</updated>
<generator version="50823"/>
<author>
<name>Splunk</name>
</author>
<link href="https://localhost:8089/services/data/outputs/tcp/default/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
</feed>
TCP server
/services/data/outputs/tcp/server is the container for configuring forwarded servers.
GET
Lists existing forwarded servers
response status
200
OK
response body
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2009-02-13T23:34:09-0800</updated>
<generator version="50823"/>
<author>
<name>Splunk</name>
</author>
<link href="https://localhost:8089/services/data/outputs/tcp/server/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>indexer1.splunk.com:9997</title>
<id>https://localhost:8089/services/data/outputs/tcp/server/indexer1.splunk.com%3A9997</id>
<updated>2009-02-13T23:34:09-0800</updated>
<link href="https://localhost:8089/services/data/outputs/tcp/server/indexer1.splunk.com%3A9997" rel="alternate"/>
<link href="https://localhost:8089/services/data/outputs/tcp/server/indexer1.splunk.com%3A9997" rel="list"/>
<link href="https://localhost:8089/services/data/outputs/tcp/server/indexer1.splunk.com%3A9997" rel="edit"/>
<link href="https://localhost:8089/services/data/outputs/tcp/server/indexer1.splunk.com%3A9997" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="backoffAtStartup">1</s:key>
<s:key name="disabled">false</s:key>
<s:key name="initialBackoff">3</s:key>
<s:key name="maxBackoff">50</s:key>
<s:key name="maxNumberOfRetriesAtHighestBackoff">10</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Configures forwarded server
form arguments
name
host:port
initialBackoff
Backoff in seconds at initial time
maxNumberOfRetriesAtHighestBackoff
Maximum number of retries
maxBackoff
Maximum backoff in seconds
backoffAtStartup
Backoff in seconds at startup
sslVerifyServerCert
true/false
sslCommonNameToCheck
server's common name, set only if sslVerifyServerCert is set to true
sslAltNameToCheck
server's alternate name, set only if sslVerifyServerCert is set to true
sslRootCAPath
optional path to root certificate authority file
sslCertPath sslCipher sslPassword
response status
200
Method executed successfully
400
Some arguments were invalid
500
There was an error; see body contents for messages
response body
Sample response to a successful action:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2009-02-13T23:32:58-0800</updated>
<generator version="50823"/>
<author>
<name>Splunk</name>
</author>
<link href="https://localhost:8089/services/data/outputs/tcp/server/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
</feed>
Sample error response to a failed action:
<response>
<messages>
<msg type="WARN">In handler 'raw': SSL configuration for inputs does not exist. Please create SSL configuration before enabling SSL on input</msg>
</messages>
</response>
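An added example, not part of the Splunk documentation: Python that builds the form body for a POST to /services/data/outputs/tcp/server without sending it, enforces the rule that sslCommonNameToCheck and sslAltNameToCheck are set only when sslVerifyServerCert is true, and reads the response using the status codes and `<msg>` format shown above. The function names, the form-urlencoded encoding and the treatment of a WARN message as a failure are assumptions of this example; the error body is constructed from the sample above.

```python
"""Build and check a POST to /services/data/outputs/tcp/server without sending it."""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

# Management URL as it appears in this page's sample responses.
BASE = "https://localhost:8089/services/data/outputs/tcp/server"

# Meaning of each response status, as listed for this endpoint.
STATUS_MEANING = {
    200: "Method executed successfully",
    400: "Some arguments were invalid",
    500: "There was an error; see body contents for messages",
}

# Constructed error body, modeled on the sample error response.
ERROR_BODY = """<response>
<messages>
<msg type="WARN">In handler 'raw': SSL configuration for inputs does not exist.
Please create SSL configuration before enabling SSL on input</msg>
</messages>
</response>"""


def forward_server_form(host, port, verify_cert, common_name=None,
                        alt_name=None, root_ca=None):
    """Return the urlencoded form body for one forwarded server (name is host:port)."""
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    if (common_name or alt_name) and not verify_cert:
        # The name checks are documented as valid only with sslVerifyServerCert=true.
        raise ValueError("name checks require sslVerifyServerCert=true")
    fields = [
        ("name", f"{host}:{port}"),
        ("sslVerifyServerCert", "true" if verify_cert else "false"),
    ]
    if common_name:
        fields.append(("sslCommonNameToCheck", common_name))
    if alt_name:
        fields.append(("sslAltNameToCheck", alt_name))
    if root_ca:
        fields.append(("sslRootCAPath", root_ca))
    return urlencode(fields)


def entry_url(name):
    """URL of an existing entry; ':' in host:port is percent-encoded as in the sample ids."""
    return BASE + "/" + quote(name, safe="")


def read_response(status, body):
    """Return (ok, messages); messages is a list of (type, text) from <msg> elements."""
    messages = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None  # empty or truncated body: fall back to the status code alone
    if root is not None:
        for msg in root.iter("msg"):
            text = " ".join((msg.text or "").split())  # collapse line breaks
            messages.append((msg.get("type"), text))
    if not messages and status in STATUS_MEANING:
        messages.append(("STATUS", STATUS_MEANING[status]))
    # Assumption of this example: a WARN or ERROR message means the action failed.
    ok = status == 200 and not any(kind in ("WARN", "ERROR") for kind, _ in messages)
    return ok, messages


if __name__ == "__main__":
    print(forward_server_form("indexer1.splunk.com", 9997, True,
                              common_name="indexer1.splunk.com"))
    print(entry_url("indexer1.splunk.com:9997"))
    print(read_response(500, ERROR_BODY))
```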
This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.