REST API Reference Manual

Inputs

Use the Inputs endpoints to manage data sent to Splunk servers.

data/inputs/*
Create and manage data inputs to Splunk servers.


receivers/*
Create and manage HTTP streaming of events to Splunk servers.


data/inputs/ad

Provides access to Active Directory monitoring input.

GET data/inputs/ad

Gets current AD monitoring configuration.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view AD monitoring configuration.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates whether this input is disabled.
index The index in which to store the gathered data.

If no value is present, send data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.
startingNode Tells Splunk where in the Active Directory directory tree to start monitoring.

If not specified, Splunk attempts to start at the root of the directory tree.

The user that you configure Splunk to run as at installation determines where Splunk starts monitoring.

targetDc Fully qualified domain name of a valid, network-accessible Active Directory domain controller.

If not specified, Splunk obtains the local computer's DC by default, and binds to its root Distinguished Name (DN).

Example

Lists all configured AD monitoring stanzas.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/ad
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/ad</id>
  <updated>2011-07-29T19:13:28-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/ad/_new" rel="create"/>
  <link href="/services/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>NearestDC</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/ad/NearestDC</id>
    <updated>2011-07-29T19:13:28-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">1</s:key>
        <s:key name="startingNode"/>
        <s:key name="targetDc"/>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/ad

Creates a new AD monitoring stanza or modifies an existing one.

Request

Name Type Required Default Description
name String
A unique name that represents a configuration or set of configurations for a specific domain controller (DC).
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree Number
Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, Splunk attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk will obtain the local computer's DC.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create monitoring stanza.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a new AD monitoring stanza, naming it 'newdc', without sub-tree monitoring.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/inputs/ad \
	-d monitorSubtree=0 \
	-d name=newdc
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:14:57-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/ad/{name}

DELETE data/inputs/ad/{name}

Deletes a given AD monitoring stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete AD monitoring stanza.
404 AD monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes a given stanza.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:22:50-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/ad/{name}

Gets the current configuration for a given AD monitoring stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view AD monitoring configuration.
404 AD monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates whether this input is disabled.
eai:attributes See Accessing Splunk resources
index The index in which to store the gathered data.

If no value is present, send data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.

Example

Gets configuration for a given AD monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:18:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>newdc</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad/newdc</id>
    <updated>2011-07-29T19:18:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>startingNode</s:item>
                <s:item>targetDc</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>monitorSubtree</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/ad/{name}

Modifies a given AD monitoring stanza.

Request

Name Type Required Default Description
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree Number
Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, Splunk attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk will obtain the local computer's DC.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit AD monitoring stanza.
404 AD monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Modifies an existing AD monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc \
	-d monitorSubtree=1
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:20:16-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/inputs/all

Provides access to all inputs to the Splunk server. This includes any modular inputs that may be defined on the system.

GET data/inputs/all

Lists all inputs to the Splunk server. The list includes any modular inputs that may be defined on the system.

Request

Name Type Required Default Description
common Boolean Indicates whether to return only attributes common to all inputs. These common attributes are:
app
disabled
host
index
owner
source
sourcetype
title
updated
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs to the Splunk server.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

The returned values for this endpoint vary, depending on the inputs on your system.

It returns common fields, such as index and disabled, as well as fields specific to an input type, such as restrictToHost for UDP inputs. The id contains a full, valid REST pointer to that input.

Example

List data inputs for this Splunk server.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/all
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>all</title>
  <id>https://localhost:8089/services/data/inputs/all</id>
  <updated>2012-10-01T16:08:24-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/all/_new" rel="create"/>
  <link href="/services/data/inputs/all/_reload" rel="_reload"/>
  <link href="/services/data/inputs/all/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title></title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/</id>
    <updated>2012-10-01T16:08:24-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/all//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/all//enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="host">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>$SPLUNK_HOME/etc/splunk.version</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
    <updated>2012-10-01T16:08:24-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_TCP_ROUTING">*</s:key>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="filecount">1</s:key>
        <s:key name="host">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="sourcetype">splunk_version</s:key>
      </s:dict>
    </content>
  </entry>
   . . .
</feed>

data/inputs/all/{name}

GET data/inputs/all/{name}

Lists details for the input specified by {name}.

Request

Name Type Required Default Description
common Boolean Indicates whether to return only attributes common to all inputs. These common attributes are:
app
disabled
host
index
owner
source
sourcetype
title
updated

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view details for the specified input.
404 Specified input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

List details for the modular input, twitter.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/all/twitter
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>all</title>
  <id>https://localhost:8089/services/data/inputs/all</id>
  <updated>2012-07-11T08:03:17-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/all/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/inputs/all/twitter</id>
    <updated>2012-07-11T08:03:17-07:00</updated>
    <link href="/services/data/inputs/all/twitter" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/all/twitter" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Twitter.</s:key>
        <!-- eai:acl nodes and eai:attribute nodes elided for brevity. -->
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Twitter feed name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="password">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your twitter password</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Password</s:key>
                  </s:dict>
                </s:key>
                <s:key name="username">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Twitter ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Twitter ID/Handle</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">simple</s:key>
        <s:key name="title">Twitter</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/monitor

Provides access to monitor inputs.

GET data/inputs/monitor

List enabled and disabled monitor inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view monitored input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_TCP_ROUTING List of TCP forwarding groups, as specified in outputs.conf.
disabled Indicates if inputs monitoring is disabled.
filecount Number of files monitored.
host Name of the Splunk host for which inputs are monitored.
index The index in which to store the gathered data.
sourcetype Source type being monitored.

The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk formats your data.

Example

Provides information on all enabled and disabled inputs for monitoring by this Splunk instance.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/monitor
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/services/data/inputs/monitor</id>
  <updated>2011-07-10T14:25:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/monitor/_new" rel="create"/>
  <link href="/services/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>$SPLUNK_HOME/etc/splunk.version</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
    <updated>2011-07-10T14:25:53-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_TCP_ROUTING">*</s:key>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="filecount">1</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="sourcetype">splunk_version</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/monitor

Create a new file or directory monitor input.

Request

Name Type Required Default Description
name String
The file or directory path to monitor on the system.
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the "index" value will be checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the "name" value will be checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time will be read from the end.
host String vgenovese-centos62x64-1 The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separated segment of the file path as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer monitored.
index String default Which index events from this input should be stored in.
recursive Boolean Setting this to "false" will prevent monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk reaches the end of a file that is being read, the file will be kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file will be checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create monitored input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Configures the Unix /var/log directory as a monitored input.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor \
	-d name=/var/log
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:27:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
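An added example, not Splunk's code, that validates the POST data/inputs/monitor parameters client-side before they are sent: the parameter names and their meanings come from the table above, while the rejection of keys not in that table and the sample values are assumptions.

```python
"""Build and validate the form body for POST data/inputs/monitor.

Added example for this page, not Splunk code. It checks the parameters
against the table above before anything is sent: regex-valued parameters
must compile, host_regex must have exactly one capture group, and booleans
and second counts are rendered as curl -d would send them. Rejecting keys
that are not in the table is a client-side guard assumed here, not
documented server behaviour.
"""
import re
from urllib.parse import urlencode

BOOL_KEYS = {"check-index", "check-path", "disabled", "followTail", "recursive"}
NUM_KEYS = {"host_segment", "time-before-close"}
REGEX_KEYS = {"blacklist", "whitelist", "host_regex"}
STR_KEYS = {"crc-salt", "host", "ignore-older-than", "index", "rename-source", "sourcetype"}
ALLOWED = BOOL_KEYS | NUM_KEYS | REGEX_KEYS | STR_KEYS


def build_monitor_body(name, params):
    """Return [(key, value), ...] ready for form-encoding, or raise ValueError."""
    if not name:
        raise ValueError("name (the file or directory path to monitor) is required")
    body = [("name", name)]
    for key, value in params.items():
        if key not in ALLOWED:
            raise ValueError(f"unknown parameter {key!r}")
        if key in BOOL_KEYS:
            body.append((key, "true" if value else "false"))
        elif key in NUM_KEYS:
            if int(value) < 0:
                raise ValueError(f"{key} must be a non-negative integer")
            body.append((key, str(int(value))))
        elif key in REGEX_KEYS:
            try:
                compiled = re.compile(value)
            except re.error as exc:
                raise ValueError(f"{key}: invalid regular expression ({exc})") from None
            # The table requires host_regex to carry exactly one capture group.
            if key == "host_regex" and compiled.groups != 1:
                raise ValueError("host_regex must have exactly one capture group")
            body.append((key, value))
        else:
            body.append((key, str(value)))
    return body


def encode_body(body):
    """Form-encode the pairs; this is the string curl sends with -d."""
    return urlencode(body)


if __name__ == "__main__":
    # Constructed sample values; check-path and check-index make the server
    # refuse a path that does not exist or an index that is not valid.
    pairs = build_monitor_body("/var/log", {
        "check-path": True,
        "check-index": True,
        "index": "os_logs",
        "whitelist": r"\.log$",
        "host_regex": r"/var/log/hosts/([^/]+)/",
        "time-before-close": 5,
    })
    print(encode_body(pairs))
```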

data/inputs/monitor/{name}

DELETE data/inputs/monitor/{name}

Disable the named monitor data input and remove it from the configuration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete monitored input.
404 Monitored input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Removes the following file as a monitored input. This monitored input was created in the example for the POST operation of this endpoint.

/Applications/splunk/var/log/splunk/web_access.log

The {name} field in the DELETE operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:35-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/monitor/{name}

List the properties of a single monitor data input.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view monitored input.
404 Monitored input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates if inputs monitoring is disabled.
eai:attributes See Accessing Splunk resources
filecount Number of files being monitored.
host Name of the Splunk host for which inputs are monitored.
index The index events from this input should be stored in.

Example

Returns information on the monitored directory /var/log.

The {name} field in the GET operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:33:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog</id>
    <updated>2011-07-10T14:33:54-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members" rel="members"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>blacklist</s:item>
                <s:item>check-index</s:item>
                <s:item>check-path</s:item>
                <s:item>crc-salt</s:item>
                <s:item>followTail</s:item>
                <s:item>host</s:item>
                <s:item>host_regex</s:item>
                <s:item>host_segment</s:item>
                <s:item>ignore-older-than</s:item>
                <s:item>index</s:item>
                <s:item>recursive</s:item>
                <s:item>rename-source</s:item>
                <s:item>sourcetype</s:item>
                <s:item>time-before-close</s:item>
                <s:item>whitelist</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="filecount">108</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/monitor/{name}

Update properties of the named monitor input.

Request

Name Type Required Default Description
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the "index" value will be checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the "name" value will be checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time will be read from the end.
host String vgenovese-centos62x64-1 The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separated segment of the file path as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index String default Which index events from this input should be stored in.
recursive Boolean Setting this to "false" will prevent monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk reaches the end of a file that is being read, the file will be kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file will be checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit monitored input.
404 Monitored input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Updates the monitored input such that it does not recurse through subdirectories. This monitored input was created in the example for the POST operation of this endpoint.

The {name} field in the POST operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog \
	-d recursive=false


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/monitor/{name}/members

GET data/inputs/monitor/{name}/members

Lists all files monitored under the named monitor input.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view monitored input's files.
404 Monitor input does not exist or does not have any members.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Retrieves the list of files under /var/log that this input is monitoring.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:34:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log/acpid</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid</id>
    <updated>2011-07-10T14:34:28-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
      </s:dict>
    </content>
  </entry>
  <!-- many more file entries elided for brevity. -->
</feed>


data/inputs/oneshot

Provides access to oneshot inputs.

GET data/inputs/oneshot

Enumerates in-progress oneshot inputs. As soon as an input is complete, it is removed from this list.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file has been read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.

Example

Lists the in-progress oneshot inputs for this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log/distccd.log</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log</id>
    <updated>2011-07-08T01:48:04-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">7200768</s:key>
        <s:key name="Offset">7200768</s:key>
        <s:key name="Size">449630160</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:47:53 PDT 2011</s:key>
        <!-- eai:acl nodes elided for brevity. -->
      </s:dict>
    </content>
  </entry>
</feed>
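As an added example that is not part of the Splunk manual, the following Python helpers build the double-percent-encoded data/inputs/monitor/{name} URL used in the DELETE, GET and POST examples above, parse the Atom feed that the inputs endpoints return, and compute oneshot progress as Offset/Size. The base URL and the two-entry feed are constructed; the second (compressed) entry is invented to show Bytes Indexed exceeding Offset.

```python
"""Helpers for the data/inputs/monitor and data/inputs/oneshot endpoints.

Added example, not code from the Splunk REST API reference. It assumes the
Atom feed and s:dict layout shown in the manual; every URL and feed below is
constructed for the example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

ATOM = "{http://www.w3.org/2005/Atom}"
SPLUNK = "{http://dev.splunk.com/ns/rest}"


def monitor_input_url(base, name, namespace="nobody", app="search"):
    """Build the data/inputs/monitor/{name} URL.

    The manual says {name} is "specially URI-encoded": the file path is
    percent-encoded twice, so "/var/log" becomes "%252Fvar%252Flog"
    (the "%" of the first pass is itself encoded as "%25").
    """
    once = quote(name, safe="")
    twice = quote(once, safe="")
    return f"{base}/servicesNS/{namespace}/{app}/data/inputs/monitor/{twice}"


def parse_entries(feed_xml):
    """Map each <entry> title to the scalar and list keys of its s:dict.

    Nested dicts such as eai:attributes are skipped; s:list values (for
    example the registry "type" key) come back as Python lists.
    """
    root = ET.fromstring(feed_xml)
    entries = {}
    for entry in root.findall(ATOM + "entry"):
        props = {}
        content = entry.find(ATOM + "content")
        top = content.find(SPLUNK + "dict") if content is not None else None
        for key in ([] if top is None else top.findall(SPLUNK + "key")):
            if len(key) == 0:                       # scalar value
                props[key.get("name")] = (key.text or "").strip()
            elif key.find(SPLUNK + "list") is not None:
                props[key.get("name")] = [i.text for i in key.iter(SPLUNK + "item")]
        entries[entry.findtext(ATOM + "title")] = props
    return entries


def oneshot_status(props):
    """Summarise a oneshot entry the way the manual describes its fields.

    Progress is Offset/Size. Offset is a position in the on-disk file, so
    for a compressed archive "Bytes Indexed" (uncompressed bytes) can exceed
    Offset. "Sources Indexed" of 0 means the source was not compressed.
    """
    size = int(props["Size"])
    offset = int(props["Offset"])
    return {
        "progress": 1.0 if size == 0 else offset / size,   # empty file: nothing to read
        "compressed": int(props["Sources Indexed"]) > 0,
        "bytes_indexed": int(props["Bytes Indexed"]),
        "done": offset >= size,
    }


# Constructed feed: the first entry copies the manual's values, the second is
# an invented compressed archive to exercise the Bytes Indexed > Offset case.
SAMPLE_ONESHOT_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <s:messages/>
  <entry>
    <title>/var/log/distccd.log</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">7200768</s:key>
        <s:key name="Offset">7200768</s:key>
        <s:key name="Size">449630160</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:47:53 PDT 2011</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>/var/log/archive.tar.gz</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">50000000</s:key>
        <s:key name="Offset">1000000</s:key>
        <s:key name="Size">4000000</s:key>
        <s:key name="Sources Indexed">3</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:50:00 PDT 2011</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    print(monitor_input_url("https://localhost:8089", "/var/log"))
    for title, props in parse_entries(SAMPLE_ONESHOT_FEED).items():
        status = oneshot_status(props)
        print(f"{title}: {status['progress']:.2%} read, compressed={status['compressed']}")
```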

POST data/inputs/oneshot

Queues a file for immediate indexing by the file input subsystem. The file must be locally accessible from the server.

This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether it has been indexed before.

Request

Name Type Required Default Description
name String
The path to the file to be indexed. The file must be locally accessible by the server.
host String The value of the "host" field to be applied to data from this file.
host_regex String A regex to be used to extract a "host" field from the path.

If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.

host_segment Number Use the specified slash-separated segment of the path as the host field value.
index String The destination index for data processed from this file.
rename-source String The value of the "source" field to be applied to data from this file.
sourcetype String The value of the "sourcetype" field to be applied to data from this file.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

This example queues the file /var/log/messages for indexing.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot \
	-d name=/var/log/messages


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/oneshot/{name}

GET data/inputs/oneshot/{name}

Finds information about a single in-flight oneshot input. This is a subset of the information in the full enumeration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file has been read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file that has been read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.
eai:attributes See Accessing Splunk resources

Example

Lists information about the named in-progress oneshot input in this Splunk instance.


curl -k -u admin:pass \
	https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:49:20-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/var/log/messages</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages</id>
    <updated>2011-07-08T01:49:20-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">114822</s:key>
        <s:key name="Offset">114822</s:key>
        <s:key name="Size">114822</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:48:04 PDT 2011</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/registry

Provides access to Windows registry monitoring input.

GET data/inputs/registry

Gets current registry monitoring configuration.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view registry monitoring configuration.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
baseline Indicates whether or not Splunk should get a baseline of Registry events when it starts. Defaults to false.

If true, the input captures a baseline for the specified hive when the input starts for the first time.

disabled Indicates whether this input is disabled.
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type A regular expression that specifies the types of Registry events to monitor.

Example

Gets current registry inputs configuration.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/registry

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/registry</id>
  <updated>2011-07-29T19:31:32-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/registry/_new" rel="create"/>
  <link href="/services/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Machine keys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/Machine%20keys</id>
    <updated>2011-07-29T19:31:32-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">0</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hive">HKLM</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/registry

Creates new or modifies existing registry monitoring settings.

Request

Name Type Required Default Description
baseline Number
Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive String
Specifies the registry hive under which to monitor for changes.
name String
Name of the configuration stanza.
proc String
Specifies a regex. If specified, changes are collected only when the name of the process making them matches that regex.
type String
A list of Registry event types that you want to monitor. Separate each type with a pipe ('|') character.

For example:

set|create|delete|rename

disabled Number Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all Registry hives beneath the specified hive.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create registry monitoring stanza.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a new registry monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry \
	-d baseline=1 \
	-d hive="HKU\\.*" \
	-d name=mykeys \
	-d proc="c:\\.*" \
	-d type="set|create|delete|rename"

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:29:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/registry/{name}

DELETE data/inputs/registry/{name}

Deletes registry monitoring configuration stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete registry configuration stanza.
404 Registry monitoring configuration stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes existing configuration stanza.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:54-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/registry/{name}

Gets current registry monitoring configuration stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view registry monitoring configuration stanza.
404 Registry monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
baseline Indicates whether to get a baseline of Registry events when Splunk starts.
disabled Indicates if the input is disabled.
eai:attributes See Accessing Splunk resources
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type Regular expression that specifies the types of Registry events to monitor.

Example

Gets current configuration for a given stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:33:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>mykeys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/mykeys</id>
    <updated>2011-07-29T19:33:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">1</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>monitorSubnodes</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>baseline</s:item>
                <s:item>hive</s:item>
                <s:item>proc</s:item>
                <s:item>type</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hive">HKU</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
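The response above carries the stanza as Splunk's s:dict / s:key / s:list payload inside the Atom entry, and eai:attributes tells you which fields are required. As an added example (not Splunk's own code), the Python below parses that payload into a plain dict, handling nested dicts and lists, and checks the stanza against its own requiredFields list; the sample feed is a constructed, trimmed copy of the response shown above.

```python
"""Parse the Atom feed returned by data/inputs/* endpoints into plain Python dicts.

Added example, not code from the Splunk manual. The only assumptions are the
helper names below; the namespaces are the ones the responses on this page use.
"""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
SPLUNK = "http://dev.splunk.com/ns/rest"

# Constructed sample: a trimmed copy of the GET data/inputs/registry/mykeys response.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <s:messages/>
  <entry>
    <title>mykeys</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="requiredFields">
              <s:list>
                <s:item>baseline</s:item>
                <s:item>hive</s:item>
                <s:item>proc</s:item>
                <s:item>type</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hive">HKU</s:key>
        <s:key name="proc">c:\\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def _value(node):
    """Convert the content of one s:key or s:item: nested s:dict -> dict,
    s:list -> list of converted items, otherwise the stripped text."""
    child_dict = node.find(f"{{{SPLUNK}}}dict")
    if child_dict is not None:
        return _dict(child_dict)
    child_list = node.find(f"{{{SPLUNK}}}list")
    if child_list is not None:
        return [_value(item) for item in child_list.findall(f"{{{SPLUNK}}}item")]
    return (node.text or "").strip()


def _dict(dict_node):
    """Map every direct s:key child of an s:dict by its name attribute."""
    return {key.get("name"): _value(key) for key in dict_node.findall(f"{{{SPLUNK}}}key")}


def parse_entries(feed_xml):
    """Return {entry title: {key: value}} for every <entry> in a Splunk Atom feed.
    A feed with no entries (e.g. the reply to a POST or DELETE) yields {}."""
    root = ET.fromstring(feed_xml)
    result = {}
    for entry in root.findall(f"{{{ATOM}}}entry"):
        title = entry.findtext(f"{{{ATOM}}}title")
        content = entry.find(f"{{{ATOM}}}content")
        dict_node = content.find(f"{{{SPLUNK}}}dict") if content is not None else None
        result[title] = _dict(dict_node) if dict_node is not None else {}
    return result


def missing_required(stanza):
    """Fields that eai:attributes.requiredFields names but the stanza lacks."""
    required = stanza.get("eai:attributes", {}).get("requiredFields", [])
    return [field for field in required if field not in stanza]


if __name__ == "__main__":
    for name, stanza in parse_entries(SAMPLE_FEED).items():
        print(name, stanza["hive"], stanza["type"], "missing:", missing_required(stanza))
```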

POST data/inputs/registry/{name}

Modifies given registry monitoring stanza.

Request

Name Type Required Default Description
baseline Number
Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 means no.
hive String
Specifies the registry hive under which to monitor for changes.
proc String
Specifies a regex. If specified, will only collect changes if a process name matches that regex.
type String
A list of Registry event types that you want to monitor. Separate each type with a pipe ('|') character.

For example:

set|create|delete|rename

disabled Number Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all Registry hives beneath the specified hive.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit registry monitoring stanza.
404 Registry monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Modifies existing registry configuration.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys \
	-d baseline=1 \
	-d hive="HKU\\.*" \
	-d proc="c:\\.*" \
	-d type="set|create"
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:07-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/inputs/script

Provides access to scripted inputs.

GET data/inputs/script

Gets the configuration settings for scripted inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view script.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Specifies whether the input script is disabled.
endtime If available, the time when the script stopped executing.
group The name of the inputstatus group, which is always "exec commands."
host The host this data is identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

source The source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

sourcetype Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. There is no hard-coded default.

For more information, see the documentation for the sourcetype parameter for the POST operation.

starttime If available, the time when the script was executed.

Example

Lists configuration settings for all scripted inputs for this Splunk instance.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/script


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/services/data/inputs/script</id>
  <updated>2011-07-09T20:16:11-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/script/_new" rel="create"/>
  <link href="/services/data/inputs/script/_reload" rel="_reload"/>
  <link href="/services/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh</id>
    <updated>2011-07-09T20:16:11-07:00</updated>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="list"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="edit"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="endtime">Sat Jul  9 20:15:54 2011</s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">vgenovese-mbp15.splunk.com</s:key>
        <s:key name="index">os</s:key>
        <s:key name="interval">30</s:key>
        <s:key name="source">cpu</s:key>
        <s:key name="sourcetype">cpu</s:key>
        <s:key name="starttime">Sat Jul  9 20:15:52 2011</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/script

Configures settings for new scripted inputs.

Request

Name Type Required Default Description
interval Number
60.0 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
name String
Specify the name of the scripted input.
disabled Boolean Specifies whether the input script is disabled.
host String vgenovese-centos62x64-1 Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
passAuth String User to run the script as.

If you provide a username, Splunk generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create script.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Configures a new script, myScript.sh, as a disabled scripted input with an interval of 3600 seconds (one hour).

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script \
	-d name=/Applications/splunk4.3/etc/apps/myApp/bin/myScript.sh \
	-d disabled=true \
	-d interval=3600


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:25:17-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/script/restart

Allows for restarting scripted inputs.

POST data/inputs/script/restart

Causes a restart on a given scripted input.

Request

Name Type Required Default Description
script String
Path to the script to be restarted. This path must match an already-configured existing scripted input.

Response Codes

Status Code Description
200 Scripted input restarted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to restart scripted input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Causes the running script named by the "script" parameter to restart.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/restart \
	-d script=/Applications/splunk/bin/scripts/myScript.sh


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:38:38-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/script/{name}

DELETE data/inputs/script/{name}

Removes the scripted input specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete script.
404 Script does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Delete the configuration for the scripted input, myScript.sh.

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh

The {name} field in the DELETE operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk4.3%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:29:18-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/script/{name}

Returns the configuration settings for the scripted input specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view script.
404 Script does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Specifies whether the input script is disabled.
eai:attributes See Accessing Splunk resources
group The name of the inputstatus group, which is always "exec commands."
host The host this data is identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

Example

Return information about the scripted input, myScript.sh.

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh

The {name} field in the GET operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T21:53:43-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh</id>
    <updated>2011-07-09T21:53:43-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>interval</s:item>
                <s:item>rename-source</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
        <s:key name="interval">3600</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/script/{name}

Configures settings for scripted input specified by {name}.

Request

Name Type Required Default Description
disabled Boolean Specifies whether the input script is disabled.
host String vgenovese-centos62x64-1 Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval Number 60.0 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
passAuth String User to run the script as.

If you provide a username, Splunk generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key's initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit script.
404 Script does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Update the scripted input, myScript.sh, by setting the interval to 24 hours (86,400 seconds).

This example assumes there is a script located at:

 /Applications/splunk/etc/apps/myApp/bin/myScript.sh

The {name} field in the POST operation is specially URI-encoded. See the REST API overview for details on URI encoding of filenames.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh \
	-d interval=86400


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:27:59-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
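The DELETE, GET and POST examples for data/inputs/script/{name} above all pass the script path as a doubly URI-encoded segment ('/' becomes '%2F', then '%252F'), so the slashes survive the server's own URL decoding. As an added example that is not code from the manual, the Python below builds and checks that segment from a script path; BASE, the helper names and the constructed path containing a space are assumptions, while the two real paths come from the examples on this page.

```python
"""Build and verify the doubly URI-encoded {name} segment for data/inputs/script/{name}.

Added example, not from the Splunk manual. BASE and the function names are assumptions.
"""
from urllib.parse import quote, unquote

BASE = "https://localhost:8089/servicesNS/nobody/search/data/inputs/script"  # assumed


def encode_script_name(path):
    """Percent-encode every reserved character (safe="" also encodes '/'),
    then encode the resulting '%' signs once more ('%2F' -> '%252F')."""
    return quote(quote(path, safe=""), safe="")


def decode_script_name(segment):
    """Reverse of encode_script_name, e.g. for a name taken from a response <link href>."""
    return unquote(unquote(segment))


def script_stanza_url(path, base=BASE):
    """Full URL of the stanza for a scripted input, for use with GET, POST or DELETE."""
    return f"{base}/{encode_script_name(path)}"


def round_trips(path):
    """True when encoding then decoding reproduces the original path exactly."""
    return decode_script_name(encode_script_name(path)) == path


if __name__ == "__main__":
    print(script_stanza_url("/Applications/splunk/etc/apps/myApp/bin/myScript.sh"))
```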


data/inputs/tcp/cooked

Provides access to TCP inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.

GET data/inputs/tcp/cooked

Returns information about all cooked TCP inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf [Deprecated]
disabled Indicates if the input is disabled.
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.

Example

Retrieves all cooked TCP inputs in this instance of Splunk.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/cooked


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:50:50-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>9993</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9993</id>
    <updated>2011-07-10T14:50:50-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/cooked

Creates a new container for managing cooked data.

Request

Name Type Required Default Description
name Number
The port number of this input.
SSL Boolean If SSL is not already configured, an error is returned.
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String vgenovese-centos62x64-1 The default value to fill in for events lacking a host value.
restrictToHost String Restrict incoming connections on this port to the host specified here.

Response Codes

Status Code Description
201 Created successfully.
400 Some arguments were invalid
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 There was an error; see body contents for messages
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Create a cooked TCP data input listening on port 9998. The curl examples on this page use -k (skip certificate verification) and -u admin:pass (credentials on the command line) for brevity against a local test instance; against a production management port, verify the server certificate and authenticate with a session key instead of a password.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked \
	-d name=9998


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:33-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/tcp/cooked/{name}

DELETE data/inputs/tcp/cooked/{name}

Removes the cooked TCP input for the port or host:port specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the cooked TCP input listening on port 9998. Because a later example on this page restricted this input to the host tiny, its name is now tiny:9998 rather than 9998, and the DELETE must address it by that name.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/tiny:9998


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:54:45-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/tcp/cooked/{name}

Returns information for the cooked TCP input specified by {name}.

If the port is restricted to a host, {name} is host:port with the colon URI-encoded, for example fwd1.splunk.com%3A9997.

Request

No parameters for this request.

Response Codes

Status Code Description
200 OK
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf [Deprecated]
disabled Indicates if the input is disabled.
eai:attributes See Accessing Splunk resources
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

Example

Retrieve settings for a cooked TCP data input.

The first request displays settings for the cooked TCP input listening on port 9998.

The second request displays settings for the cooked TCP input listening on port 9997 that accepts data only from host fwd1.splunk.com. Because the input is restricted to a host, it is addressed as host:port with the colon URI-encoded (fwd1.splunk.com%3A9997).


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:40-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>9998</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998</id>
    <updated>2011-07-10T14:52:40-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-14T11:32:03-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>fwd1.splunk.com:9997</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997</id>
    <updated>2011-07-14T11:32:03-0700</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/connections" rel="connections"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/cooked/fwd1.splunk.com%3A9997/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="index">default</s:key>
        <s:key name="restrictToHost">fwd1.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/cooked/{name}

Updates the cooked TCP input specified by {name}.

Request

Name Type Required Default Description
SSL Boolean If true, the input accepts only TLS-encrypted connections. If SSL is not already configured on the server, an error is returned.
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String vgenovese-centos62x64-1 The default value to fill in for events lacking a host value (the default shown is the hostname of the Splunk server on which this reference was generated).
restrictToHost String Restrict incoming connections on this port to the host specified here.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Restrict the cooked TCP input listening on port 9998 to only accept data from the host "tiny".


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998 \
	-d restrictToHost=tiny


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
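
The following Python client is an added example, not code from the Splunk reference or the Splunk SDK. It performs the same create, restrict and delete calls as the curl examples above, with two changes a production script should make: the management port's certificate is verified against a CA bundle instead of being skipped with -k, and the password is exchanged once for a session key through the standard auth/login endpoint (not described on this page), which is then sent as an Authorization: Splunk header. It also encodes the input name, which changes from 9998 to tiny%3A9998 once restrictToHost is set. The server address, credentials and CA file path are placeholders.

```python
"""Added example (not code from the Splunk reference or SDK): a stdlib-only
client for data/inputs/tcp/{cooked,raw} that verifies the management port's
TLS certificate and authenticates with a session key instead of repeating
`-k -u admin:pass` on every call. Host, credentials and CA path are placeholders."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional


def resource_name(port: int, restrict_to_host: Optional[str] = None) -> str:
    """Path segment that addresses one TCP input.

    An unrestricted input is named by its port ("9998"). Once restrictToHost
    is set, the input is renamed host:port and the colon must be URI-encoded
    in the path ("tiny%3A9998").
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    name = f"{restrict_to_host}:{port}" if restrict_to_host else str(port)
    return urllib.parse.quote(name, safe="")


def input_url(base: str, kind: str, name: Optional[str] = None, app: str = "search") -> str:
    """URL of the cooked/raw collection (name=None) or of one input, in the nobody/<app> namespace."""
    if kind not in ("cooked", "raw"):
        raise ValueError("kind must be 'cooked' or 'raw'")
    url = f"{base.rstrip('/')}/servicesNS/nobody/{app}/data/inputs/tcp/{kind}"
    return f"{url}/{name}" if name else url


def parse_session_key(login_xml: bytes) -> str:
    """Extract <sessionKey> from the body that auth/login returns."""
    key = ET.fromstring(login_xml).findtext("sessionKey")
    if not key:
        raise ValueError("no sessionKey in login response")
    return key


class SplunkTcpInputs:
    def __init__(self, base: str, username: str, password: str, ca_file: str):
        self.base = base.rstrip("/")
        # Verify the server certificate against a known CA bundle; no equivalent of curl -k.
        self.ctx = ssl.create_default_context(cafile=ca_file)
        self.session_key = ""
        form = urllib.parse.urlencode({"username": username, "password": password}).encode()
        # auth/login is a standard Splunk endpoint; it is not documented on this page.
        self.session_key = parse_session_key(self._call(f"{self.base}/services/auth/login", form, auth=False))

    def _call(self, url: str, data: Optional[bytes] = None, method: Optional[str] = None, auth: bool = True) -> bytes:
        req = urllib.request.Request(url, data=data, method=method)
        if auth:
            req.add_header("Authorization", f"Splunk {self.session_key}")
        with urllib.request.urlopen(req, context=self.ctx) as resp:  # 4xx/5xx raise HTTPError
            return resp.read()

    def create(self, kind: str, port: int, **settings: str) -> bytes:
        """POST name=<port> plus optional settings such as SSL, restrictToHost, index."""
        form = urllib.parse.urlencode({"name": port, **settings}).encode()
        return self._call(input_url(self.base, kind), form)

    def restrict(self, kind: str, port: int, host: str) -> bytes:
        """Restrict an existing input to one sending host; the input is renamed host:port."""
        form = urllib.parse.urlencode({"restrictToHost": host}).encode()
        return self._call(input_url(self.base, kind, resource_name(port)), form)

    def delete(self, kind: str, port: int, restrict_to_host: Optional[str] = None) -> bytes:
        return self._call(input_url(self.base, kind, resource_name(port, restrict_to_host)), method="DELETE")


if __name__ == "__main__":
    # Same lifecycle as the curl examples above, against placeholder connection details.
    api = SplunkTcpInputs("https://splunk.example.internal:8089", "admin", "change-me", "/etc/ssl/splunk-ca.pem")
    api.create("cooked", 9998, SSL="true")
    api.restrict("cooked", 9998, "tiny")                  # now addressed as tiny%3A9998
    api.delete("cooked", 9998, restrict_to_host="tiny")
```

Passing SSL=true at creation makes the listener TLS-only from the start, while restrictToHost narrows which host may connect; neither replaces the other, since restrictToHost is a check on the sender's address, not authentication of the sender.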

data/inputs/tcp/cooked/{name}/connections

GET data/inputs/tcp/cooked/{name}/connections

Retrieves the list of active connections to the named port.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed connections successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input's connections.
404 TCP input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
connection Identifies the connection as listening_port:remote_ip:remote_port, for example 9998:127.0.0.1:20089.
servername Server name of forwarder connecting to this port.

Example

Displays all connections to this cooked TCP input.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-13T14:55:18-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Cooked:9998:127.0.0.1:20089</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089</id>
    <updated>2011-07-13T14:55:18-0700</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1:20089</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="servername">fool03.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/tcp/raw

Container for managing raw TCP inputs. A raw TCP input accepts a plain TCP stream from any sender that can reach the port (for example a syslog source), not only from Splunk forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to the parsed and unparsed formats, which only Splunk forwarders produce; raw data is handled by the inputs in this section.

GET data/inputs/tcp/raw

Returns information about all raw TCP inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf [Deprecated]
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.

Example

Display all raw TCP inputs in this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44000</id>
    <updated>2011-07-08T02:30:30-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
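
The following Python audit is an added example, not Splunk's own code. It parses the Atom feeds returned by GET data/inputs/tcp/raw (and data/inputs/tcp/cooked, which shares the same entry layout) and by GET data/inputs/tcp/{name}/connections described earlier on this page, and reports two things a reviewer of a listener configuration wants to know: enabled listeners that neither restrict the sending host with restrictToHost nor require TLS through SSL, which accept unauthenticated data from any host that can reach the port, and live connections whose servername is not in the expected set of forwarders. The feeds embedded below are constructed from the examples on this page with one extra entry each; the allowlist and the extra hosts are placeholders, and a listener whose feed entry carries no SSL key is treated as not using SSL.

```python
"""Added example (not Splunk's code): audit TCP listeners and their live
connections from the Atom feeds returned by data/inputs/tcp/{raw,cooked}
and data/inputs/tcp/{name}/connections."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample of GET data/inputs/tcp/raw, based on the reference's
# examples: an open listener on 44000 and one restricted to host1.splunk.com.
RAW_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>44000</title><content type="text/xml"><s:dict>
    <s:key name="disabled">0</s:key>
    <s:key name="eai:acl"><s:dict><s:key name="app">search</s:key></s:dict></s:key>
    <s:key name="group">listenerports</s:key>
    <s:key name="host">MrT</s:key>
    <s:key name="index">default</s:key>
  </s:dict></content></entry>
  <entry><title>host1.splunk.com:9998</title><content type="text/xml"><s:dict>
    <s:key name="disabled">0</s:key>
    <s:key name="index">default</s:key>
    <s:key name="restrictToHost">host1.splunk.com</s:key>
  </s:dict></content></entry>
</feed>"""

# Constructed sample of GET .../cooked/9998/connections: the reference's
# connection plus a second one from a placeholder host outside the allowlist.
CONNECTIONS_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>Cooked:9998:127.0.0.1:20089</title><content type="text/xml"><s:dict>
    <s:key name="connection">9998:127.0.0.1:20089</s:key>
    <s:key name="servername">fool03.splunk.com</s:key>
  </s:dict></content></entry>
  <entry><title>Cooked:9998:10.0.0.23:41022</title><content type="text/xml"><s:dict>
    <s:key name="connection">9998:10.0.0.23:41022</s:key>
    <s:key name="servername">rogue.example.net</s:key>
  </s:dict></content></entry>
</feed>"""


def parse_entries(feed_xml: str) -> List[Dict[str, str]]:
    """Flatten each <entry> into a dict of its scalar <s:key> values plus its title as "name"."""
    entries = []
    for entry in ET.fromstring(feed_xml).iter(f"{ATOM}entry"):
        item = {"name": entry.findtext(f"{ATOM}title", default="")}
        settings = entry.find(f"{ATOM}content/{S}dict")
        for key in ([] if settings is None else settings.findall(f"{S}key")):
            if len(key) == 0:  # scalar; nested dicts (eai:acl, eai:attributes) hold no listener settings
                item[key.get("name")] = (key.text or "").strip()
        entries.append(item)
    return entries


def is_true(value: str) -> bool:
    """Splunk returns booleans as 0/1; also accept the spellings the API takes on input."""
    return value.strip().lower() in ("1", "true", "t", "yes", "y")


def open_listeners(feed_xml: str) -> List[str]:
    """Enabled listeners that neither restrict the sending host nor require TLS.

    A missing SSL key is treated as SSL not set (an assumption about the feed).
    """
    return [
        e["name"]
        for e in parse_entries(feed_xml)
        if not is_true(e.get("disabled", "0"))
        and not e.get("restrictToHost")
        and not is_true(e.get("SSL", "0"))
    ]


def split_connection(connection: str) -> Tuple[str, str, str]:
    """Split the connection field's listening_port:remote_ip:remote_port layout.

    One split from the left and one from the right keeps a remote address
    that itself contains colons intact.
    """
    port, rest = connection.split(":", 1)
    remote_ip, remote_port = rest.rsplit(":", 1)
    return port, remote_ip, remote_port


def unexpected_connections(feed_xml: str, expected_servers: Set[str]) -> List[Tuple[str, str, str]]:
    """(servername, remote_ip, listening_port) for live connections from servers outside the allowlist."""
    found = []
    for e in parse_entries(feed_xml):
        port, remote_ip, _ = split_connection(e.get("connection", "::"))
        if e.get("servername", "") not in expected_servers:
            found.append((e.get("servername", ""), remote_ip, port))
    return found


if __name__ == "__main__":
    for name in open_listeners(RAW_FEED):
        print(f"open listener (no restrictToHost, no SSL): {name}")
    for server, ip, port in unexpected_connections(CONNECTIONS_FEED, {"fool03.splunk.com"}):
        print(f"unexpected forwarder {server} from {ip} on port {port}")
```

Run against live output by fetching the two feeds (with count=0 on the listing so that no entries are paged out) and passing the bodies to open_listeners and unexpected_connections; the connections check is a point-in-time view, so schedule it rather than running it once.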

POST data/inputs/tcp/raw

Creates a new data input for accepting raw TCP data.

Request

Name Type Required Default Description
name String Yes The port number on which Splunk listens for raw TCP data.
SSL Boolean If true, the input accepts only TLS-encrypted connections. If SSL is not already configured on the server, an error is returned.
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is dns.

disabled Boolean Indicates whether the inputs are disabled.
host String vgenovese-centos62x64-1 The default value to fill in for events lacking a host value (the default shown is the hostname of the Splunk server on which this reference was generated).
index String default The index in which to store all generated events.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at Edit inputs.conf

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies, in seconds, the idle timeout after which a Done-key is added. Default value is 10 seconds.

If a connection on the port specified by name receives data and then remains idle for this many seconds, Splunk adds a Done-key, signalling that the last event has been completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
source String Sets the source key/field for events from this input. Defaults to the protocol and port of the input, for example tcp:44343.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording where the data came from. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

As a convenience, the chosen string is prepended with 'sourcetype::'.

If not set, Splunk determines the source type automatically.

Response Codes

Status Code Description
201 Created successfully.
400 Some arguments were invalid
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 There was an error; see body contents for messages
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Create a TCP input on port 44343 listening for raw data.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw \
	-d name=44343


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/tcp/raw/{name}

DELETE data/inputs/tcp/raw/{name}

Removes the raw inputs for port or host:port specified by {name}

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the raw TCP data input listening on port 44343.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/tcp/raw/{name}

Returns information about raw TCP input port {name}.

If the port is restricted to a host, {name} is host:port with the colon URI-encoded, for example host1.splunk.com%3A9998.

Request

No parameters for this request.

Response Codes

Status Code Description
200 OK
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf [Deprecated]
disabled Indicates whether the inputs are disabled.
eai:attributes See Accessing Splunk resources
group Set to 'listenerports' for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

Example

Display the settings for a single raw TCP data input.

The first request displays settings for the raw TCP input listening on port 44343.

The second request displays settings for the raw TCP input listening on port 9998 that accepts data only from host host1.splunk.com. Because the input is restricted to a host, it is addressed as host:port with the colon URI-encoded (host1.splunk.com%3A9998).


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:37:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44343</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343</id>
    <updated>2011-07-08T02:37:09-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/host1.splunk.com%3A9998


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-14T11:28:39-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>host1.splunk.com:9998</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998</id>
    <updated>2011-07-14T11:28:39-0700</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/connections" rel="connections"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/raw/host1.splunk.com%3A9998/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="index">default</s:key>
        <s:key name="restrictToHost">host1.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/raw/{name}

Updates the raw TCP input specified by {name}.

Request

Name Type Required Default Description
SSL Boolean If true, the input accepts only TLS-encrypted connections. If SSL is not already configured on the server, an error is returned.
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is dns.

disabled Boolean Indicates whether the inputs are disabled.
host String vgenovese-centos62x64-1 The default value to fill in for events lacking a host value (the default shown is the hostname of the Splunk server on which this reference was generated).
index String default The index in which to store all generated events.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at Edit inputs.conf

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies, in seconds, the idle timeout after which a Done-key is added. Default value is 10 seconds.

If a connection on the port specified by {name} remains idle for this many seconds after receiving data, the input adds a Done-key, which marks the last event as completely received.

restrictToHost String Restricts this input to accept data only from the host specified here. Restricting by address identifies a sender but does not authenticate it; use the SSL input with requireClientCert when senders must be authenticated.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key's initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Change the sourcetype to syslog for incoming events on the TCP data input listening on port 44343.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343 \
	-d sourcetype=syslog


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/tcp/raw/{name}/connections

GET data/inputs/tcp/raw/{name}/connections

View all connections to the named data input.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed connections successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input's connections.
404 TCP input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
connection Listening port and source IP address of the connection, in the form port:address (for example 9998:127.0.0.1).
servername DNS name of the source connecting to this TCP input port; empty when no name is available, as for 127.0.0.1 in the example below.

Example

Displays all connections to this raw TCP input.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw/9998/connections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-13T16:14:33-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Raw:9998:127.0.0.1</title>
    <id>https://localhost:8089/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1</id>
    <updated>2011-07-13T16:14:33-07:00</updated>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="list"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1/_reload" rel="_reload"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="edit"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="servername"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/tcp/ssl

Provides access to the SSL configuration of a Splunk server.

GET data/inputs/tcp/ssl

Returns SSL configuration. There is only one SSL configuration for all input ports.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf [Deprecated]
cipherSuite The list of cipher suites the SSL input accepts, in OpenSSL cipher-list syntax. Review this value: a permissive list such as the one in the example below, which starts from ALL and still adds RC4+RSA and +MEDIUM, accepts suites that are no longer considered strong.
disabled Indicates whether this input is disabled.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Return the SSL attributes for this instance of Splunk.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:02:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:02:58-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
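The cipherSuite value returned by GET data/inputs/tcp/ssl (and by GET data/inputs/tcp/ssl/{name} below) is an OpenSSL cipher string, and the one in the example response is permissive. The following script is an added example, not part of this manual or of Splunk's code: it parses the feed shown above (embedded as a constructed sample) and screens the cipher string for weak keywords that are added, or brought in by ALL, and never removed. The keyword set it treats as weak is the editor's assumption; the authoritative expansion of any cipher string is `openssl ciphers -v '<string>'`.

```python
"""Audit the SSL configuration returned by GET data/inputs/tcp/ssl.

Added example (not Splunk's code): parses the Atom feed from the example
response and flags weak keywords in the OpenSSL-style cipherSuite string.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: the example response above, with the elided nodes dropped.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <entry>
    <title/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

# Cipher-list keywords a current deployment should not leave enabled.
# This set is the editor's assumption, not a Splunk recommendation.
WEAK_KEYWORDS = {"RC4", "MEDIUM", "LOW", "EXP", "aNULL", "eNULL", "MD5"}


def parse_ssl_entry(feed_xml):
    """Return the s:key name -> value mapping of the first entry in the feed."""
    root = ET.fromstring(feed_xml)
    entry = root.find(ATOM + "entry")
    if entry is None:
        return {}
    return {k.get("name"): (k.text or "") for k in entry.iter(SREST + "key")}


def tokenize_cipher_list(cipher_list):
    """Split an OpenSSL cipher string into (action, parts) pairs.

    '!X' permanently removes X, '-X' removes X, '+X' moves X to the end of the
    list, and a bare token adds it. Compound tokens such as RC4+RSA are split
    on '+' into their parts (a suite must match all of them).
    """
    actions = {"!": "kill", "-": "remove", "+": "move"}
    tokens = []
    for raw in cipher_list.split(":"):
        raw = raw.strip()
        if not raw:
            continue
        action = "add"
        if raw[0] in actions:
            action, raw = actions[raw[0]], raw[1:]
        tokens.append((action, tuple(raw.split("+"))))
    return tokens


def weak_keywords_still_enabled(cipher_list):
    """Return weak keywords the cipher string enables and never removes.

    This is a quick screen on keywords, not a full resolution of the list:
    ALL (and COMPLEMENTOFDEFAULT) enable every family, so any weak keyword
    that is not explicitly killed afterwards is reported.
    """
    added, killed = set(), set()
    for action, parts in tokenize_cipher_list(cipher_list):
        for part in parts:
            (killed if action in ("kill", "remove") else added).add(part)
    if "ALL" in added or "COMPLEMENTOFDEFAULT" in added:
        added |= WEAK_KEYWORDS
    return sorted(k for k in added & WEAK_KEYWORDS if k not in killed)


def audit_ssl_feed(feed_xml):
    """Summarise the SSL input: is it disabled, and which weak keywords remain."""
    entry = parse_ssl_entry(feed_xml)
    return {
        "disabled": entry.get("disabled") == "1",
        "weak": weak_keywords_still_enabled(entry.get("cipherSuite", "")),
    }


if __name__ == "__main__":
    print(audit_ssl_feed(SAMPLE_FEED))
```

Run against a live server by piping the output of the curl command above into `audit_ssl_feed`. For the example response the result reports the input as disabled and lists MD5, MEDIUM and RC4 as still enabled, which is what you would expect from a string that starts with ALL and only kills aNULL, eNULL, LOW and EXP.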

data/inputs/tcp/ssl/{name}

GET data/inputs/tcp/ssl/{name}

Returns the SSL configuration. Because there is a single SSL configuration shared by all input ports, the only valid value for {name} is ssl.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf [Deprecated]
cipherSuite The list of cipher suites the SSL input accepts, in OpenSSL cipher-list syntax. Review this value: a permissive list such as the one in the example below, which starts from ALL and still adds RC4+RSA and +MEDIUM, accepts suites that are no longer considered strong.
disabled Indicates whether this input is disabled.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Return the SSL attributes for tcp input. Note that "ssl" is the only valid name here.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:04:41-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:04:41-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/tcp/ssl/{name}

Configures the SSL attributes shared by all SSL input ports. The only valid value for {name} is ssl.

Request

Name Type Required Default Description
disabled Boolean Indicates whether the SSL input is disabled.
password String Password that protects the server certificate's private key, if any.
requireClientCert Boolean Determines whether a connecting client must present a certificate that validates against rootCA. When false, the channel is encrypted but the sender is not authenticated, so any host that can reach the port can send data.
rootCA String Path to the certificate authority (root CA) file used to validate client certificates.
serverCert String Full path to the server certificate file.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Disable inputs for this SSL server configuration. Note that "ssl" is the only valid name here.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl \
	-d disabled=true


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:05:42-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/inputs/udp

Provides access to UDP data inputs.

GET data/inputs/udp

List enabled and disabled UDP data inputs.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view inputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Specifies socket receive buffer size in bytes.
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Returns a list of configured UDP data inputs.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/udp


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/services/data/inputs/udp</id>
  <updated>2011-07-08T14:11:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/udp/_new" rel="create"/>
  <link href="/services/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44000</id>
    <updated>2011-07-08T14:11:57-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/udp

Create a new UDP data input.

Request

Name Type Required Default Description
name String
The UDP port that this input should listen on.
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String vgenovese-centos62x64-1 The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
no_appending_timestamp Boolean If set to true, prevents Splunk from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk will not remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create input.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a UDP data input listening on port 44321.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp \
	-d name=44321


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:13-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/inputs/udp/{name}

DELETE data/inputs/udp/{name}

Disable the named UDP data input and remove it from the configuration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Removes the UDP data input listening on port 44321.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/udp/{name}

List the properties of the single UDP data input {name}, where {name} is a port or, if the input is restricted to a host, the URI-encoded host:port (for example host1.splunk.com%3A9997).

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input configuration.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
_rcvbuf Specifies socket receive buffer size in bytes.
disabled Indicates whether the inputs are disabled.
eai:attributes See Accessing Splunk resources
group Set to 'listenerports' for listening ports.
host The host from which the indexer gets data.
index The index in which to store generated events.

Example

Returns configuration information for a single UDP data input.

The first request displays settings for the UDP data input listening on port 44321.

The second request displays settings for the UDP data input listening on port 9997 that is restricted to data from host host1.splunk.com; the colon in the name is URI-encoded as %3A.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:27-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>44321</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321</id>
    <updated>2011-07-08T14:12:27-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>connection_host</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>no_appending_timestamp</s:item>
                <s:item>no_priority_stripping</s:item>
                <s:item>queue</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/host1.splunk.com%3A9997


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-14T11:40:20-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>host1.splunk.com:9997</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997</id>
    <updated>2011-07-14T11:40:20-0700</updated>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/connections" rel="connections"/>
    <link href="/servicesNS/nobody/system/data/inputs/udp/host1.splunk.com%3A9997/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>no_appending_timestamp</s:item>
                <s:item>no_priority_stripping</s:item>
                <s:item>queue</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/udp/{name}

Edit properties of the named UDP data input.

Request

Name Type Required Default Description
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String vgenovese-centos62x64-1 The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
no_appending_timestamp Boolean If set to true, prevents Splunk from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk will not remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit input.
404 Input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Changes the sourcetype for incoming events to "syslog" for the UDP data input listening on port 44321.


curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321 \
	-d sourcetype=syslog


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:47-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
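Both POST data/inputs/udp and POST data/inputs/udp/{name} accept no_priority_stripping, and the manual only says that the priority field is removed unless the flag is set. The script below is an added example written for this page, not Splunk's code: it decodes the syslog PRI field ("<N>", where N = facility * 8 + severity per RFC 3164) and emulates both settings on constructed sample datagrams, so you can see exactly which information (facility and severity) is gone from the indexed event once the field is stripped. The emulation is the editor's model of the documented behaviour; Splunk's own header handling and timestamp prefixing are not shown.

```python
"""Show what the UDP input's no_priority_stripping setting controls.

Added example (not Splunk's code). A BSD syslog datagram starts with a PRI
field "<N>" where N = facility * 8 + severity (RFC 3164). With
no_priority_stripping left false the input removes "<N>" before indexing, so
facility and severity survive only if the sender also wrote them into the
message body. The functions below decode PRI and emulate both settings.
"""
import re

# Facility and severity names in RFC 3164 numbering order (0-23 and 0-7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample datagrams as they might arrive on the UDP port.
SAMPLES = [
    "<34>Jul  8 14:11:57 host1 sshd[1042]: Failed password for root from 203.0.113.7 port 52211 ssh2",
    "<13>Jul  8 14:12:01 host1 app: user login ok",
    "no PRI field at all",
]


def decode_pri(message):
    """Return (facility_name, severity_name, body) or None if no valid PRI."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], message[m.end():]


def ingest(message, no_priority_stripping=False):
    """Emulate the input: strip "<N>" unless no_priority_stripping is true.

    Messages without a valid PRI are passed through unchanged either way.
    """
    decoded = decode_pri(message)
    if decoded is None or no_priority_stripping:
        return message
    return decoded[2]


def severity_report(messages):
    """Map each datagram to its severity, which is what stripping discards."""
    report = {}
    for msg in messages:
        decoded = decode_pri(msg)
        report[msg] = decoded[1] if decoded else None
    return report


if __name__ == "__main__":
    for sample in SAMPLES:
        print("stripped  :", ingest(sample))
        print("preserved :", ingest(sample, no_priority_stripping=True))
        print("severity  :", severity_report([sample])[sample])
```

The first sample is a PRI of 34, that is facility auth (4) and severity crit (2); after stripping, the indexed event no longer carries either value, so a search that depends on syslog severity must rely on the message text or on the flag being set.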

data/inputs/udp/{name}/connections

GET data/inputs/udp/{name}/connections

Lists connections to the named UDP input.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed connections successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view input connections.
404 UDP input does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.

Example

Returns a list of connections to the UDP input listening on port 9998.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/9998/connections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-13T17:08:18-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>127.0.0.1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/127.0.0.1</id>
    <updated>2011-07-13T17:08:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="group">hosts</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/win-event-log-collections

Provides access to all configured event log collections.

GET data/inputs/win-event-log-collections

Retrieves a list of configured event log collections.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view event log collections.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates if the input is disabled.
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.

If not specified, defaults to the default index.

logs List of event log channels to monitor.

Example

Provides information on all Windows event log collection inputs for monitoring by this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-event-log-collections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:26:47-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:26:47-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-event-log-collections

Creates or modifies existing event log collection settings. You can configure both native and WMI collection with this endpoint.

Request

Name Type Required Default Description
lookup_host String
The host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.
name String
This is the name of the collection. This name will appear in the configuration file, as well as in the source and the sourcetype of the indexed data. If the value is "localhost", it will use native event log collection; otherwise, it will use WMI.
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String List of event log names from which to gather data:
  • WMI collection format (CSV):
    logs=Application%2CSystem%2CSetup%2CSecurity
  • Native event log collection format:
    logs=Application&logs=System&logs=Setup

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create event log collections.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
disabled Indicates if the input is disabled.
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.
logs List of event log channels to monitor.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI.

Example

Creates a new event log monitoring collection named mylogs on the localhost, monitoring the Application and the System event logs.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections \
	-d lookup_host=localhost \
	-d name=mylogs \
	-d logs=Application,System


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:56:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:56:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
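The two logs encodings documented above, and the <s:dict>/<s:list> response format the examples show, as an added Python example (it is not Splunk's own code or SDK): build_event_log_body produces the form body that curl's -d arguments carry, choosing the encoding from lookup_host, and parse_feed turns the Atom feed into plain dicts. SAMPLE_FEED is constructed to mirror the GET response shown for the mylogs collection later in this section; the collection was created with a comma-separated logs=Application,System on a native (localhost) collection, and the stored entry shows one channel literally named "Application,System", which native_channels_with_commas flags.

```python
"""Build POST bodies for data/inputs/win-event-log-collections and parse the
Atom feed the endpoint returns.  Added example, not Splunk's own code."""
import xml.etree.ElementTree as ET  # our own server's responses; use defusedxml for untrusted XML
from urllib.parse import urlencode

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"


def build_event_log_body(name, lookup_host, logs, hosts=(), index=None):
    """Return the URL-encoded form body (what curl's -d arguments become).

    The reference gives two encodings for ``logs``: native collection
    (lookup_host == "localhost") takes one ``logs=`` argument per channel;
    WMI collection takes a single comma-separated value (``%2C``-encoded).
    """
    params = [("lookup_host", lookup_host), ("name", name)]
    if lookup_host == "localhost":
        params.extend(("logs", channel) for channel in logs)
    else:
        params.append(("logs", ",".join(logs)))
        if hosts:  # additional WMI hosts beyond lookup_host
            params.append(("hosts", ",".join(hosts)))
    if index:
        params.append(("index", index))
    return urlencode(params)


def _value(node):
    """Convert an <s:dict>, <s:list> or text node into Python data."""
    d = node.find(S + "dict")
    if d is not None:
        return {k.get("name"): _value(k) for k in d.findall(S + "key")}
    lst = node.find(S + "list")
    if lst is not None:
        return [_value(i) for i in lst.findall(S + "item")]
    return (node.text or "").strip()


def parse_feed(xml_text):
    """Map each <entry> title to the dict inside its <content>."""
    root = ET.fromstring(xml_text)
    return {
        e.findtext(ATOM + "title"): _value(e.find(ATOM + "content"))
        for e in root.findall(ATOM + "entry")
    }


def native_channels_with_commas(entry):
    """Flag channels stored with an embedded comma on a native collection.

    That is what posting the CSV form to a localhost collection produces:
    one channel literally named "Application,System" instead of two channels.
    """
    if entry.get("lookup_host") != "localhost":
        return []
    return [c for c in entry.get("logs", []) if "," in c]


# Constructed sample, shaped like the GET response for mylogs in this reference.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <entry>
    <title>mylogs</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="hosts"/>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application,System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">mylogs</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

if __name__ == "__main__":
    print(build_event_log_body("mylogs", "localhost", ["Application", "System"]))
    entry = parse_feed(SAMPLE_FEED)["mylogs"]
    print(entry)
    print("channels with commas:", native_channels_with_commas(entry))
```

Run the check over every entry of a real GET data/inputs/win-event-log-collections response to find native collections whose channel list was posted in the WMI format; such a collection silently monitors nothing named "Application,System".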

data/inputs/win-event-log-collections/{name}

DELETE data/inputs/win-event-log-collections/{name}

Deletes a given event log collection.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete event log collections.
404 Event log collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes the existing mylogs event log collection.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:45:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/win-event-log-collections/{name}

Gets the configuration settings for a given event log collection.

Request

Name Type Required Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view event log collections.
404 Event log collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates if the input is disabled.
eai:attributes See Accessing Splunk resources
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.

If not specified, defaults to the default index.

logs List of event log channels to monitor.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.

Example

Gets information about a given event log collection.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T12:00:38-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>mylogs</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs</id>
    <updated>2011-07-27T12:00:38-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>hosts</s:item>
                <s:item>index</s:item>
                <s:item>logs</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hosts"/>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application,System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">mylogs</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-event-log-collections/{name}

Modifies existing event log collection.

Request

Name Type Required Default Description
lookup_host String
The host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String A comma-separated list of event log names to gather data from.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit event log collections.
404 Event log collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
disabled Indicates if the input is disabled.
hosts The hosts that you are monitoring.
index The index in which to store the gathered data.
logs List of event log channels to monitor.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.

Example

Modifies the mylogs collection by making it monitor the Application log only.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs \
	-d lookup_host=localhost \
	-d logs=Application


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:43:46-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T13:43:46-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/win-wmi-collections

Provides access to all configured WMI collections.

GET data/inputs/win-wmi-collections

Provides access to all configured WMI collections.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view collections.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
class The WMI performance object class being monitored.
disabled Indicates whether the input is disabled.
fields The WMI performance counters being monitored.
index The index to which you are sending input data.
instances Instances of the WMI performance counter.
interval The interval, in seconds, at which the WMI provider(s) are queried.
name The name of the input.
server The server you are monitoring.
wql The actual WQL query for monitoring the performance object.

Example

Lists all enabled or disabled WMI collection items.


curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-wmi-collections


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:00:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:00:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="class">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="fields">
          <s:list>
            <s:item>PercentProcessorTime</s:item>
            <s:item>PercentUserTime</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list>
            <s:item>_Total</s:item>
          </s:list>
        </s:key>
        <s:key name="interval">3</s:key>
        <s:key name="name"/>
        <s:key name="server">localhost</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-wmi-collections

Creates or modifies existing WMI collection settings.

Request

Name Type Required Default Description
classes String
A valid WMI class name.
interval Number
The interval, in seconds, at which the WMI provider(s) will be queried.
lookup_host String
The server from which WMI data is gathered. If you need to gather data from more than one machine, specify the additional servers in the 'server' parameter.
name String
The name of the collection. This name will appear in the configuration file, as well as in the source and the sourcetype of the indexed data.
disabled Number 0 Disables the given collection.
fields String * Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String The index in which to store the gathered data.
instances String empty Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

server String localhost A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create this collection.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) will be queried.
lookup_host The host from which to monitor log events.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

Example

Creates a new WMI collection named cpu, which gathers CPU information from the class Win32_PerfFormattedData_PerfOS_Processor on localhost, with an interval of 5 seconds.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections \
	-d classes=Win32_PerfFormattedData_PerfOS_Processor \
	-d interval=5 \
	-d lookup_host=localhost \
	-d name=cpu


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:05:43-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:05:43-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="index">default</s:key>
        <s:key name="interval">3</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
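The relationship between classes, fields, instances and the returned wql, as an added Python example (not Splunk's own code). The construction rule it assumes, fields joined by commas, FROM the class, WHERE Name="instance", is read off the CPUTime entry shown in the responses above; OR-ing several instances together is a further assumption, since the reference shows only one. The identifier checks exist because the instance name ends up inside a quoted WQL literal, so a value containing a double quote would alter the query; matches_declared is a configuration-drift check that compares a collection's stored wql with what its declared settings should produce.

```python
"""Rebuild and validate the WQL behind a WMI collection.  Added example, not
Splunk's own code; the assumed rule (fields joined by commas, FROM the class,
WHERE Name="instance") is read off the CPUTime entry in this reference."""
import re

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # WMI class and property names
_INSTANCE = re.compile(r"^[\w .:()\\-]+$")          # e.g. _Total, C:, 0; no quotes allowed


def is_wmi_identifier(text):
    return bool(_IDENT.match(text))


def is_instance_name(text):
    # The instance is interpolated into a quoted literal; a double quote in the
    # value would let it break out of the WHERE clause, so reject it up front.
    return bool(_INSTANCE.match(text))


def build_wql(wmi_class, fields=("*",), instances=()):
    """Return the query a collection with these settings runs ("*" is the
    documented default for fields)."""
    if not is_wmi_identifier(wmi_class):
        raise ValueError(f"invalid WMI class name: {wmi_class!r}")
    for f in fields:
        if f != "*" and not is_wmi_identifier(f):
            raise ValueError(f"invalid WMI property name: {f!r}")
    for inst in instances:
        if not is_instance_name(inst):
            raise ValueError(f"invalid instance name: {inst!r}")
    wql = f"SELECT {','.join(fields)} FROM {wmi_class}"
    if instances:  # assumption: several instances are OR-ed together
        wql += " WHERE " + " OR ".join(f'Name="{inst}"' for inst in instances)
    return wql


_WQL = re.compile(r"^SELECT (?P<fields>\S+) FROM (?P<cls>\w+)(?: WHERE (?P<where>.+))?$")


def parse_wql(wql):
    """Inverse of build_wql: recover classes, fields and instances from a query."""
    m = _WQL.match(wql)
    if not m:
        raise ValueError(f"unrecognised WQL: {wql!r}")
    where = m.group("where") or ""
    return {
        "classes": m.group("cls"),
        "fields": m.group("fields").split(","),
        "instances": re.findall(r'Name="([^"]*)"', where),
    }


def matches_declared(entry):
    """True when the stored wql agrees with the collection's declared settings."""
    return build_wql(entry["classes"], entry["fields"], entry["instances"]) == entry["wql"]


# Values copied from the CPUTime entry returned above (the list endpoint names
# the class key "class"; the single-item endpoint names it "classes").
CPUTIME = {
    "classes": "Win32_PerfFormattedData_PerfOS_Processor",
    "fields": ["PercentProcessorTime", "PercentUserTime"],
    "instances": ["_Total"],
    "wql": 'SELECT PercentProcessorTime,PercentUserTime '
           'FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"',
}

if __name__ == "__main__":
    print(build_wql(CPUTIME["classes"], CPUTIME["fields"], CPUTIME["instances"]))
    print("matches declared settings:", matches_declared(CPUTIME))
```

Feed each entry of a GET data/inputs/win-wmi-collections response through matches_declared to spot collections whose query no longer reflects the class, fields and instances recorded for them.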

data/inputs/win-wmi-collections/{name}

DELETE data/inputs/win-wmi-collections/{name}

Deletes a given collection.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. Given collection does not exist.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete a given collection.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes an existing WMI collection.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:21:17-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/win-wmi-collections/{name}

Gets information about a single collection.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view WMI collections.
404 Given collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
eai:attributes See Accessing Splunk resources
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) will be queried.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

Example

Gets information about a given WMI collection.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:09:39-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:09:39-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>fields</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>server</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>classes</s:item>
                <s:item>interval</s:item>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-wmi-collections/{name}

Modifies a given WMI collection.

Request

Name Type Required Default Description
classes String
A valid WMI class name.
interval Number
The interval, in seconds, at which the WMI provider(s) will be queried.
lookup_host String
This is the server from which we will be gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter.
disabled Number Disables the given collection.
fields String Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String The index in which to store the gathered data.
instances String Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

server String A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit collection.
404 Collection does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) are queried.
lookup_host The host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

Example

Modifies an existing WMI collection item with the given parameters. The new setting requests monitoring of three different machines using the lookup_host and the server parameters.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu \
	-d classes=Win32_PerfFormattedData_PerfOS_Processor \
	-d interval=5 \
	-d lookup_host=localhost \
	-d server=10.1.5.157,10.1.5.158


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:15:33-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:15:33-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/inputs/win-perfmon

Provides access to performance monitoring configuration. This input allows you to poll Windows performance monitor counters.

GET data/inputs/win-perfmon

Gets current performance monitoring configuration.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view performance monitoring configuration.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.

Example

Lists all configured perfmon inputs.

curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-perfmon

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:42:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/services/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:42:06-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list>
            <s:item>Available Bytes</s:item>
          </s:list>
        </s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-perfmon

Creates new or modifies existing performance monitoring collection settings.

Request

Name Type Required Default Description
name String
This is the name of the collection. This name will appear in a configuration file, as well as the source and the sourcetype of the indexed data.
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
object String A valid performance monitor object (for example, 'Process', 'Server', 'PhysicalDisk').
source String Source for inputs.
sourcetype String Source type of input.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create monitoring stanza.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.
source Source for inputs.
sourcetype Source type of the input.

Example

Creates a memory monitoring stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon \
	-d interval=4 \
	-d name=mymemory \
	-d object=Memory

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:40:38-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:40:38-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
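The POST endpoints above (data/inputs/win-wmi-collections/{name} and data/inputs/win-perfmon) both take multi-valued settings such as fields, instances and counters as repeated arguments, and both answer with an Atom feed whose entry content is an s:dict of s:key, s:list and s:item nodes. The following Python is an added example, not code from the Splunk manual or from Splunk: it builds the form body for either endpoint, parses the returned feed into plain Python data, and compares the read-back entry against what was requested. The SAMPLE_FEED is trimmed from the manual's WMI response (links and eai:acl nodes removed); the counter values in the usage lines are constructed; the function names are this example's own.

```python
# Added example (not from the Splunk REST manual): form encoding and
# response parsing for the data/inputs POST endpoints shown above.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}


def input_form(**settings):
    """URL-encode settings for a POST to a data/inputs endpoint.

    A list or tuple value is repeated as separate arguments (fields, instances,
    counters), as the reference requires; any other value is sent once, so a
    comma-separated 'server' list is passed as one string. None is skipped.
    """
    params = []
    for key, value in settings.items():
        if value is None:
            continue
        if isinstance(value, (list, tuple)):
            params.extend((key, str(v)) for v in value)
        else:
            params.append((key, str(value)))
    return urlencode(params)


def _value(node):
    """Convert the content of an s:key or s:item into Python data (all scalars are strings)."""
    d = node.find("s:dict", NS)
    if d is not None:
        return {k.get("name"): _value(k) for k in d.findall("s:key", NS)}
    lst = node.find("s:list", NS)
    if lst is not None:
        return [_value(i) for i in lst.findall("s:item", NS)]
    return (node.text or "").strip()


def parse_entries(feed_xml):
    """Map each <entry> title in a Splunk Atom feed to its content dict."""
    root = ET.fromstring(feed_xml)  # ET drops the XML comments Splunk emits
    entries = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", namespaces=NS)
        content = entry.find("atom:content/s:dict", NS)
        entries[title] = {k.get("name"): _value(k) for k in content.findall("s:key", NS)}
    return entries


def unapplied_settings(entry, requested):
    """Return the requested settings whose stored value differs from the read-back entry.

    Use after a POST: the response shows what the server stored, not what was
    sent. A single requested string is compared against a one-item s:list.
    """
    diffs = {}
    for key, want in requested.items():
        got = entry.get(key)
        if isinstance(got, list) and not isinstance(want, list):
            want = [want]
        if got != want:
            diffs[key] = got
    return diffs


# Trimmed from the manual's POST win-wmi-collections/cpu response (constructed sample).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <entry>
    <title>cpu</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="fields"><s:list><s:item>*</s:item></s:list></s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances"><s:list/></s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

if __name__ == "__main__":
    # Body for the manual's WMI example, with two explicit fields instead of '*'.
    print(input_form(classes="Win32_PerfFormattedData_PerfOS_Processor", interval=5,
                     lookup_host="localhost", fields=["Name", "PercentProcessorTime"],
                     server="10.1.5.157,10.1.5.158"))
    # Body for a perfmon stanza with two counters (constructed values).
    print(input_form(name="mymemory", object="Memory", interval=4,
                     counters=["Available Bytes", "Pages/sec"]))
    cpu = parse_entries(SAMPLE_FEED)["cpu"]
    print(unapplied_settings(cpu, {"interval": "5", "server": "10.1.5.157,10.1.5.158"}))
```

The body strings are what curl's repeated -d arguments produce, so they can be sent with any HTTPS client; the read-back check is the step worth keeping, since in the manual's own example the response entry shows an empty server value after the request set two addresses.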

data/inputs/win-perfmon/{name}

DELETE data/inputs/win-perfmon/{name}

Deletes a given monitoring stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete monitoring stanza.
404 Monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes a given perfmon stanza.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:47:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/inputs/win-perfmon/{name}

Gets settings for a given perfmon stanza.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view configuration settings.
404 Performance stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
eai:attributes See Accessing Splunk resources
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.

Example

Lists a given perfmon stanza.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:44:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>mymemory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory</id>
    <updated>2011-07-29T19:44:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list/>
        </s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>counters</s:item>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>interval</s:item>
                <s:item>object</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">4</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/inputs/win-perfmon/{name}

Modifies an existing monitoring stanza.

Request

Name Type Required Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
object String A valid performance monitor object (for example, 'Process', 'Server', 'PhysicalDisk').
source String Source for inputs.
sourcetype String Source type of input.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit monitoring stanza.
404 Monitoring stanza does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.
source Source for inputs.
sourcetype Source type of the input.

Example

Modifies the interval of the given perfmon stanza.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory \
	-d interval=10

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:45:59-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:45:59-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/modular-inputs

Provides access to currently defined modular inputs on the system. For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.

GET data/modular-inputs

Lists information about configured modular inputs.

For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view modular input entries.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
description Provides descriptive text for title in the Splunk Manager page for Data inputs.

The description also appears on the Add new data inputs Manager page.

For more information, refer to Modular inputs: Introspection scheme details.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspection scheme details.

streaming_mode Indicates the streaming mode for the modular input.

Valid values:

xml
simple

For more information, refer to Modular inputs: Introspection scheme details.

title The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspection scheme details.

Example

Lists all defined modular inputs.

This example lists the two examples provided in Splunk documentation.

curl -k -u admin:pass https://localhost:8089/services/data/modular-inputs

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>modular-inputs</title>
  <id>https://localhost:8089/services/data/modular-inputs</id>
  <updated>2012-07-09T09:12:41-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
   <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>s3</title>
    <id>https://localhost:8089/services/data/modular-inputs/s3</id>
    <updated>2012-07-09T09:12:41-07:00</updated>
    <link href="/services/data/modular-inputs/s3" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/modular-inputs/s3" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Amazon S3.</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="key_id">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Amazon key ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Key ID</s:key>
                  </s:dict>
                </s:key>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description"><![CDATA[An S3 resource name without the leading s3://.  For example, for s3://bucket/file.txt specify bucket/file.txt.  You can also monitor a whole bucket (for example by specifying 'bucket'), or files within a sub-directory of a bucket (for example 'bucket/some/directory/'; note the trailing slash).]]></s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Resource name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="secret_key">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Amazon secret key.</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Secret key</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">xml</s:key>
        <s:key name="title">Amazon S3</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/modular-inputs/twitter</id>
    . . .
    <!-- the twitter example elided for brevity. -->
    <!-- the twitter example is listed for data/modular-inputs/{name}/ example -->
  </entry>
</feed>
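The GET listing above is paged with count and offset (count=0 returns everything) and filtered with a URI-encoded search expression, and each entry's endpoint/args block says which arguments a new instance of that modular input needs (required_on_create). The following Python is an added example, not code from the Splunk manual or from Splunk: it walks a listing page by page, then reads the required arguments out of an entry so a client can check a planned configuration before posting it. The HTTPS call is stood in for by fake_fetch over a constructed listing; the s3 arguments mirror the manual's example (there, name carries no required_on_create key), while the twitter and example entries and all function names are this example's own.

```python
# Added example (not from the Splunk REST manual): paging a listing endpoint
# and extracting required_on_create args from a modular input's endpoint/args.
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}


def listing_query(count=30, offset=0, search=None, sort_key="name", sort_dir="asc"):
    """Query string for a GET listing; urlencode applies the URI-encoding the manual asks for."""
    params = {"count": count, "offset": offset, "sort_key": sort_key, "sort_dir": sort_dir}
    if search:
        params["search"] = search
    return urlencode(params)


def iter_entries(fetch, page_size=30):
    """Yield every <entry> of a listing, fetching page_size entries at a time.

    fetch(query_string) -> feed XML text (in real use, the body of a verified HTTPS
    GET). A short page marks the end of the listing; page_size=0 asks for all
    entries at once, so that case is a single fetch.
    """
    offset = 0
    while True:
        root = ET.fromstring(fetch(listing_query(count=page_size, offset=offset)))
        entries = root.findall("atom:entry", NS)
        yield from entries
        if page_size == 0 or len(entries) < page_size:
            return
        offset += page_size


def required_args(entry):
    """Names of endpoint args with required_on_create=1, sorted by their 'order' value."""
    args = entry.find("atom:content/s:dict/s:key[@name='endpoint']/s:dict"
                      "/s:key[@name='args']/s:dict", NS)
    if args is None:
        return []
    found = []
    for arg in args.findall("s:key", NS):
        spec = {k.get("name"): (k.text or "") for k in arg.findall("s:dict/s:key", NS)}
        if spec.get("required_on_create") == "1":
            found.append((int(spec.get("order", "0")), arg.get("name")))
    return [name for _, name in sorted(found)]


def missing_required(entry, supplied):
    """Required-on-create args absent from a planned configuration (a dict of arg -> value)."""
    return [name for name in required_args(entry) if name not in supplied]


# ---- constructed sample listing (stands in for the HTTPS endpoint) ----
FEED_HEAD = ('<feed xmlns="http://www.w3.org/2005/Atom" '
             'xmlns:s="http://dev.splunk.com/ns/rest"><title>modular-inputs</title>')


def _arg(name, order, required=None):
    """XML for one endpoint arg; description/title omitted for brevity."""
    req = f'<s:key name="required_on_create">{required}</s:key>' if required is not None else ""
    return (f'<s:key name="{name}"><s:dict><s:key name="data_type">string</s:key>'
            f'<s:key name="order">{order}</s:key>{req}</s:dict></s:key>')


def _entry(title, *args):
    return (f'<entry><title>{title}</title><content type="text/xml"><s:dict>'
            f'<s:key name="endpoint"><s:dict><s:key name="args"><s:dict>{"".join(args)}'
            f'</s:dict></s:key></s:dict></s:key><s:key name="streaming_mode">xml</s:key>'
            f'</s:dict></content></entry>')


SAMPLE_ENTRIES = [
    _entry("s3", _arg("name", 0), _arg("key_id", 1, 1), _arg("secret_key", 2, 1)),
    _entry("twitter", _arg("name", 0), _arg("password", 1, 1)),   # constructed
    _entry("example", _arg("name", 0)),                            # constructed
]
CALLS = []  # query strings seen by fake_fetch, so paging can be inspected


def fake_fetch(query):
    """Serve SAMPLE_ENTRIES with the count/offset semantics from the manual's table."""
    CALLS.append(query)
    q = parse_qs(query)
    count, offset = int(q["count"][0]), int(q["offset"][0])
    page = SAMPLE_ENTRIES[offset:] if count == 0 else SAMPLE_ENTRIES[offset:offset + count]
    return FEED_HEAD + "".join(page) + "</feed>"


if __name__ == "__main__":
    for entry in iter_entries(fake_fetch, page_size=2):
        title = entry.findtext("atom:title", namespaces=NS)
        print(title, required_args(entry))
    print(len(CALLS), "fetches")
```

Running a pre-flight missing_required check against the live listing catches a create request that the server would otherwise reject with a 400, and the paging loop is the same whatever data/inputs listing is being read, since they all take the same count and offset parameters.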

data/modular-inputs/{name}

GET data/modular-inputs/{name}

Lists information about the modular input specified by {name}.

For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view modular input entries.
404 Modular input specified by {name} does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
description The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspection scheme details.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspection scheme details.

streaming_mode Indicates the streaming mode for the modular input.

Valid values:

xml
simple (plain text)


title The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspection scheme details.

Example

Lists details about the twitter modular input.

curl -k -u admin:pass https://localhost:8089/services/data/modular-inputs/twitter
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>modular-inputs</title>
  <id>https://localhost:8089/services/data/modular-inputs</id>
  <updated>2012-07-09T11:07:29-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/modular-inputs/twitter</id>
    <updated>2012-07-09T11:07:29-07:00</updated>
    <link href="/services/data/modular-inputs/twitter" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/modular-inputs/twitter" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Twitter.</s:key>
        <!-- eai:acl and eai:attribute nodes elided for brevity. -->
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Twitter feed name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="password">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your twitter password</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Password</s:key>
                  </s:dict>
                </s:key>
                <s:key name="username">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Twitter ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Twitter ID/Handle</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">simple</s:key>
        <s:key name="title">Twitter</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
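
The response above is plain Atom with Splunk's `<s:dict>`/`<s:key>` content format nested inside each entry. The following added example, which is not part of Splunk's documentation or code, walks that structure into ordinary Python dicts and then summarises the endpoint arguments: their `order`, whether they are `required_on_create`, and (a heuristic of this example, not anything the API reports) whether the argument name or title suggests a credential, so an operator can see at a glance which values of a modular input configuration have to be handled as secrets. `SAMPLE_FEED` is a trimmed copy of the twitter response shown above; all function names are this example's own.

```python
"""Added example (not Splunk's own code): parse the feed returned by
GET data/modular-inputs/{name} and summarise its endpoint arguments.
SAMPLE_FEED is a trimmed copy of the twitter response shown above."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"
# Heuristic (this example's assumption): arg names/titles that suggest a credential.
SECRET_WORDS = ("password", "secret", "token", "key")

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>twitter</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Twitter.</s:key>
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Twitter feed name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="password">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="title">Password</s:key>
                  </s:dict>
                </s:key>
                <s:key name="username">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="title">Twitter ID/Handle</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">simple</s:key>
        <s:key name="title">Twitter</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def parse_container(node):
    """Turn an <s:dict> into a dict keyed by name, or an <s:list> into a list."""
    if node.tag == SREST + "dict":
        return {k.get("name"): parse_key(k) for k in node.findall(SREST + "key")}
    return [parse_key(item) for item in node.findall(SREST + "item")]


def parse_key(key):
    """An <s:key> or <s:item> either wraps a nested container or holds plain text."""
    for tag in ("dict", "list"):
        child = key.find(SREST + tag)
        if child is not None:
            return parse_container(child)
    return (key.text or "").strip()


def parse_modular_inputs(feed_xml):
    """Return {entry title: parsed <content> dict} for every <entry> in the feed."""
    root = ET.fromstring(feed_xml)
    parsed = {}
    for entry in root.findall(ATOM + "entry"):
        sdict = entry.find(ATOM + "content/" + SREST + "dict")
        parsed[entry.findtext(ATOM + "title")] = parse_container(sdict) if sdict is not None else {}
    return parsed


def describe_args(content):
    """List endpoint args in 'order', marking those required on create and those
    whose name or title suggests a credential the operator must protect."""
    args = content.get("endpoint", {}).get("args", {})
    rows = []
    for name, spec in sorted(args.items(), key=lambda kv: int(kv[1].get("order", "0"))):
        label = (name + " " + spec.get("title", "")).lower()
        rows.append({
            "name": name,
            "data_type": spec.get("data_type", ""),
            "required_on_create": spec.get("required_on_create") == "1",
            "looks_secret": any(word in label for word in SECRET_WORDS),
        })
    return rows
```

`parse_modular_inputs(SAMPLE_FEED)["twitter"]` yields the same nested structure the XML shows (`endpoint -> args -> password -> required_on_create`), and `describe_args` on it lists `name`, `username`, `password` in `order`, with only `password` flagged by the credential heuristic. The same two parsing helpers work for any other endpoint that returns `<s:dict>` content.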


indexing/preview

Preview events from a source file before you index the file.

Typically, you create a data preview job for a source file. Use the resulting data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events that would be generated from indexing the source file.

You can also check the status of a data preview job with GET /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. For more information, see GET /search/jobs/{search_id}.

Note: This endpoint is new in Splunk 4.3.

GET indexing/preview

Return a list of all data preview jobs. Data returned includes the Splunk management URI to access each preview job.

Use the data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events from the source file.

Note: Use the POST operation of this endpoint to create a data preview job and return the corresponding data preview job ID.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.

Returned Values

No values returned for this request.

Example

Return the data preview job ID of all data preview jobs. Data returned includes the Splunk management URI for each data preview job.

This example shows entries for three data preview jobs.

curl -k -u admin:pass https://localhost:8089/services/indexing/preview
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>preview</title>
  <id>https://localhost:8089/services/indexing/preview</id>
  <updated>2011-11-28T14:35:35-08:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>1322518170.8</title>
    <id>https://localhost:8089/services/indexing/preview/1322518170.8</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322518170.8" rel="alternate"/>
    <link href="/services/search/jobs/1322518170.8" rel="job"/>
  </entry>
  <entry>
    <title>1322519686.9</title>
    <id>https://localhost:8089/services/indexing/preview/1322519686.9</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322519686.9" rel="alternate"/>
    <link href="/services/search/jobs/1322519686.9" rel="job"/>
  </entry>
  <entry>
    <title>1322519724.10</title>
    <id>https://localhost:8089/services/indexing/preview/1322519724.10</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322519724.10" rel="alternate"/>
    <link href="/services/search/jobs/1322519724.10" rel="job"/>
  </entry>
</feed>

POST indexing/preview

Create a preview data job for the specified source file, returning the preview data job ID. Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.

You can optionally define sourcetypes for the preview data job in props.conf.

Request

Name Type Required Default Description
input.path String
The absolute path to the local file whose indexed events you want to preview.
props.<props_attr> String Define a new sourcetype in props.conf for preview data that you are indexing.

Typically, you first examine the preview data events returned from GET /search/jobs/{job_id}/events. Then you define new sourcetypes as needed with this endpoint.

Response Codes

Status Code Description
201 Created successfully.

Returned Values

No values returned for this request.

Example

Create a data preview index job for the local file, $SPLUNK_HOME/var/log/splunk/metrics.log. This operation returns the data preview job ID. Use this job ID in /search/jobs/{search_id}/results_preview to view the events that would be generated by indexing this file.

Create the data preview job:

curl -k -u admin:pass https://localhost:8089/services/indexing/preview \
	-d input.path=/Applications/splunk/var/log/splunk/metrics.log
<response>
  <messages>
    <msg type='INFO'>1319496093.11</msg>
  </messages>
</response>

Now, use the returned job ID to preview the events:

curl -k -u admin:pass https://localhost:8089/services/search/jobs/1319496093.11/results_preview
<results preview='0'>
<meta>
<fieldOrder>
<field>_raw</field>
<field>_subsecond</field>
<field>_time</field>
<field>_timelen</field>
<field>_timestartpos</field>
<field>host</field>
<field>linecount</field>
<field>source</field>
<field>sourcetype</field>
</fieldOrder>
</meta>
  <result offset='0'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:41:31.409 -0800 INFO  Metrics - group=pipeline, name=indexerpipe, processor=indexandforward, cpu_seconds=0.000000, executes=74, cumulative_hits=26664</v></field>
    <field k='_subsecond'>
      <value><text>.409</text></value>
    </field>
    <field k='_time'>
      <value><text>2011-11-28T13:41:31.409-08:00</text></value>
    </field>
    <field k='_timelen'>
      <value><text>29</text></value>
    </field>
    <field k='_timestartpos'>
      <value><text>0</text></value>
    </field>
    <field k='host'>
      <value><text>vgenovese-mbp15.splunk.com</text></value>
    </field>
    <field k='linecount'>
      <value><text>1</text></value>
    </field>
    <field k='source'>
      <value><text>/Applications/splunk/var/log/splunk/metrics.log</text></value>
    </field>
    <field k='sourcetype'>
      <value><text>splunkd</text></value>
    </field>
  </result>
  . . .
  <!-- result nodes 1 - 98 elided for brevity. -->
  . . .
  <result offset='99'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:42:33.314 -0800 INFO  Metrics - group=pipeline, name=typing, processor=annotator, cpu_seconds=0.000000, executes=45, cumulative_hits=17246</v></field>
    <field k='_subsecond'>
      <value><text>.314</text></value>
    </field>
    <field k='_time'>
      <value><text>2011-11-28T13:42:33.314-08:00</text></value>
    </field>
    <field k='_timelen'>
      <value><text>29</text></value>
    </field>
    <field k='_timestartpos'>
      <value><text>0</text></value>
    </field>
    <field k='host'>
      <value><text>vgenovese-mbp15.splunk.com</text></value>
    </field>
    <field k='linecount'>
      <value><text>1</text></value>
    </field>
    <field k='source'>
      <value><text>/Applications/splunk/var/log/splunk/metrics.log</text></value>
    </field>
    <field k='sourcetype'>
      <value><text>splunkd</text></value>
    </field>
  </result>
</results>
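
The two-step workflow shown above (POST indexing/preview, then read the job ID from the INFO message and fetch results_preview) is easy to automate. The following added example, which is not Splunk's own code, builds the form body for the POST, extracts the job ID from the `<response>` document, flattens the `<results>` document into one dict per event, and runs the checks worth doing before a file is actually indexed: a single sourcetype was assigned, events were not unexpectedly merged into multi-line events, no `_raw` was truncated, and every event carries a `_time`. `JOB_RESPONSE` and the first two records of `RESULTS_PREVIEW` are copied (shortened) from the page's example; the third record, with `linecount` 3, `trunc='1'` and sourcetype `unknown_app`, is constructed here to show what the check reports. Function names are this example's own.

```python
"""Added example (not Splunk's own code): the indexing/preview workflow as
offline parsing of the two responses. The third result is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

JOB_RESPONSE = """<response>
  <messages>
    <msg type='INFO'>1319496093.11</msg>
  </messages>
</response>"""

RESULTS_PREVIEW = """<results preview='0'>
  <result offset='0'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:41:31.409 -0800 INFO  Metrics - group=pipeline, name=indexerpipe</v></field>
    <field k='_time'><value><text>2011-11-28T13:41:31.409-08:00</text></value></field>
    <field k='linecount'><value><text>1</text></value></field>
    <field k='sourcetype'><value><text>splunkd</text></value></field>
  </result>
  <result offset='1'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>11-28-2011 13:42:33.314 -0800 INFO  Metrics - group=pipeline, name=typing</v></field>
    <field k='_time'><value><text>2011-11-28T13:42:33.314-08:00</text></value></field>
    <field k='linecount'><value><text>1</text></value></field>
    <field k='sourcetype'><value><text>splunkd</text></value></field>
  </result>
  <result offset='2'>
    <field k='_raw'><v xml:space='preserve' trunc='1'>CONSTRUCTED multi-line record for the example ...</v></field>
    <field k='_time'><value><text>2011-11-28T13:42:34.000-08:00</text></value></field>
    <field k='linecount'><value><text>3</text></value></field>
    <field k='sourcetype'><value><text>unknown_app</text></value></field>
  </result>
</results>"""


def preview_request_body(path, props=None):
    """Form body for POST indexing/preview: input.path plus optional props.<attr> overrides."""
    params = {"input.path": path}
    for attr, value in (props or {}).items():
        params["props." + attr] = value
    return urlencode(params)


def job_id_from_response(xml_text):
    """The new job ID is returned as the text of the INFO message."""
    root = ET.fromstring(xml_text)
    for msg in root.iter("msg"):
        if msg.get("type") == "INFO" and msg.text:
            return msg.text.strip()
    raise ValueError("no INFO message carrying a job ID in the response")


def parse_results_preview(xml_text):
    """Flatten each <result> into a dict; _raw is wrapped in <v> with a trunc flag."""
    events = []
    for result in ET.fromstring(xml_text).iter("result"):
        event = {"offset": int(result.get("offset"))}
        for field in result.findall("field"):
            key = field.get("k")
            v = field.find("v")
            if v is not None:
                event[key] = v.text or ""
                event["_truncated"] = v.get("trunc") == "1"
            else:
                event[key] = field.findtext("value/text") or ""
        events.append(event)
    return events


def preview_summary(events):
    """Checks to run before committing to index the file: one sourcetype,
    single-line events, nothing truncated, and a timestamp on every event."""
    return {
        "events": len(events),
        "sourcetypes": sorted({e.get("sourcetype", "") for e in events}),
        "multiline": [e["offset"] for e in events if e.get("linecount") != "1"],
        "truncated": [e["offset"] for e in events if e.get("_truncated")],
        "missing_time": [e["offset"] for e in events if not e.get("_time")],
    }
```

In live use, `preview_request_body` is the `-d` payload of the POST, `job_id_from_response` is applied to its reply, and `parse_results_preview` to the body of GET /search/jobs/{search_id}/results_preview. On the sample above the summary reports two sourcetypes (`splunkd` and the constructed `unknown_app`) and flags offset 2 as both multi-line and truncated, which is exactly the situation in which you would adjust props.<props_attr> and re-run the preview rather than index the file.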


indexing/preview/{job_id}

GET indexing/preview/{job_id}

Returns the props.conf settings for the data preview job specified by {job_id}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
404 Specified job ID does not exist.

Returned Values

No values returned for this request.

Example

Return the props.conf settings for the specified data preview job.


curl -k -u admin:pass https://localhost:8089/services/indexing/preview/1319496093.11
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>1319496093.11</title>
  <id>https://localhost:8089/services/indexing/preview/1319496093.11</id>
  <updated>2011-10-24T15:44:09-07:00</updated>
  <link href="/services/indexing/preview/1319496093.11" rel="alternate"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="explicit">
        <s:dict>
          <s:key name="PREFERRED_SOURCETYPE">
            <s:dict>
              <s:key name="value">splunkd</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="inherited">
        <s:dict>
          <s:key name="ANNOTATE_PUNCT">
            <s:dict>
              <s:key name="value">True</s:key>
              <s:key name="stanza">default</s:key>
            </s:dict>
          </s:key>
          . . .
           <!-- additional inherited key values elided for brevity. -->
          <s:key name="sourcetype">
            <s:dict>
              <s:key name="value">splunkd</s:key>
              <s:key name="stanza">source::.../var/log/splunk/metrics.log(.\d+)?</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
    </s:dict>
  </content>
  <link href="/services/search/jobs/1319496093.11" rel="job"/>
</entry>


receivers/simple

Allows for sending events to Splunk in an HTTP request.

POST receivers/simple

Create events from the contents contained in the HTTP body.

Request

Note that all metadata is specified as URL query parameters; the HTTP body carries only the raw event text.

Name Type Required Default Description
<arbitrary_data> String
Raw event text. This will be the entirety of the HTTP request body.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String default The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.

Response Codes

Status Code Description
200 Data accepted.
400 Request error. See response body for details.
404 Receiver does not exist.

Returned Values

No values returned for this request.

Example

Send an event with sourcetype web_event and source www to this Splunk indexer.


curl -k -u admin:pass "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" \
	-d "Sun Jul 10 15:56:02 PDT 2011   User myusername logged in successfully."


<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>default</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>67</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>127.0.0.1</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>www</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>web_event</text>
        </value>
      </field>
    </result>
  </results>
</response>

receivers/stream

Opens a socket for streaming events to Splunk.

POST receivers/stream

Create events from the stream of data following HTTP headers.

Request

Name Type Required Default Description
<data_stream> String
Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.

Response Codes

Status Code Description
200 Data accepted.
204 Request completed by server but no data available.
400 Request error. See response body for details.
404 Receiver does not exist.

Returned Values

No values returned for this request.

Example

Stream an arbitrary number of events to Splunk Enterprise. A Python script using the standard-library http.client module (httplib in Python 2) demonstrates a realistic use of this endpoint. The script sends one event per second to Splunk Enterprise, and continues to run until you press <CTRL-C>.

Note: For streaming connections, x-splunk-input-mode must be specified in the header.

import http.client  # named httplib in Python 2
import time

# One TLS connection stays open for the whole session. Python 3 verifies the
# server certificate by default, so the splunkd certificate must be trusted.
conn = http.client.HTTPSConnection("localhost", 8089)
conn.connect()
conn.putrequest("POST", "/services/receivers/stream?source=www&sourcetype=web_data")
# Session key authentication; the key shown is the page's example value.
conn.putheader("Authorization", "Splunk 67bed982ce1af9ba2e393b15ed63c916")
# Required for streaming connections, as noted above.
conn.putheader("x-splunk-input-mode", "streaming")
conn.endheaders()

print("Looping...")
while True:
    # The socket expects bytes; each newline-terminated line becomes one event.
    conn.send(("%s A sample event.\n" % time.asctime()).encode("utf-8"))
    time.sleep(1)


There is no response for this request.
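
Both receiver endpoints take the same metadata (host, host_regex, index, source, sourcetype) as query parameters and the same `Authorization: Splunk <sessionKey>` header. The following added example, which is not Splunk's own code, wraps them in a small http.client helper: metadata values are URL-encoded (so a host_regex containing `^`, `(` or `+` cannot break the query string), the server certificate is verified with the default SSL context rather than skipped as curl's `-k` does, and the `<response>` document the simple receiver returns is parsed into a dict so the caller can confirm the `bytes`, `_index` and `sourcetype` the server actually recorded. `SIMPLE_RESPONSE` is copied from the receivers/simple example above; the session key is assumed to have been obtained separately, and the function names are this example's own.

```python
"""Added example (not Splunk's own code): http.client helpers for
receivers/simple and receivers/stream with encoded metadata and a
verified TLS connection. SIMPLE_RESPONSE is copied from the page."""
import http.client
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SIMPLE_RESPONSE = """<response>
  <results>
    <result>
      <field k="_index"><value><text>default</text></value></field>
      <field k="bytes"><value><text>67</text></value></field>
      <field k="host"><value><text>127.0.0.1</text></value></field>
      <field k="source"><value><text>www</text></value></field>
      <field k="sourcetype"><value><text>web_event</text></value></field>
    </result>
  </results>
</response>"""


def receiver_path(mode, **metadata):
    """Build /services/receivers/<mode>?host=..&host_regex=..&index=..&source=..&sourcetype=..
    Values are URL-encoded so a regex or a source with spaces cannot corrupt the query."""
    if mode not in ("simple", "stream"):
        raise ValueError("mode must be 'simple' or 'stream'")
    present = {k: v for k, v in metadata.items() if v is not None}
    return "/services/receivers/" + mode + ("?" + urlencode(present) if present else "")


def auth_headers(session_key):
    """Splunk session-key authentication, the same header the streaming script uses."""
    return {"Authorization": "Splunk " + session_key}


def parse_simple_response(xml_text):
    """Field/value pairs of the single <result> that receivers/simple returns."""
    root = ET.fromstring(xml_text)
    return {f.get("k"): f.findtext("value/text") or "" for f in root.iter("field")}


def post_simple_event(host, port, session_key, event_text, **metadata):
    """One event per request via receivers/simple; returns the parsed response.
    Assumes the splunkd certificate is trusted by the default SSL context."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    conn.request("POST", receiver_path("simple", **metadata),
                 body=event_text.encode("utf-8"), headers=auth_headers(session_key))
    resp = conn.getresponse()
    body = resp.read().decode("utf-8")
    conn.close()
    if resp.status != 200:
        raise RuntimeError("receiver returned %d: %s" % (resp.status, body))
    return parse_simple_response(body)


def stream_events(host, port, session_key, events, **metadata):
    """Send an iterable of event strings over one receivers/stream connection.
    x-splunk-input-mode: streaming is required for this endpoint (see the note above).
    Returns the number of bytes written; the endpoint sends no response."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    conn.putrequest("POST", receiver_path("stream", **metadata))
    for name, value in auth_headers(session_key).items():
        conn.putheader(name, value)
    conn.putheader("x-splunk-input-mode", "streaming")
    conn.endheaders()
    sent = 0
    for line in events:
        data = (line.rstrip("\n") + "\n").encode("utf-8")  # one event per line
        conn.send(data)
        sent += len(data)
    conn.close()
    return sent
```

`post_simple_event("localhost", 8089, session_key, "Sun Jul 10 15:56:02 PDT 2011   User myusername logged in successfully.", source="www", sourcetype="web_event")` reproduces the curl example above and returns the parsed fields, so a caller can check that `bytes` matches what it sent and that `_index` is the one intended. `stream_events` takes any iterable, including a generator that yields one line per second, which is the shape of the page's looping script.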

This documentation applies to the following versions of Splunk: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1, 6.1.1, 6.1.2, 6.1.3

