REST API Reference




REST API reference and user guide

This section gives a detailed description of each endpoint interface.

See the REST API user guide section for an introduction to accessing Splunk Enterprise resources using the REST API.

Endpoint classification

Class            Description
Access control   Authorize and authenticate users.
Applications     Install applications and application templates.
Clusters         Configure and manage cluster master and peer nodes.
Configuration    Access and modify configuration files and settings.
Deployment       Manage deployment servers and clients.
Indexes          Manage data indexes.
Inputs           Manage data input.
Knowledge        Define indexed and searched data configurations.
Licensing        Manage licensing configurations.
Outputs          Manage forwarder data configuration.
Search           Manage searches and search-generated alerts and view objects.
System           Manage server configuration.

Common GET request parameters

The following parameters are valid for most GET requests:

Name       Type    Default  Description
count      Number  30       Maximum number of entries to return. Set value to zero to get all available entries.
offset     Number  0        Index of first item to return.
search     String           Response filter, where the response field values are matched against this search expression.
                            search=foo matches on any field containing foo.
                            search=field_name%3Dfield_value restricts the match to a single field. (Requires URI-encoding.)
sort_dir   Enum    asc      Response sort order:
                            asc = ascending
                            desc = descending
sort_key   String  name     Field name to use for sorting.
sort_mode  Enum    auto     Collating sequence for sorting the response:
                            auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically.
                            alpha = Collate alphabetically, not case-sensitive.
                            alpha_case = Collate alphabetically, case-sensitive.
                            num = Collate numerically.
summarize  Bool    false    Response type:
                            true = Summarized response, omitting some index details, providing a faster response.
                            false = Full response.
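
The following Python example is added here and is not part of the Splunk documentation. It builds a GET query string from the parameters in the table above, rejects values outside the documented types and enums, and URI-encodes the search filter so that a value containing & or = cannot add or override parameters. The host name and endpoint path in any call, and the field helper argument, are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Parameter names and enum values copied from the table above.
ALLOWED = ("count", "offset", "search", "sort_dir", "sort_key",
           "sort_mode", "summarize")
ENUMS = {"sort_dir": {"asc", "desc"},
         "sort_mode": {"auto", "alpha", "alpha_case", "num"}}


def build_get_url(endpoint_url, *, field=None, **params):
    """Return endpoint_url with a validated, URI-encoded query string.

    `field` is a helper argument of this example, not a Splunk parameter:
    when given, the filter is sent as search=<field>=<search value>.
    """
    unknown = set(params) - set(ALLOWED)
    if unknown:
        raise ValueError(f"unsupported parameter(s): {sorted(unknown)}")
    if field is not None and "search" not in params:
        raise ValueError("field requires a search value")
    query = []
    for name in ALLOWED:                  # fixed, predictable order
        if name not in params:
            continue
        value = params[name]
        if name in ("count", "offset"):
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                raise ValueError(f"{name} must be a non-negative integer")
            value = str(value)            # count=0 asks for all entries
        elif name in ENUMS:
            if value not in ENUMS[name]:
                raise ValueError(f"{name} must be one of {sorted(ENUMS[name])}")
        elif name == "summarize":
            if not isinstance(value, bool):
                raise ValueError("summarize must be True or False")
            value = "true" if value else "false"
        elif not isinstance(value, str):
            raise ValueError(f"{name} must be a string")
        elif name == "search" and field is not None:
            value = f"{field}={value}"
        query.append((name, value))
    # safe="" percent-encodes every reserved character, so "=" becomes %3D
    # and "&" becomes %26 instead of starting a new parameter.
    encoded = urlencode(query, quote_via=quote, safe="")
    return endpoint_url + ("?" + encoded if encoded else "")


def decoded_params(url):
    """Parse a URL's query string back into (name, value) pairs."""
    return parse_qsl(urlsplit(url).query)
```

Passing the resulting URL to the HTTP client as a single argument keeps the filter value inside the search parameter even when it comes from user input.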

HTTP status codes

REST requests can return one or more of the following HTTP status codes, as applicable for the endpoint:

Status code  Generalized description
200          Request completed successfully.
201          Create request completed successfully.
400          Request error. See response body for details.
401          Authentication failure, invalid access credentials.
402          In-use Splunk license disables this feature.
403          Insufficient permission.
404          Requested endpoint does not exist.
409          Invalid operation for this endpoint. See response body for details.
500          Unspecified internal server error. See response body for details.
503          Feature is disabled in Splunk configuration file.

See Hypertext Transfer Protocol -- HTTP/1.1, Status Code Definitions for the complete standard and non-Splunk-specific definitions.

Conventions used for the examples

The reference examples use the cURL command-line utility to demonstrate the REST API. cURL is available with your *nix distribution or from the following resources:

PowerShell users can use Invoke-RestMethod.

This documentation applies to the following versions of Splunk: 6.0, 6.0.1, 6.0.2, 6.0.3.
