REST API Reference

Version

Knowledge

data/lookup-table-files
GET data/lookup-table-files
POST data/lookup-table-files
data/lookup-table-files/{name}
DELETE data/lookup-table-files/{name}
GET data/lookup-table-files/{name}
POST data/lookup-table-files/{name}
data/props/calcfields
GET data/props/calcfields
POST data/props/calcfields
data/props/calcfields/{name}
DELETE data/props/calcfields/{name}
GET data/props/calcfields/{name}
POST data/props/calcfields/{name}
data/props/extractions
GET data/props/extractions
POST data/props/extractions
data/props/extractions/{name}
DELETE data/props/extractions/{name}
GET data/props/extractions/{name}
POST data/props/extractions/{name}
data/props/fieldaliases
GET data/props/fieldaliases
POST data/props/fieldaliases
data/props/fieldaliases/{name}
DELETE data/props/fieldaliases/{name}
GET data/props/fieldaliases/{name}
POST data/props/fieldaliases/{name}
data/props/lookups
GET data/props/lookups
POST data/props/lookups
data/props/lookups/{name}
DELETE data/props/lookups/{name}
GET data/props/lookups/{name}
POST data/props/lookups/{name}
data/props/sourcetype-rename
GET data/props/sourcetype-rename
POST data/props/sourcetype-rename
data/props/sourcetype-rename/{name}
DELETE data/props/sourcetype-rename/{name}
GET data/props/sourcetype-rename/{name}
POST data/props/sourcetype-rename/{name}
data/transforms/extractions
GET data/transforms/extractions
POST data/transforms/extractions
data/transforms/extractions/{name}
DELETE data/transforms/extractions/{name}
GET data/transforms/extractions/{name}
POST data/transforms/extractions/{name}
data/transforms/lookups
GET data/transforms/lookups
POST data/transforms/lookups
data/transforms/lookups/{name}
DELETE data/transforms/lookups/{name}
GET data/transforms/lookups/{name}
POST data/transforms/lookups/{name}
directory
GET directory
directory/{name}
GET directory/{name}
saved/eventtypes
GET saved/eventtypes
POST saved/eventtypes
saved/eventtypes/{name}
DELETE saved/eventtypes/{name}
GET saved/eventtypes/{name}
POST saved/eventtypes/{name}
search/fields
GET search/fields
search/fields/{field_name}
GET search/fields/{field_name}
search/fields/{field_name}/tags
GET search/fields/{field_name}/tags
POST search/fields/{field_name}/tags
search/tags
GET search/tags
search/tags/{tag_name}
DELETE search/tags/{tag_name}
GET search/tags/{tag_name}
POST search/tags/{tag_name}

Knowledge

Use the Knowledge endpoints to define data configurations indexed and searched by Splunk.

data/lookup-table-files/*
data/props/*
data/transforms/*
directory/*
Manage how Splunk handles data through look-ups, field extractions, filed aliases, sourcetypes, and transforms.

saved/eventypes/*
Manage saved event types

search/fields/*
search/tags/*
Manage search field configurations and search time tags.

data/lookup-table-files

Provides access to lookup table files.

GET data/lookup-table-files

List lookup table files.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view lookup-table file.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
eai:appName	The app for which the lookup table applies.
eai:data	The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName	The Splunk user who created the lookup table.

Example

Retrieve the list of lookup table files.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T19:26:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T19:26:11-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/lookup-table-files

Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME.

Request

Name	Type	Required	Default	Description
eai:data	String	✓		Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
name	String	✓		The lookup table filename.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create lookup-table file.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
eai:appName	The app for which the lookup table applies.
eai:data	The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName	The Splunk user who created the lookup table.

Example

Create a private lookup table file from a file in the lookup staging area.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files \
	-d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv \
	-d name=lookup.csv

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:26:35-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:26:35-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files/{name}

DELETE data/lookup-table-files/{name}

Delete the named lookup table file.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete look-up table file.
404	Look-up table file does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Delete the lookup table file created earlier.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:43:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/lookup-table-files/{name}

List a single lookup table file.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view look-up table files.
404	Look-up table file does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
eai:appName	The app for which the lookup table applies.
eai:attributes	See Accessing Splunk resources
eai:data	The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName	The Splunk user who created the lookup table.

Example

Retrieve the newly created lookup table file.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:37:25-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:37:25-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/lookup-table-files/{name}

Modify a lookup table file by replacing it with a file from the upload staging area.

Request

Name	Type	Required	Default	Description
eai:data	String	✓		Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit look-up tble file.
404	Look-up table file does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
eai:appName	The app for which the lookup table applies.
eai:data	The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName	The Splunk user who created the lookup table.

Example

Replace the contents of an existing lookup table file with the contents of a file in the lookup staging area.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv \
	-d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:41:52-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:41:52-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields

Provides access to calculated fields, which are eval expressions in props.conf. See Define calculated fields in the Splunk Knowledge Manager manual for more information.

GET data/props/calcfields

Returns information on calculated fields for this instance of Splunk.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view the calculated field.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	The name of the calculated field, which includes the "EVAL-" prefix.
field.name	The name of the field which is being calculated with an EVAL expression.
stanza	The name of the stanza in props.conf that defines the calculated field.
type	The type of the calculated field. This is always EVAL.
value	The EVAL statement for the calculated field.

Example

List the calculated fields for this Splunk instance.

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:01:50-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:01:50-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/calcfields

Create an eval expression defining a calculated field in props.conf.

Request

Name	Type	Required	Description
name	String	✓	The name of the calculated field. Do not specify the "EVAL-" prefix for the field. When Splunk writes the calculated field to props.conf, it adds the "EVAL-" prefix.
stanza	String	✓	The name of the stanza in props.conf for the calculated field. The name can be any of the following: Sourcetype of an event host::<host>, where <host> is the host for an event source::<source>, where <source> is the source for an event. Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly.
value	String	✓	The eval statement, which can be evaluated to any value type, including multivals, boolean, or null. Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly. See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Name

Type

Required

Default

Description

name

String

✓

The name of the calculated field. Do not specify the "EVAL-" prefix for the field.

When Splunk writes the calculated field to props.conf, it adds the "EVAL-" prefix.

stanza

String

✓

The name of the stanza in props.conf for the calculated field.

The name can be any of the following:

Sourcetype of an event
host::<host>, where <host> is the host for an event
source::<source>, where <source> is the source for an event.

Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly.

value

String

✓

The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.

Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create the calculated field.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	The name of the calculated field, which includes the "EVAL-" prefix.
field.name	The name of the field which is being calculated with an EVAL expression.
stanza	The name of the stanza in props.conf that defines the calculated field.
type	The type of the calculated field. This is always EVAL.
value	The EVAL statement for the calculated field.

Example

Create the following calculated field in props.conf:

[<access_common>]

EVAL-response_time = response_time/1000

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields \
	-d name=response_time \
	-d stanza=%3Caccess_common%3E \
	-d value=response_time/1000

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T14:58:45-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T14:58:45-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields/{name}

DELETE data/props/calcfields/{name}

Deletes the named calculated field.

Note: Use URL-encoding to ensure that Splunk interprets the name of the calculated field correctly.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete the calculated field.
404	The caolculated field does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes the following calculated field:

<access_common> : EVAL-response_time

Note: Use URL encoding to make sure Splunk interprets the named field correctly.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time

<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:33:06-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

GET data/props/calcfields/{name}

Returns details about the named calculated field.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view the calculated field.
404	The calculated field does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	The name of the calculated field, which includes the "EVAL-" prefix.
field.name	The name of the field which is being calculated with an EVAL expression.
stanza	The name of the stanza in props.conf that defines the calculated field.
type	The type of the calculated field. This is always EVAL.
value	The EVAL statement for the calculated field.

Example

List the details of the following named calculated field:

<access_common> : EVAL-response_time

Note: Use URL encoding to make sure Splunk interprets the named field correctly.

curl -k -u admin:pass \
	https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:05:09-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:05:09-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
	<!-- eai:acl nodes elided for brevity. -->
	<!-- eai:attributes nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/calcfields/{name}

Update the named calculated field.

Request

Name	Type	Required	Default	Description
value	String			The eval statement, which can be evaluated to any value type, including multivals, boolean, or null. Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly. See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Name

Type

Required

Default

Description

value

String

The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.

Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit the calculated field.
404	The calculated field does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	The name of the calculated field, which includes the "EVAL-" prefix.
field.name	The name of the field which is being calculated with an EVAL expression.
stanza	The name of the stanza in props.conf that defines the calculated field.
type	The type of the calculated field. This is always EVAL.
value	The EVAL statement for the calculated field.

Example

Change the value of the exisiting calculated field from response_time/1000 to response_time/100. The resulting field in props.conf becomes:

[<access_common>]

EVAL-response_time = response_time/100

Note: Use URL encoding to make sure Splunk interprets the named field correctly.

curl -k -u admin:pass \
	https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time \
	-d value=response_time/100

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:14:19-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:14:19-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/100</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions

Provides access to search-time field extractions in props.conf.

GET data/props/extractions

List field extractions.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view extractions.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	The props.conf stanza to which this field extraction applies. for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the list of search-time extractions.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:55:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>access_combined : REPORT-access</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id>
    <updated>2011-07-10T22:55:04-07:00</updated>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">REPORT-access</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">access_combined</s:key>
        <s:key name="type">Uses transform</s:key>
        <s:key name="value">access-extractions</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/extractions

Create a new field extraction.

Request

Name	Type	Required	Description
name	String	✓	The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix.
stanza	String	✓	The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type	Enum	✓	Valid values: (REPORT \| EXTRACT) An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza.
value	String	✓	If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create extraction.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	Specifies the name of the stanza for the field extraction.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Create a new search-time extraction that extracts the port value from this FTP server log.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions \
	-d name=port \
	-d stanza=ftp_log \
	-d type=EXTRACT \
	-d "value=port (?<port_number>\d+)"

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:56:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T22:56:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions/{name}

DELETE data/props/extractions/{name}

Delete the named field extraction.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete named extraction.
404	Named extraction does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the extraction created earlier.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:42-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/extractions/{name}

List a single field extraction.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view named extraction.
404	Named extraction does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
eai:attributes	See Accessing Splunk resources
stanza	The props.conf stanza to which this field extraction applies. for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the newly created extraction. Note that the name is an aggregate of extraction, affected stanza, and extraction type.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:02:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:02:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/extractions/{name}

Modify the named field extraction.

Request

Name	Type	Required	Default	Description
value	String	✓		If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit named extraction.
404	Named extraction does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	Specifies the name of the stanza for the field extraction.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Adjust the regular expression for the recently created extraction.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port \
	-d "value=connection on port (?<port_number>\d+)"

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:05-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:05:05-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases

Provides access to field aliases in props.conf.

GET data/props/fieldaliases

List field aliases.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view filed aliases.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
alias.*	The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the list of field aliases.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:31:41-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:31:41-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/fieldaliases

Create a new field alias.

Request

Name	Type	Required	Description
name	String	✓	The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
stanza	String	✓	The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
alias.*	String		The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create field alias.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
alias.*	The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either inline or uses transform.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Create a new field alias.

Alias the field "foo" as "bar" for sourcetype "my_sourctype".

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases \
	-d name=alias_name \
	-d stanza=my_sourcetype \
	-d alias.foo=bar

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:30:17-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:30:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases/{name}

DELETE data/props/fieldaliases/{name}

Delete the named field alias.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete field alias.
404	Field alias does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the recently created field alias.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:37:45-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/fieldaliases/{name}

List a single field alias.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view field alias.
404	Field alias does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
alias.*	The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
eai:attributes	See Accessing Splunk resources
stanza	The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either `inline` or `uses transform`.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the newly created field alias.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:33:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:33:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>alias\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/fieldaliases/{name}

Modify the named field alias.

Request

Name	Type	Required	Default	Description
alias.*	String			The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit field alias.
404	Field alias does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
alias.*	The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
attribute	Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>.
stanza	The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type	Specifies the field extraction type, which can be either inline or uses transform.
value	If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Adjust the newly created field alias.

Alias the fields "hi and "bye" as "hello" and "goodbye", respectively.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name \
	-d alias.hi=hello \
	-d alias.bye=goodbye

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:34:36-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:34:36-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.bye">goodbye</s:key>
        <s:key name="alias.hi">hello</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">bye AS goodbye hi AS hello</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups

Provides access to automatic lookups in props.conf.

GET data/props/lookups

List automatic lookups.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view lookups.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, LOOKUP-my_lookup.
overwrite	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza	The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform	The transforms.conf stanza that defines the lookup to apply.
type	Specifies the field extraction type. For this endpoint, this is always `LOOKUP`
value	The transform stanza with the value for the lookup.

Example

Retrieve the list of automatic lookups.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:53-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/lookups

Create a new automatic lookup.

Request

Name	Type	Required	Description
name	String	✓	The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix.
overwrite	Boolean	✓	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza	String	✓	The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform	String	✓	The transforms.conf stanza that defines the lookup to apply.
lookup.field.input.*	String		A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. Note: This parameter is new in Splunk 4.3.
lookup.field.output.*	String		A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. Note: This parameter is new in Splunk 4.3.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create a lookup.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, LOOKUP-my_lookup.
lookup.field.input.*	A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.*	A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza	The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform	The transforms.conf stanza that defines the lookup to apply.
type	Specifies the field extraction type. For this endpoint, this is alwqys `LOOKUP`.
value	The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

Example

Create an automatic lookup named "my_lookup" on the sourcetype "my_sourcetype".

Use the lookup definition named "my_transform".

Match on the field "foo", and output the field "fuzz".

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups \
	-d name=my_lookup \
	-d overwrite=1 \
	-d stanza=my_sourcetype \
	-d transform=my_transform \
	-d lookup.field.input.foo= \
	-d lookup.field.output.fuzz=

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:31-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups/{name}

DELETE data/props/lookups/{name}

Delete the named automatic lookup.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete lookup.
404	Lookup does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the recently created automatic lookup.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:32-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/lookups/{name}

List a single automatic lookup.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view lookup.
404	Lookup does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, LOOKUP-my_lookup.
eai:attributes	See Accessing Splunk resources
overwrite	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza	The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform	The transforms.conf stanza that defines the lookup to apply.
type	Specifies the field extraction type. For this endpoint, this is always `LOOKUP`.
value	The transform stanza with the value for the lookup.

Example

Retrieve the newly created automatic lookup.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:06-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:06-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>overwrite</s:item>
                <s:item>transform</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>lookup\.field\.input\..*</s:item>
                <s:item>lookup\.field\.output\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/lookups/{name}

Modify the named automatic lookup.

Request

Name	Type	Required	Description
overwrite	Boolean	✓	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
transform	String	✓	The transforms.conf stanza that defines the lookup to apply.
lookup.field.input.*	String		A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. Note: This parameter is new in Splunk 4.3.
lookup.field.output.*	String		A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. Note: This parameter is new in Splunk 4.3.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit lookup.
404	Lookup does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	Specifies the field extraction configuration. For example, LOOKUP-my_lookup.
lookup.field.input.*	A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.*	A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite	If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza	The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform	The transforms.conf stanza that defines the lookup to apply.
type	Specifies the field extraction type. For this endpoint, this is alwqys `LOOKUP`.
value	The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

Example

Change the lookup and input/output fields for the recently created automatic lookup.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup \
	-d overwrite=1 \
	-d transform=other_transform \
	-d lookup.field.input.bar= \
	-d lookup.field.output.buzz=

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:21-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:21-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="lookup.field.input.bar"/>
        <s:key name="lookup.field.output.buzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">other_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">other_transform bar OUTPUT buzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename

Provides access to renamed sourcetypes which are configured in props.conf.

GET data/props/sourcetype-rename

List renamed sourcetypes.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view sourcetype renames.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	The configuration key.
stanza	The sourcetype to rename, which is the name of a stanza in props.conf.
type	The value of the configuration key.
value	The new name for the sourcetype.

Example

Retrieve the list of renamed sourcetypes. The sourcetype, hardware, was renamed to "hw" in the POST operation to this endpoint.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:40:53-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:40:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/sourcetype-rename

Rename a sourcetype.

Request

Name	Type	Required	Default	Description
name	String	✓		The original sourcetype name.
value	String	✓		The new sourcetype name.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create a rename for a sourcetype.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	The configuration key.
stanza	The sourcetype to rename, which is the name of a stanza in props.conf.
type	The value of the configuration key.
value	The new name for the sourcetype.

Example

Rename the sourcetype, hardware, to "hw."

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename \
	-d name=hardware \
	-d value=hw

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:39:57-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:39:57-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename/{name}

DELETE data/props/sourcetype-rename/{name}

Restore a sourcetype's original name.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete the rename for the sourcetype.
404	Rename for the sourcetype does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Restore the sourcetype hardware to its original name.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:49:16-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/sourcetype-rename/{name}

List a single renamed sourcetype.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view renames for sourcetypes.
404	Rename for sourcetype does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
attribute	The configuration key.
eai:attributes	See Accessing Splunk resources
stanza	The sourcetype to rename, which is the name of a stanza in props.conf.
type	The value of the configuration key.
value	The new name for the sourcetype.

Example

List the new name for the sourcetype, hardware.

This sourcetype was renamed to "hw" in the POST operation to this endpoint.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:44:47-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:44:47-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/sourcetype-rename/{name}

Rename a sourcetype again, i.e. modify a sourcetype's new name.

Request

Name	Type	Required	Default	Description
value	String	✓		The new sourcetype name.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit renames for the sourcetype.
404	Rename for the sourcetype does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
attribute	The configuration key.
stanza	The sourcetype to rename, which is the name of a stanza in props.conf.
type	The value of the configuration key.
value	The new name for the sourcetype.

Example

Rename the sourcetype hardware again, this time to hrdwr.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware \
	-d value=hrdwr

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:46:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:46:58-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hrdwr</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions

Provides access to field transformations, i.e. field extraction definitions.

GET data/transforms/extractions

List field transformations.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view field transformations.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation.
KEEP_EMPTY_VALS	If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if the field transformation is disabled.
eai:appName	The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName	The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Retrieve the list of field transformations.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:28:03-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>access-extractions</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id>
    <updated>2011-07-21T20:28:03-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">
<![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]>        </s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/transforms/extractions

Create a new field transformation.

Request

Name	Type	Required	Default	Description
REGEX	String	✓		Specify a regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms. REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) REGEX defaults to an empty string.
SOURCE_KEY	String	✓	_raw	Specify the KEY to which Splunk applies REGEX.
name	String	✓		The name of the field transformation.
CAN_OPTIMIZE	Bool		True	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction will ever be needed for the successful evaluation of a search. NOTE: This option should rarely be set to false.
CLEAN_KEYS	Boolean		True	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT	String			This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>\|$<extracting-group-number>] \tfield-value = [<string>\|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string.
KEEP_EMPTY_VALS	Boolean		False	If set to true, Splunk preserves extracted fields with empty values.
MV_ADD	Boolean		False	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled	Boolean			Specifies whether the field transformation is disabled.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create field transformation.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation.
KEEP_EMPTY_VALS	If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if the field transformation is disabled.
eai:appName	The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName	The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Create a new field transformation.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions \
	-d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" \
	-d SOURCE_KEY=_raw \
	-d name=my_transform

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:25:20-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:25:20-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions/{name}

DELETE data/transforms/extractions/{name}

Delete the named field transformation.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete named field transformation.
404	Named field transformation does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the newly created field transformation.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:34:30-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/transforms/extractions/{name}

List a single field transformation.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view named field transformation.
404	Named field transformation does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation.
KEEP_EMPTY_VALS	If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if the field transformation is disabled.
eai:appName	The Splunk app for which the field extractions are defined. For example, the search app.
eai:attributes	See Accessing Splunk resources
eai:userName	The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Retrieve the newly created field transformation.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:29:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:29:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>CAN_OPTIMIZE</s:item>
                <s:item>CLEAN_KEYS</s:item>
                <s:item>FORMAT</s:item>
                <s:item>KEEP_EMPTY_VALS</s:item>
                <s:item>MV_ADD</s:item>
                <s:item>disabled</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>REGEX</s:item>
                <s:item>SOURCE_KEY</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/transforms/extractions/{name}

Modify the named field transformation.

Request

Name	Type	Required	Default	Description
REGEX	String	✓		Specify a regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms. REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) REGEX defaults to an empty string.
SOURCE_KEY	String	✓	_raw	Specify the KEY to which Splunk applies REGEX.
CAN_OPTIMIZE	Bool		True	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction will ever be needed for the successful evaluation of a search. NOTE: This option should rarely be set to false.
CLEAN_KEYS	Boolean		True	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT	String			This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>\|$<extracting-group-number>] \tfield-value = [<string>\|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string.
KEEP_EMPTY_VALS	Boolean		False	If set to true, Splunk preserves extracted fields with empty values.
MV_ADD	Boolean		False	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled	Boolean			Specifies whether the field transformation is disabled.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit named field transformation.
404	Named field transformation does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation.
KEEP_EMPTY_VALS	If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if the field transformation is disabled.
eai:appName	The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName	The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Disable key cleaning on the newly created field transformation.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform \
	-d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" \
	-d SOURCE_KEY=_raw \
	-d CLEAN_KEYS=false

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:33:13-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:33:13-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">0</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups

Provides access to lookup definitions in transforms.conf.

GET data/transforms/lookups

List lookup definitions.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view lookups.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.
KEEP_EMPTY_VALS	If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if this lookup is disabled.
eai:appName	The Splunk app for which the lookups are defined. For example, the search app.
eai:userName	The Splunk user for which the lookups are defined.
external_cmd	Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table. This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based.
fields_list	List of all fields that are supported by the external command.
type	Specifies the field extraction type. Can be either external or file.

Example

Retrieve the list of lookup definitions.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:44-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>dnslookup</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id>
    <updated>2011-08-01T21:10:44-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
        <s:key name="fields_list">clienthost clientip</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/transforms/lookups

Create a new lookup definition.

Request

Name	Type	Required	Description
name	String	✓	The name of the lookup definition.
default_match	String		If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled	Boolean		Specifies whether the lookup definition is disabled.
external_cmd	String		Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table. This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based.
fields_list	String		A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename	String		The name of the static lookup table file.
max_matches	Number		The maximum number of possible matches for each input lookup value.
max_offset_secs	Number		For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches	Number		The minimum number of possible matches for each input lookup value.
min_offset_secs	Number		For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field	String		For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format	String		For temporal lookups, this specifies the "strptime" format of the timestamp field.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create lookup.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.
KEEP_EMPTY_VALS	If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
default_match	If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled	Specifies whether the lookup definition is disabled.
eai:appName	The Splunk app for which the lookups are defined. For example, the search app.
eai:userName	The Splunk user for which the lookups are defined.
external_cmd	Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table. This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based.
fields_list	List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename	The name of the static lookup table file.
max_matches	The maximum number of possible matches for each input lookup value. If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk uses the first <integer> entries, in file order. If the lookup is temporal, Splunk uses the first <integer> entries in descending time order. Default = 100 if the lookup is not temporal, default = 1 if it is temporal.
max_offset_secs	For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches	The minimum number of possible matches for each input lookup value.
min_offset_secs	For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field	For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format	For temporal lookups, this specifies the \\"strptime\\" format of the timestamp field.
type	Specifies the field extraction type. Can be either external or file.

Example

Create a new file-based lookup associated with lookup.csv.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups \
	-d name=my_lookup \
	-d filename=lookup.csv

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:33-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:10:33-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups/{name}

DELETE data/transforms/lookups/{name}

Delete the named lookup definition.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete named lookup.
404	Named lookup does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the newly created lookup definition.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:03:24-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/transforms/lookups/{name}

List a single lookup definition.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view named lookup.
404	Named lookup does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Indicates whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	Indicates whether Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.
KEEP_EMPTY_VALS	Indicates whether Splunk preserves extracted fields with empty values.
LOOKAHEAD	For index-time filed extractions. Specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	"If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
disabled	Indicates if this lookup is disabled.
eai:appName	The Splunk app for which the lookups are defined. For example, the search app.
eai:attributes	See Accessing Splunk resources
eai:userName	The Splunk user for which the lookups are defined.
filename	The name of the static lookup table file.
type	Specifies the field extraction type. Can be either external or file.

Example

Retrieve the newly created lookup definition.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:11:01-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:11:01-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>default_match</s:item>
                <s:item>disabled</s:item>
                <s:item>external_cmd</s:item>
                <s:item>fields_list</s:item>
                <s:item>filename</s:item>
                <s:item>max_matches</s:item>
                <s:item>max_offset_secs</s:item>
                <s:item>min_matches</s:item>
                <s:item>min_offset_secs</s:item>
                <s:item>time_field</s:item>
                <s:item>time_format</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/transforms/lookups/{name}

Modify the named lookup definition.

Request

Name	Type	Description
default_match	String	If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled	Boolean	Specifies whether the lookup definition is disabled.
external_cmd	String	Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table. This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based.
fields_list	String	A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename	String	The name of the static lookup table file.
max_matches	Number	The maximum number of possible matches for each input lookup value.
max_offset_secs	Number	For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches	Number	The minimum number of possible matches for each input lookup value.
min_offset_secs	Number	For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field	String	For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format	String	For temporal lookups, this specifies the "strptime" format of the timestamp field.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit named lookup.
404	Named lookup does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
CAN_OPTIMIZE	Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.
CLEAN_KEYS	If set to true, Splunk \\"cleans\\" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE	Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY	Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT	This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.
KEEP_EMPTY_VALS	If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD	Optional attribute for index-time filed extractions. specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).
MV_ADD	If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX	The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation.
SOURCE_KEY	The KEY to which Splunk applies REGEX.
WRITE_META	Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta.
default_match	If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled	Specifies whether the lookup definition is disabled.
eai:appName	The Splunk app for which the lookups are defined. For example, the search app.
eai:userName	The Splunk user for which the lookups are defined.
external_cmd	Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table. This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based.
fields_list	List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename	The name of the static lookup table file.
max_matches	The maximum number of possible matches for each input lookup value.
max_offset_secs	For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches	The minimum number of possible matches for each input lookup value.
min_offset_secs	For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field	For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format	For temporal lookups, this specifies the "strptime" format of the timestamp field.
type	Specifies the field extraction type. Can be either external or file.

Example

Change the newly created lookup to be based on a script instead of a lookup table file.

curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup \
	-d external_cmd=myscript.py \
	-d fields_list=a,b,c

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:00:07-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-07-21T20:00:07-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">myscript.py</s:key>
        <s:key name="fields_list">a,b,c</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

directory/{name}

GET directory/{name}

Displays information about a single entity in the directory service enumeration.

This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view the user configurable object.
404	User configurable object does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
eai:attributes	See Accessing Splunk resources

Example

This example displays information about a single enitity in the directory service enumeration.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:09:59-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>dashboard_live</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
    <updated>2011-05-16T19:09:59-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
            <s:dict>
                <s:key name="optionalFields">
                    <s:list/>
                </s:key>
                <s:key name="requiredFields">
                    <s:list/>
                </s:key>
                <s:key name="wildcardFields">
                    <s:list/>
                </s:key>
            </s:dict>
        </s:key>
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes

Provides access to saved event types.

GET saved/eventtypes

Retrieve saved event types.

Request

Name	Type	Default	Description
count	Number	30	Indicates the maximum number of entries to return. To return all entries, specify -1.
offset	Number	0	Index for first item to return.
search	String		Search expression to filter the response. The response matches field values against the search expression. For example: search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.
sort_dir	Enum	asc	Valid values: (asc \| desc) Indicates whether to sort returned entries in ascending or descending order.
sort_key	String	name	Field to use for sorting.
sort_mode	Enum	auto	Valid values: (auto \| alpha \| alpha_case \| num) Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view event types.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
description	Description of this event type.
disabled	Indicates if the event type is disabled.
eai:appName	The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName	Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority	The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search	Search terms for this event type.
tags	Deprecated. Tags associated with this event type. Use the tags.conf.spec file to assign tags to groups of events with related field values.

Example

Lists all saved event types accessible to the admin user in the search app.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:46:52-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>internal_search_terms</title>
    <id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id>
    <updated>2011-07-10T23:46:52-07:00</updated>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">
<![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]>        </s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST saved/eventtypes

Creates a new event type.

Request

Name	Type	Required	Default	Description
name	String	✓		The name for the event type.
search	String	✓		Search terms for this event type.
description	String			Human-readable description of this event type.
disabled	Boolean		0	If True, disables the event type.
priority	Number		1	Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags	String			Deprecated. Use tags.conf.spec file to assign tags to groups of events with related field values.

Response Codes

Status Code	Description
201	Created successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to create an event type.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
description	Description of this event type.
disabled	Indicates if this event type is disabled.
eai:appName	The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName	Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority	The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search	Search terms for this event type.
tags	Deprecated. Tags associated with this event type. Use tags.conf.spec file to assign tags to groups of events with related field values.

Example

Creates an event type, client-errors, for the specified search.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

Otherwise, these characters can be interpreted as part of the HTTP request.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes \
	-d name="client-errors" \
	--data-urlencode search=search="http client error NOT (403 OR 404)"

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:10-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:10-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes/{name}

DELETE saved/eventtypes/{name}

Deletes this event type.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to delete event type.
404	Event type does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes the saved event type, client-errors.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:29-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET saved/eventtypes/{name}

Returns information on this event type.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
403	Insufficient permissions to view event type.
404	Event type does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.

Returned Values

Attribute	Description
description	Description of this event type.
disabled	Indicates if the event type is disabled.
eai:appName	The Splunk app for which this event type applies. For example, the Splunk search app.
eai:attributes	See Accessing Splunk resources
eai:userName	Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority	The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search	Search terms for this event type.
tags	Deprecated. Tags associated with this event type. Use the tags.conf.spec file to assign tags to groups of events with related field values.

Example

Returns details on the event type, client-errors.

The example for the POST operation of saved/eventtypes creates this event type.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:17-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>priority</s:item>
                <s:item>tags</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>search</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST saved/eventtypes/{name}

Updates this event type.

Request

Name	Type	Required	Default	Description
search	String	✓		Search terms for this event type.
description	String			Human-readable description of this event type.
disabled	Boolean		0	If True, disables the event type.
priority	Number		1	Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags	String			Deprecated. Use tags.conf.spec file to assign tags to groups of events with related field values.

Response Codes

Status Code	Description
200	Updated successfully.
400	Request error. See response body for details.
401	Authentication failure: must pass valid credentials with request.
402	The Splunk license in use has disabled this feature.
403	Insufficient permissions to edit event type.
404	Event type does not exist.
409	Request error: this operation is invalid for this item. See response body for details.
500	Internal server error. See response body for details.
503	This feature has been disabled in Splunk configuration files.

Returned Values

Attribute	Description
description	Description of this event type.
disabled	Indicates if this event type is disabled.
eai:appName	The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName	Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority	The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search	Search terms for this event type.
tags	Deprecated. Tags associated with this event type. Use tags.conf.spec file to assign tags to groups of events with related field values.

Example

Updates the event type, client-errors, to specify a description for the event type. Note that the search must be re-specified for this edit.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

Otherwise, these characters can be interpreted as part of the HTTP request.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors \
	-d description="HTTP Client Errors" \
	--data-urlencode search=search="http client error NOT (403 OR 404)"

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:22-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:48:22-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">HTTP Client Errors</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

search/fields

Provides management for search field configurations.

Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overriden values in $SPLUNK_HOME/etc/system/local/fields.conf.

GET search/fields

Returns a list of fields registered for field configuration.

Request

Name

Type

Required

Default

Description

output_mode

String

xml

Specify output formatting. Select from either:

xml: XML formatting

json: JSON formatting

See JSON and other response formats for more information.

Response Codes

Status Code	Description
200	Listed successfully.

Returned Values

No values returned for this request.

Example

Returns the list of fields that have tags applied to them.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Fields</title>
  <id>/servicesNS/admin/search/search/fields</id>
  <updated>2011-07-11T10:04:51-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>_indextime</title>
    <id>/servicesNS/admin/search/search/fields/_indextime</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/>
  </entry>
  <entry>
    <title>_sourcetype</title>
    <id>/servicesNS/admin/search/search/fields/_sourcetype</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/>
  </entry>
  <entry>
    <title>date_hour</title>
    <id>/servicesNS/admin/search/search/fields/date_hour</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/>
  </entry>

  . . .

  <entry>
    <title>splunk_server</title>
    <id>/servicesNS/admin/search/search/fields/splunk_server</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/>
  </entry>
  <entry>
    <title>timeendpos</title>
    <id>/servicesNS/admin/search/search/fields/timeendpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/>
  </entry>
  <entry>
    <title>timestartpos</title>
    <id>/servicesNS/admin/search/search/fields/timestartpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/>
  </entry>
</feed>

search/fields/{field_name}

GET search/fields/{field_name}

Retrieves information about the named field.

Request

Name

Type

Required

Default

Description

output_mode

String

xml

Specify output formatting. Select from either:

xml: XML formatting

json: JSON formatting

See JSON and other response formats for more information.

Response Codes

Status Code	Description
200	Listed successfully.
400	Request error. See response body for details.

Returned Values

No values returned for this request.

Example

Returns information about the field configuration for the sourcetype search field.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype

<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype</title>
  <id>/servicesNS/admin/search/search/fields/sourcetype</id>
  <updated>2011-07-11T10:08:54-07:00</updated>
  <link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/>
  <content type="text">	Attr:INDEXED	True
	Attr:INDEXED_VALUE	False
	Attr:TOKENIZER	
</content>
</entry>

search/fields/{field_name}/tags

GET search/fields/{field_name}/tags

Returns a list of tags that have been associated with the field specified by {field_name}.

Request

No parameters for this request.

Response Codes

Because fields exist only at search time, this endpoint returns a 200 response for any non-empty request.

Status Code	Description
200	Listed successfully.
404	Named field does not exist.

Returned Values

No values returned for this request.

Example

Return the tags associated with the field host.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags for the host field</title>
  <id>/servicesNS/admin/search/search/fields/host/tags</id>
  <updated>2011-07-11T10:41:46-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>location::sfo</title>
    <id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id>
    <updated>2011-07-11T10:41:46-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/>
  </entry>
</feed>

POST search/fields/{field_name}/tags

Update the tags associated with the field specified by {field_name}.

The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.

You must specify at least one add or delete parameter.

Request

Name	Type	Required	Description
value	String	✓	The specific field value on which to bind the tags.
add	String		The tag to attach to this `field_name:value` combination.
delete	String		The tag to remove to this `field_name::value` combination.

Response Codes

Status Code	Description
200	Tags updated.
400	Request error. See response body for details.

Returned Values

No values returned for this request.

Example

For the field host, adds the tag sfo and deletes the tag nyc for the value location.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags \
	-d add=sfo \
	-d delete=nyc \
	-d value=location

<response>
  <messages>
    <msg type='INFO'>Successfully processed adds/deletes for field host</msg>
  </messages>
</response>

search/tags

Provides management of search time tags.

GET search/tags

Returns a list of all search time tags.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.

Returned Values

No values returned for this request.

Example

Display search time tags for this Splunk instance.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags</title>
  <id>/servicesNS/admin/search/search/tags</id>
  <updated>2011-07-08T01:35:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>machine</title>
    <id>/servicesNS/admin/search/search/tags/machine</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/>
  </entry>
  <entry>
    <title>user</title>
    <id>/servicesNS/admin/search/search/tags/user</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/>
  </entry>
</feed>

search/tags/{tag_name}

DELETE search/tags/{tag_name}

Deletes the tag, and its associated field:value pair assignments. The resulting change in tags.conf is to set all field:value pairs to disabled.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Deleted successfully.
404	Search tag does not exist.

Returned Values

No values returned for this request.

Example

Deletes the user tag.

tags.conf has been updated to mark this tag disabled.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/search/tags/user

<response>
  <messages>
    <msg type="INFO">Tag successfully deleted</msg>
  </messages>
</response>

GET search/tags/{tag_name}

Returns a list of field:value pairs that have been associated with the tag specified by {tag_name}.

Request

No parameters for this request.

Response Codes

Status Code	Description
200	Listed successfully.
404	Search tag does not exist.

Returned Values

No values returned for this request.

Example

Returns field:value pairs associated with the tag name "user."

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Field::Value pairs with tag user</title>
  <id>/servicesNS/admin/search/search/tags/user</id>
  <updated>2011-07-08T01:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>eventtype::userupdate</title>
    <id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id>
    <updated>2011-07-08T01:35:28-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/>
  </entry>
</feed>

POST search/tags/{tag_name}

Updates the field:value pairs associated with {tag_name}.

Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then deletes.

If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.

Request

Name	Type	Required	Default	Description
add	String			A field:value pair to tag with {tag_name}.
delete	String			A field:value pair to remove from {tag_name}.

Response Codes

Status Code	Description
200	Updated successfully.
201	Field successfuly added to tag.
400	Request error. See response body for details.

Returned Values

No values returned for this request.

Example

Adds a field::value pair and deletes an existing field::value pair.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user \
	-d add=eventtype::userupdate \
	-d delete=eventtype::useradd-suse

<response>
  <messages>
    <msg type="INFO">Processed adds/deletes for tag</msg>
  </messages>
</response>

Retrieved from "http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTknowledge"

« Inputs Licenses »

This documentation applies to the following versions of Splunk: 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Feedback submitted, thanks!

REST API Reference

Knowledge

Contents

Knowledge

data/lookup-table-files

GET data/lookup-table-files

Request

Response Codes

Returned Values

Example

POST data/lookup-table-files

Request

Response Codes

Returned Values

Example

data/lookup-table-files/{name}

DELETE data/lookup-table-files/{name}

Request

Response Codes

Returned Values

Example

GET data/lookup-table-files/{name}

Request

Response Codes

Returned Values

Example

POST data/lookup-table-files/{name}

Request

Response Codes

Returned Values

Example

data/props/calcfields

GET data/props/calcfields

Request

Response Codes

Returned Values

Example

POST data/props/calcfields

Request

Response Codes

Returned Values

Example

data/props/calcfields/{name}

DELETE data/props/calcfields/{name}

Request

Response Codes

Returned Values

Example

GET data/props/calcfields/{name}

Request

Response Codes

Returned Values

Example

POST data/props/calcfields/{name}

Request

Response Codes

Returned Values

Example

data/props/extractions

GET data/props/extractions

Request

Response Codes

Returned Values

Example

POST data/props/extractions

Request

Response Codes

Returned Values

Example

data/props/extractions/{name}

DELETE data/props/extractions/{name}

Request

Response Codes

Returned Values

Example

GET data/props/extractions/{name}

Request

Response Codes

Returned Values

Example