class Splunk::Service

A user friendly interface to the Splunk REST API.

Service subclasses Context (which provides the methods to login to Splunk and make requests to the REST API), and adds convenience methods for accessing the major collections of entities, such as indexes, search jobs, and configurations.

Public Instance Methods

apps()

Returns a collection of all the apps installed on Splunk.

Returns a Collection containing Entity objects.


require 'splunk-sdk-ruby'
service = Splunk::connect(:username => 'admin', 
                          :password => 'changeme')
service.apps.each do |app|

# File lib/splunk-sdk-ruby/service.rb, line 108
def apps
  Collection.new(self, PATH_APPS_LOCAL)
end

capabilities()

Returns an Array of all the capabilities roles may have in Splunk.

Capabilities are a fixed list on the server, so this method returns an Array rather than an Entity.

Returns: an Array of Strings.


service = Splunk::connect(:username => 'admin', 
                          :password => 'changeme')
puts service.capabilities
# Prints: ["admin_all_objects", "change_authentication",
#          "change_own_password", "delete_by_keyword", ...]
# File lib/splunk-sdk-ruby/service.rb, line 127
def capabilities
  response = request(:resource => PATH_CAPABILITIES)
  feed =

confs()

Returns a Collection of all the configuration files visible on Splunk.

The configurations you see are dependent on the namespace your Service is connected with. So if you are connected in the system namespace, you may see different values than if you're connected in the app namespace associated with a particular app, since the app may override some values within its scope.

The configuration files which are the contents of this Collection are not Entity objects, but Collection objects in their own right. They contain Entity objects representing the stanzas in that configuration file.

Returns: Configurations (a subclass of Collection containing ConfigurationFile objects).

# File lib/splunk-sdk-ruby/service.rb, line 150
def confs
  Configurations.new(self)
end

create_oneshot(query, args={})

Creates a blocking search.

The create_oneshot method starts a search with the given query and any optional arguments specified in a hash (these are identical to those taken by create). It then blocks until the job has finished and returns the results, as transformed by any transforming search commands in query (equivalent to calling the results method on a Job).

Returns: a stream readable by ResultsReader.

# File lib/splunk-sdk-ruby/service.rb, line 165
def create_oneshot(query, args={})
  jobs.create_oneshot(query, args)
end

create_stream(query, args={})

DEPRECATED. Use create_export instead.

# File lib/splunk-sdk-ruby/service.rb, line 195
def create_stream(query, args={})
  warn "[DEPRECATION] Service#create_stream is deprecated. Use Service#create_export instead."
  jobs.create_export(query, args)
end

indexes()

Returns a Collection of all Index objects.

Index is a subclass of Entity, with additional methods for manipulating indexes in particular.

# File lib/splunk-sdk-ruby/service.rb, line 206
def indexes
  Collection.new(self, PATH_INDEXES, entity_class=Index)
end

info()

Returns a Hash containing Splunk's runtime information.

The Hash has keys such as “build” (the number of the build of this Splunk instance), “cpu_arch” (what CPU Splunk is running on), and “os_name” (the name of the operating system Splunk is running on).

Returns: A Hash that has Strings as both keys and values.

# File lib/splunk-sdk-ruby/service.rb, line 219
def info
  response = request(:namespace => Splunk::namespace(:sharing => "default"),
                     :resource => PATH_INFO)
  feed =

inputs()

Returns a collection of the input kinds.

# File lib/splunk-sdk-ruby/service.rb, line 229
def inputs, PATH_INPUTS)

jobs()

Returns a collection of all the search jobs running on Splunk.

The Jobs object returned is a subclass of Collection, but also has convenience methods for starting oneshot and streaming jobs as well as creating normal, asynchronous jobs.

Returns: A Jobs object.

# File lib/splunk-sdk-ruby/service.rb, line 241
def jobs
  Jobs.new(self)
end

loggers()

Returns a collection of the loggers in Splunk.

Each logger records errors, warnings, debug output, or informational messages about a specific part of the Splunk system (e.g., WARN on DeploymentClient).

Returns: a Collection of Entity objects representing loggers.


service = Splunk::connect(:username => 'admin', :password => 'foo')
service.loggers.each do |logger|
  puts logger.name + ":" + logger['level']
end
# Prints:
#   ...
#   DedupProcessor:WARN
#   DeployedApplication:INFO
#   DeployedServerClass:WARN
#   DeploymentClient:WARN
#   DeploymentClientAdminHandler:WARN
#   DeploymentMetrics:INFO
#   ...

# File lib/splunk-sdk-ruby/service.rb, line 269
def loggers
  Collection.new(self, PATH_LOGGER)
end

messages()

Returns a collection of the global messages on Splunk.

Messages include such things as warnings and notices that Splunk needs to restart.

Returns: A Collection of Message objects (which are subclasses of Entity).

# File lib/splunk-sdk-ruby/service.rb, line 282
def messages, PATH_MESSAGES, entity_class=Message)

modular_input_kinds()

Returns a read-only collection of modular input kinds.

The modular input kinds are custom input kinds on this Splunk instance. To access the actual inputs of these kinds, use the Service#inputs method. This method gives access to the metadata describing the input kinds.

Returns: A ReadOnlyCollection of ModularInputKind objects representing all the custom input types added to this Splunk instance.

# File lib/splunk-sdk-ruby/service.rb, line 297
def modular_input_kinds
  if self.splunk_version[0] < 5
    raise"Modular input kinds are " +
                                   "not supported before Splunk 5.0")

roles()

Returns a collection of the roles on the system.

Returns: A Collection of Entity objects representing the roles on this Splunk instance.

# File lib/splunk-sdk-ruby/service.rb, line 313
def roles, PATH_ROLES)
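
An added example, not part of the SDK or its documentation: one way to combine capabilities() and roles() to report which roles hold capabilities on a watchlist. It assumes each role Entity exposes "capabilities" and "imported_capabilities" Arrays through []; audit_roles, SENSITIVE, and the Fake* stand-ins (constructed sample data) are hypothetical names.

```ruby
# Added example (not SDK code): report roles that hold watched capabilities.
# Assumption: a role Entity exposes "capabilities" and "imported_capabilities"
# as Arrays of Strings via Entity#[].
SENSITIVE = %w[admin_all_objects change_authentication delete_by_keyword].freeze

# service: anything with #capabilities (Array of Strings) and #roles (an
# enumerable of objects answering #name and #[]), such as a connected
# Splunk::Service.
def audit_roles(service, watchlist = SENSITIVE)
  known = service.capabilities
  # A watchlist entry the server does not list is a typo or a version
  # mismatch; report it instead of silently matching nothing.
  unknown = watchlist - known
  findings = {}
  service.roles.each do |role|
    held = Array(role["capabilities"]) + Array(role["imported_capabilities"])
    hits = (held & watchlist).sort
    findings[role.name] = hits unless hits.empty?
  end
  { :findings => findings, :unknown_watchlist => unknown }
end

# Constructed stand-ins so the example runs without a Splunk server.
FakeRole = Struct.new(:name, :content) do
  def [](key)
    content[key]
  end
end
FakeService = Struct.new(:capabilities, :roles)

SAMPLE = FakeService.new(
  %w[admin_all_objects change_authentication change_own_password
     delete_by_keyword search],
  [
    FakeRole.new("admin", { "capabilities" =>
                            %w[admin_all_objects change_authentication] }),
    FakeRole.new("can_delete", { "capabilities" => %w[delete_by_keyword] }),
    FakeRole.new("power", { "capabilities" => %w[search],
                            "imported_capabilities" => %w[change_own_password] }),
    FakeRole.new("ops", { "capabilities" => [],
                          "imported_capabilities" => %w[admin_all_objects] })
  ]
)

if __FILE__ == $PROGRAM_NAME
  report = audit_roles(SAMPLE, SENSITIVE + ["admin_all_object"]) # typo on purpose
  report[:findings].each { |role, caps| puts "#{role}: #{caps.join(', ')}" }
  puts "not on server: #{report[:unknown_watchlist].join(', ')}"
end
```

Against a live instance, pass the object returned by Splunk::connect in place of SAMPLE.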

saved_searches()

# File lib/splunk-sdk-ruby/service.rb, line 321
def saved_searches
  Collection.new(self, PATH_SAVED_SEARCHES, entity_class=SavedSearch)
end

settings()

Returns an Entity of Splunk's mutable runtime information.

The settings method includes values such as “SPLUNK_DB” and “SPLUNK_HOME”. Unlike the values returned by the info method, these settings can be updated.

Returns: an Entity with all server settings.


service = Splunk::connect(:username => 'admin', :password => 'foo')
# Prints:
#    {"SPLUNK_DB" => "/path/to/splunk_home/var/lib/splunk",
#     "SPLUNK_HOME" => "/path/to/splunk_home",
#     ...}

# File lib/splunk-sdk-ruby/service.rb, line 342
def settings
  # Though settings looks like a collection on the server, it always has
  # a single entity, of the same name, giving the actual settings. We access
  # that entity directly rather than putting a collection in between.
  Entity.new(self, Splunk::namespace(:sharing => "default"),
             PATH_SETTINGS, "settings").refresh()
end

splunk_version()

Returns the version of Splunk this Service is connected to.

The version is represented as an Array of length 3, with each of its components an integer. For example, on Splunk 4.3.5, splunk_version would return [4, 3, 5], while on Splunk 5.0.2, splunk_version would return [5, 0, 2].

Returns: An Array of Integers of length 3.

# File lib/splunk-sdk-ruby/service.rb, line 360
def splunk_version
  info["version"].split(".").map() {|v| Integer(v)}
end

users()

Returns a Collection of the users defined on Splunk.

# File lib/splunk-sdk-ruby/service.rb, line 367
def users, PATH_USERS)