Splunk® Intelligence Management (Legacy)


Policy for API usage in Splunk Intelligence Management

The Splunk Intelligence Management REST API lets you submit data and retrieve reports and indicators of compromise (IOCs) from its platform. However, Splunk Intelligence Management has implemented controls for API usage. The purpose of the daily API limit is to protect the Splunk Intelligence Management platform from Denial of Service (DoS) attacks.

If legitimate integrations or scripts require more calls than your daily rate limit allows, and the limit prevents you from achieving what you need to, reach out to your Splunk Intelligence Management account manager. Your account manager validates your need and increases the daily API quota for your company account to a level that lets you achieve required outcomes, while protecting Splunk Intelligence Management.

For organizations that have a company-level API quota, check your API quota in one of the following ways:

  • In the Splunk Intelligence Management web app, on the Navigation bar, select User Settings > Settings.
    Your quota resets every 24 hours at 12 AM UTC.
  • Use the API to check your quota. This API call does not count towards your daily quota.

Calls to the following endpoints are also exempt and do not count towards the daily API quota:

  • Report submission
  • Report update
  • Indicator submission
  • Enclave list
  • Ping

Increasing daily limit

If your quota is insufficient, contact Splunk Intelligence Management Support. For more information on getting help from support, see Get help to use Splunk Intelligence Management.

API submissions do not count against your API quota.

API usage limit for community-plus companies

The following API usage limits apply to community-plus companies:

  • Daily API limit: A maximum of 300 API calls.
  • Subject to all other limits:
    • Per-user, per-minute limit.
    • Per-IP, per-5-minute limit.

API usage limit for individual user

The API usage limit for each individual user is 60 API calls every minute.

API limits are a platform protection measure and cannot be changed.

API usage limits for each IP address

The API usage limit for each IP address is 1000 API calls every 5 minutes.

API limits are a platform protection measure and cannot be changed.

Exceeding API usage limits

When API usage exceeds one of these limits, Splunk Intelligence Management returns a Too Many Requests (429) error code. The response body of the error code contains a field called waitTime, which represents the number of seconds you must wait before making another request.

    {
      "message": "Request limit exceeded for the current time period. Wait 4000 milliseconds before making more requests",
      "waitTime": 4000
    }
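For code that calls the REST API directly, the following added example (not Splunk's code and not part of the Python SDK) throttles locally to the per-user limit of 60 calls per minute and honors `waitTime` on a 429 response. It treats `waitTime` as milliseconds, matching the sample message above; that is an assumption exposed as the `unit` parameter, and the `send` callable, the 5-second fallback and the 300-second cap are hypothetical choices.

```python
import time
from collections import deque

class SlidingWindowLimiter:
    """Client-side guard for the per-user limit (60 calls per 60 s on this page)."""
    def __init__(self, max_calls=60, window=60.0, clock=time.monotonic):
        self.max_calls, self.window, self.clock = max_calls, window, clock
        self.stamps = deque()  # start times of calls inside the current window

    def delay(self):
        """Seconds to wait before the next call is allowed (0.0 if allowed now)."""
        now = self.clock()
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()
        if len(self.stamps) < self.max_calls:
            return 0.0
        return self.window - (now - self.stamps[0])

    def record(self):
        self.stamps.append(self.clock())

def wait_seconds(body, unit="ms", default=5.0, cap=300.0):
    """Turn the 429 body's waitTime into a bounded sleep in seconds."""
    raw = body.get("waitTime") if isinstance(body, dict) else None
    if isinstance(raw, bool) or not isinstance(raw, (int, float)) \
            or not 0 <= raw < float("inf"):
        return default        # missing or malformed value: use the fallback
    seconds = raw / 1000.0 if unit == "ms" else float(raw)
    return min(seconds, cap)  # never stall the integration past the cap

def call_with_limits(send, limiter, sleep=time.sleep, max_retries=3, unit="ms"):
    """send() -> (status, body). Throttle locally, honor 429 waitTime, retry."""
    for _ in range(max_retries + 1):
        pause = limiter.delay()
        if pause > 0:
            sleep(pause)
        limiter.record()
        status, body = send()
        if status != 429:
            return status, body
        sleep(wait_seconds(body, unit))
    raise RuntimeError("still rate limited after retries")

if __name__ == "__main__":
    # Constructed responses: one 429 shaped like the sample body, then success.
    replies = [(429, {"message": "Request limit exceeded", "waitTime": 4000}),
               (200, {})]
    fake_sleep = lambda s: print("would sleep", s, "s")
    print(call_with_limits(lambda: replies.pop(0), SlidingWindowLimiter(),
                           sleep=fake_sleep))
```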

Avoid exceeding API usage limits

The Splunk Intelligence Management Python SDK handles all API limits. Splunk Intelligence Management strongly recommends using it for any custom code you write or run.

Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
