Splunk® Enterprise

REST API Reference Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Splunk's Atom Feed response to REST operations

Splunk responses to REST API operations are returned in the Atom Syndication Format, also known as an Atom Feed.

Note: New to Atom? For an introduction go to AtomEnabled.org.

Each Splunk response includes the following containers:

  • <feed> top-level element containing metadata plus one or more entries.
  • <entry> contains metadata, plus the content element.
  • <content> provides key/value pairs returned by the Splunk operation.

The Feed, Entry, and Content sections below describe the meanings of elements within those containers.

Feed element

<feed>
  <title>. . .</title>
  <id>. . .</id>
  <updated>. . .</updated>
  <generator />
  <author>. . .</author>
  <link>. . .</link>
  <opensearch:totalResults>...</opensearch:totalResults>
  <opensearch:itemsPerPage>...</opensearch:itemsPerPage>
  <opensearch:startIndex>...</opensearch:startIndex>
  <s:messages>. . .</s:messages>
  <entry>...</entry>
  <entry>...</entry>
   . . .
</feed>


Name: Description
title: Human readable name of the endpoint, typically derived from the last node of the endpoint.
id: Splunk management URL for accessing the endpoint.
updated: Date this endpoint was implemented in Splunk.
generator: Lists the version of the Atom Feed generator.
author: Splunk is the author for all responses.
link: URI for the endpoint, relative to the management port of a Splunk instance.
opensearch: For GET operations, these elements list the pagination attributes of a response:
  • totalResults: Total number of entries that can be returned for this operation.
  • itemsPerPage: The maximum number of entries returned for this operation. itemsPerPage is the value specified by the count parameter in the GET operation. The actual number of entries returned can be less than the maximum specified by itemsPerPage. The default value of the count parameter is 30.
  • startIndex: Offset of the first entry returned. Use the offset parameter in the GET operation to override the default value of 0. The default value of 0 retrieves the first itemsPerPage results from the full result set.
  See GET parameter list.
messages: Displays any info, warning, or error messages associated with the operation. Not all responses display messages.
entry: A result returned from the operation. See Entry element below.

Entry element

Endpoints that return lists of entry elements typically sort the entries by entry name, as listed in the <title> tag. Certain endpoints override this default ordering. For example, search/jobs lists entries in descending order by dispatch time, as listed in the <published> tag.

This section describes tags commonly found in returned entries. Some endpoints contain tags specific to that endpoint.

  <entry>
    <messages>...</messages>
    <title>. . .</title>
    <id>. . .</id>
    <updated>. . .</updated>
    <link>. . .</link>
    <author>. . .</author>
    <link>. . .</link>
    <link>. . .</link>
    . . .
    <content>. . .</content>
  </entry>


Name: Description
messages: Displays any info, warning, or error messages associated with the entry. Not all entries display messages.
title: Human readable name for the returned entry. The value of title depends on the endpoint accessed.
id: Splunk management URL for accessing the endpoint.
updated: Date the value for this entry was updated in Splunk.
link: URI for the endpoint to this entry, relative to the management port of a Splunk instance.
author: The owner of this resource, as defined in the access control list. The value can be:
  • system
  • nobody
  • specific user
  Refer to Access control lists for Splunk objects in the section Accessing Splunk resources.
link: One or more URIs for the endpoint to this entry, relative to the management port of a Splunk instance. Each URI lists an action available for this endpoint. Possible actions include:
  • list: GET operation
  • edit: POST operation to modify the resource
  • create: POST operation to create the resource
  • remove: DELETE operation
  • disable / enable: disable or enable the resource
  • move: change location of the resource
  • _reload: refresh the resource
content: Container for content returned by the operation for an entry. Typically, Splunk returns content as dictionaries with key/value pairs that list properties of the entry. However, content can be returned as a list of values or as inline plain text.

Content element

Container for content returned by the operation for an entry. Typically, Splunk returns content as dictionaries with key/value pairs that list properties of the entry. However, content can be returned as a list of values or as inline plain text.

The key/value pairs present depend on the endpoint and REST operation. Not all entries have all the elements listed here. Some key/value pairs are unique to particular endpoints.

The following example shows content returned as a dictionary.


  <content>
    <s:dict>
      <s:key name="...">. . .</s:key>
         <s:list>
            <s:item>. . .</s:item>
            . . .
         </s:list>
      <s:key name="...">. . .</s:key>
      . . .
      <s:key name="eai:acl">
         <s:dict>
            <s:key name="app">...</s:key>
            <s:key name="can_write">...</s:key>
             . . .
         </s:dict>
      </s:key>
      <s:key name="eai:attributes">
         <s:dict>
            <s:key name="optionalFields">...</s:key>
            <s:key name="requiredFields">...</s:key>
            <s:key name="wildcardFields">...</s:key>
          </s:dict>
      </s:key>
       . . .                   
    </s:dict>
  </content>


Name: Description
dict: Container for holding related properties.
list: Container for listing values.
key: Element defining a key/value pair.
key name="eai:acl": The access control list for a resource, listing the permissions for accessing the endpoint. See Access control lists for Splunk objects.
key name="eai:attributes": Lists the eai attributes for the resource.
  • optionalFields
  • requiredFields
  • wildcardFields
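
As an added example (not part of Splunk's documentation), the following Python parses a feed of the shape described above into its pagination values, entry metadata and nested content dictionary, and rejects a response whose root element is not <feed>. The namespace URIs, the href and rel attributes on <link>, the <name> child of <author> and every sample value are assumptions or constructed, since the page elides them.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions; the page shows only the s: and opensearch: prefixes.
NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest",
      "o": "http://a9.com/-/spec/opensearch/1.1/"}

# Constructed response to a GET with count=1 (not captured from a real instance).
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>1</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <entry>
    <title>first</title><author><name>nobody</name></author>
    <link href="/services/example/first" rel="list"/>
    <link href="/services/example/first" rel="edit"/>
    <content><s:dict>
      <s:key name="tags"><s:list><s:item>x</s:item><s:item>y</s:item></s:list></s:key>
      <s:key name="eai:acl"><s:dict><s:key name="app">search</s:key>
        <s:key name="can_write">1</s:key></s:dict></s:key>
    </s:dict></content>
  </entry></feed>"""

def value(node):
    """Turn <s:dict>, <s:list> or inline text under node into dict, list or str."""
    if node is None:
        return None
    d, lst = node.find("s:dict", NS), node.find("s:list", NS)
    if d is not None:
        return {k.get("name"): value(k) for k in d.findall("s:key", NS)}
    if lst is not None:
        return [value(i) for i in lst.findall("s:item", NS)]
    return (node.text or "").strip()

def parse_feed(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}feed" % NS["a"]:
        raise ValueError("response is not an Atom <feed>")
    page = {k: int(root.findtext("o:" + k, "0", NS))
            for k in ("totalResults", "itemsPerPage", "startIndex")}
    entries = [{"title": e.findtext("a:title", "", NS),
                "author": e.findtext("a:author/a:name", "", NS),
                "actions": [ln.get("rel") for ln in e.findall("a:link", NS)],
                "content": value(e.find("a:content", NS))}
               for e in root.findall("a:entry", NS)]
    # Fewer than itemsPerPage entries may come back, so advance by what was returned.
    nxt = page["startIndex"] + len(entries)
    page["nextOffset"] = nxt if entries and nxt < page["totalResults"] else None
    return page, entries
```

nextOffset is the value to pass as the offset parameter on the next GET, or None once the last page has been read. ElementTree is used for brevity; a hardened parser such as defusedxml is preferable when the response can come from a host you do not control.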

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

> "Splunk responses to REST API operations are returned in the Atom Syndication Format"
> "Each Splunk response includes the following containers:..."

Is this really true?

In my testing so far responses are not always Atom and they don't always have all of those containers. My results so far: https://gist.github.com/2892bbd5aeaeaf39534c

Jordananimoto
August 14, 2012
