Splunk® Enterprise

REST API Reference Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About the Splunk REST API

Splunk's API is RESTful

Splunk's API is RESTful, which means it uses HTTP requests to interact with resources within Splunk. Both Splunk Web and the Splunk CLI use Splunk’s REST API to communicate with a Splunk instance. You can use the REST API to configure and manage a Splunk instance, create and run searches in Splunk, or create your own applications that interact with Splunk.

You can use any language or tool that supports HTTP calls to access the Splunk REST API.

Note: The Splunk REST API Reference examples use cURL to illustrate REST access to Splunk resources. However, you can use wget, libcurl or any other method to access the REST API.

Accessing Splunk resources

Splunk resources are identified as URLs that map to endpoints. You can access the resources using a web browser, curl or other command line tools, or through program language tools.

splunkd is the server for the REST API endpoints. The Splunk REST API Reference categorizes and lists the endpoints available for development.

You can view the endpoints available in a Splunk instance using a web browser pointing to the Splunk management port.


For example, the following curl command creates a search:

curl -u admin:pass \
     -k https://localhost:8089/services/search/jobs \
     -d "search=search *"

Note: 8089 is the default Splunk management port. The management port in your Splunk installation may vary. Examples in this reference use the default managment port.

API differences between Splunk 4.2 and Splunk 4.3

This version of the Splunk REST API Reference contains endpoints available for Splunk 4.3. With few exceptions, endpoints available in Splunk 4.3 are also available in Splunk 4.2

Several endpoints available for Splunk 4.2 have been implemented differently for Splunk 4.3.

Endpoints available in Splunk 4.2 implemented differently in Splunk 4.3

/directory (Splunk 4.3)
/admin/directory (Splunk 4.2)

Provides access to user configurable objects.

storage/passwords (Splunk 4.3)
admin/passwords (Splunk 4.2)

Allows for management of secure credentials.

Endpoints available only in Splunk 4.3

Preview events from a source file before you index the file.

Return the props.conf settings for a data preview job.

Parameters to endpoints available only in Splunk 4.3

POST tz: configure the timezone for a user.

POST configured: Determine if setup has been run for an application.

GET <arbitrary_key>

GET <arbitrary_key>

POST enableOnlineBucketRepair
POST <code>maxRunningProcessGroupsLowPriority

POST lookup.field.input.*
POST lookup.field.output.*

POST alias.*

POST action.*
POST args.*
POST dispatch.*

POST <arbitrary_key>

GET <arbitrary_key>

POST action.email*

POST action.email*

GET action.email*


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters