About the Splunk REST API
Splunk's API is RESTful
Splunk's API is RESTful, which means it uses HTTP requests to interact with resources within Splunk. Both Splunk Web and the Splunk CLI use Splunk’s REST API to communicate with a Splunk instance. You can use the REST API to configure and manage a Splunk instance, create and run searches in Splunk, or create your own applications that interact with Splunk.
You can use any language or tool that supports HTTP calls to access the Splunk REST API.
Accessing Splunk resources
Splunk resources are identified by URLs that map to endpoints. You can access the resources using a web browser, curl or other command-line tools, or programming language tools.
splunkd is the server for the REST API endpoints. The Splunk REST API Reference categorizes and lists the endpoints available for development.
You can view the endpoints available in a Splunk instance using a web browser pointing to the Splunk management port.
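For example, the following curl command creates a search. The -u option supplies the user name and password for HTTP basic authentication, and -k tells curl to skip TLS certificate verification for this request:
curl -u admin:pass \
  -k https://localhost:8089/services/search/jobs \
  -d "search=search *"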
Note: 8089 is the default Splunk management port. The management port in your Splunk installation may vary. Examples in this reference use the default management port.
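The same request as the curl command above, written in Python with certificate verification left on instead of using the equivalent of -k. This is an added example, not code from the Splunk documentation; the environment variable names SPLUNK_USER and SPLUNK_PASSWORD, the ca_file parameter, and the sample response body are assumptions made for illustration.

```python
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from base64 import b64encode

MGMT_URL = "https://localhost:8089"  # default management port, as used on this page
# Constructed sample of a job-creation response (not captured from a real instance).
SAMPLE_RESPONSE = b"<?xml version='1.0' encoding='UTF-8'?><response><sid>1700000000.1</sid></response>"

def build_search_request(base_url, user, password, query):
    """Build the POST that the curl example sends to /services/search/jobs."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send basic-auth credentials over plain HTTP")
    body = urllib.parse.urlencode({"search": query}).encode()
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + "/services/search/jobs",
                                 data=body, method="POST")
    req.add_header("Authorization", "Basic " + token)
    return req

def tls_context(ca_file=None):
    """Verifying TLS context; ca_file (assumed) is the CA that signed splunkd's certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # already the default; stated so it is not relaxed
    ctx.verify_mode = ssl.CERT_REQUIRED  # the opposite of curl -k
    return ctx

def parse_sid(xml_bytes):
    """Extract the search job id from the response body."""
    sid = ET.fromstring(xml_bytes).findtext("sid")
    if not sid:
        raise ValueError("no <sid> element in response")
    return sid

def create_search(query, ca_file=None):
    """Send the request; needs a reachable splunkd, so it is not called on import."""
    req = build_search_request(MGMT_URL, os.environ["SPLUNK_USER"],
                               os.environ["SPLUNK_PASSWORD"], query)
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=30) as resp:
        return parse_sid(resp.read())
```

Reading the credentials from the environment keeps the password out of the process list and shell history, where the curl form with -u admin:pass leaves it.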
API differences between Splunk 4.2 and Splunk 4.3
This version of the Splunk REST API Reference contains endpoints available for Splunk 4.3. With few exceptions, endpoints available in Splunk 4.3 are also available in Splunk 4.2.
Several endpoints available for Splunk 4.2 have been implemented differently for Splunk 4.3.
Endpoints available in Splunk 4.2 implemented differently in Splunk 4.3
/directory (Splunk 4.3)
/admin/directory (Splunk 4.2)
Provides access to user configurable objects.
storage/passwords (Splunk 4.3)
admin/passwords (Splunk 4.2)
Allows for management of secure credentials.
Endpoints available only in Splunk 4.3
Preview events from a source file before you index the file.
Return the props.conf settings for a data preview job.
Parameters to endpoints available only in Splunk 4.3
tz: configure the timezone for a user.
configured: Determine if setup has been run for an application.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7