Splunk® Enterprise

REST API Reference Manual

Splunk version 4.x reached its End of Life on October 1, 2013.
This documentation does not apply to the most recent version of Splunk.

Outputs

Use the Outputs endpoints to manage the configuration of data sent from Splunk forwarders.


data/outputs/tcp/default

Provides access to global TCP out properties.

GET data/outputs/tcp/default

Returns the current tcpout properties.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field.
search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries.
auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically.
alpha: Collate alphabetically.
alpha_case: Collate alphabetically, case-sensitive.
num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view outputs.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
autoLB Specifies whether Auto Load balance method is used.
defaultGroup Target group names. The forwarder sends all data to the specified groups.

Starting with 4.2, this attribute is no longer required.

disabled Indicates if tcpout settings are disabled.
forwardedindex.0.whitelist Specifies 0th whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.1.blacklist Specifies 1st blacklist filter.

forwardedindex.<n>.blacklist specifies the indexes for which events are not forwarded.
forwardedindex.2.whitelist Specifies 2nd whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.filter.disable Specifies whether filtering of forwarded data based on index is disabled.
indexAndForward Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Sets the maximum size of the forwarder's output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

See the parameter description for the POST operation for more information.

Example

Retrieves the default TCP output settings.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/default


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-default</title>
  <id>https://localhost:8089/services/data/outputs/tcp/default</id>
  <updated>2011-07-10T22:38:23-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>tcpout</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/default/tcpout</id>
    <updated>2011-07-10T22:38:23-07:00</updated>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="list"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="autoLB">1</s:key>
        <s:key name="defaultGroup">spacecake_9998</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="forwardedindex.0.whitelist">.*</s:key>
        <s:key name="forwardedindex.1.blacklist">_.*</s:key>
        <s:key name="forwardedindex.2.whitelist">_audit</s:key>
        <s:key name="forwardedindex.filter.disable">0</s:key>
        <s:key name="indexAndForward">0</s:key>
        <s:key name="maxQueueSize">500KB</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/outputs/tcp/default

Configures global tcpout properties.

Request

Name Type Required Default Description
name String
Configuration to be edited. The only valid value is "tcpout".
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you don't want to forward data automatically, don't set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group's queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder's output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue's in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder will likely be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

sendCookedData Boolean If true, events are cooked (have been processed by Splunk). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create output.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

This request edits the default forwarding settings, just as a POST to data/outputs/tcp/default/{name} does. Note that this action does not create a new entry, and that "tcpout" is the only valid name to specify here.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/default/tcpout \
	-d 'defaultGroup=west_coast_indexers'


See response for POST data/outputs/tcp/default/{name}.

data/outputs/tcp/default/{name}

DELETE data/outputs/tcp/default/{name}

Disable the default forwarding settings.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to disable forwarding settings.
404 Forwarding settings do not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Disables the default forwarding settings stanza. Note that "tcpout" is the only valid name here.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/services/data/outputs/tcp/default/tcpout


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>tcpout-default</title>
  <id>https://localhost:8085/services/data/outputs/tcp/default</id>
  <updated>2011-07-19T20:09:02-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


GET data/outputs/tcp/default/{name}

Retrieve the named configuration. The only valid name here is "tcpout".

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view forwarding settings.
404 Forwarding settings do not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Retrieves the default forwarding settings. This is identical to retrieving data/outputs/tcp/default. Note that "tcpout" is the only valid name to retrieve at this endpoint.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/default/tcpout


See response for data/outputs/tcp/default.

POST data/outputs/tcp/default/{name}

Configure global forwarding properties.

Request

Name Type Required Default Description
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you don't want to forward data automatically, don't set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group's queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder's output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue's in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder will likely be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

sendCookedData Boolean If true, events are cooked (have been processed by Splunk). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit forwarding settings.
404 Forwarding settings do not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Raises heartbeatFrequency from its default of 30 seconds to 60 seconds. Note that "tcpout" is the only valid name to edit at this endpoint.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/default/tcpout \
	-d heartbeatFrequency=60


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-default</title>
  <id>https://localhost:8089/services/data/outputs/tcp/default</id>
  <updated>2011-07-10T22:43:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


data/outputs/tcp/group

Provides access to the configuration of a group of one or more data forwarding destinations.

GET data/outputs/tcp/group

Returns configuration information about target groups.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field.
search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries.
auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically.
alpha: Collate alphabetically.
alpha_case: Collate alphabetically, case-sensitive.
num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view group.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates if tcpout is disabled for this group.
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.

Example

Display the list of output groups configured to send data via Splunk's cooked format.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/group


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-group</title>
  <id>https://localhost:8089/services/data/outputs/tcp/group</id>
  <updated>2011-07-10T22:21:07-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>spacecake_9998</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998</id>
    <updated>2011-07-10T22:21:07-07:00</updated>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="list"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="method">autobalance</s:key>
        <s:key name="servers">
          <s:list>
            <s:item>spacecake:9998</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/outputs/tcp/group

Configures a group of one or more data forwarding destinations.

Request

Name Type Required Default Description
name String
The name of the group of receivers.
servers String
Comma-separated list of servers to include in the group.
autoLB Boolean true If set to true, forwarder performs automatic load balancing. In automatic mode, the forwarder selects a new indexer every autoLBFrequency seconds. If the connection to the current indexer is lost, the forwarder selects a new live indexer to forward data to.

Do not alter the default setting, unless you have some overriding need to use round-robin load balancing. Round-robin load balancing (autoLB=false) was previously the default load balancing method. Starting with release 4.2, however, round-robin load balancing has been deprecated, and the default has been changed to automatic load balancing (autoLB=true).

compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group's queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number 500KB Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder's output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue's in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder will likely be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

sendCookedData Boolean true If true, send cooked events (events that have been processed by Splunk).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.
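
The two forms of maxQueueSize described in the request tables above (a lone integer versus an integer with a KB, MB or GB suffix) can be worked through as follows. This is an added example, not Splunk code: the function name queue_limits, its use_ack and parsed_data arguments, and the 1 KB = 1024 bytes conversion are assumptions made for the illustration.

```python
import re

# The page says a block is "approximately 64KB"; exact byte values are an
# assumption (1 KB = 1024 bytes) used only for sizing estimates.
BLOCK_BYTES = 64 * 1024
UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_PATTERN = re.compile(r"(\d+)(KB|MB|GB)?")


def queue_limits(max_queue_size, use_ack=False, parsed_data=False):
    """Interpret a maxQueueSize value as the parameter description reads.

    Returns a dict with the output queue limit, the wait queue limit
    (3x the output queue, only when indexer acknowledgment is enabled),
    the unit of those limits, and an approximate RAM ceiling in bytes
    (None when the unit is events, whose size is not fixed).
    """
    match = _PATTERN.fullmatch(max_queue_size.strip())
    if match is None:
        raise ValueError(
            "expected integer or integer[KB|MB|GB]: %r" % max_queue_size)
    number, suffix = int(match.group(1)), match.group(2)

    if suffix:
        # Suffix form, e.g. 500KB: RAM allocated to the queue buffer.
        unit, per_item = "bytes", 1
        output_queue = number * UNIT_BYTES[suffix]
    elif parsed_data:
        # Lone integer on a heavy forwarder: maximum number of events.
        unit, per_item = "events", None
        output_queue = number
    else:
        # Lone integer on a non-parsing forwarder: number of ~64KB blocks.
        unit, per_item = "blocks", BLOCK_BYTES
        output_queue = number

    # The wait queue exists only with useACK=true and is a separate queue.
    wait_queue = 3 * output_queue if use_ack else 0
    approx = None if per_item is None else (output_queue + wait_queue) * per_item
    return {"unit": unit, "output_queue": output_queue,
            "wait_queue": wait_queue, "approx_ram_bytes": approx}


if __name__ == "__main__":
    for value, ack, parsed in [("500KB", True, False), ("100", False, False),
                               ("100", True, True), ("100MB", False, False)]:
        print(value, ack, parsed, queue_limits(value, ack, parsed))
```
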

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create group.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates an auto-load balanced forwarding configuration consisting of two Splunk receivers.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/group \
	-d name=lan_receivers \
	-d method=autobalance \
	-d servers=10.3.3.3:9997,10.4.4.4:9997


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-group</title>
  <id>https://localhost:8089/services/data/outputs/tcp/group</id>
  <updated>2011-07-10T22:21:23-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/outputs/tcp/group/{name}

DELETE data/outputs/tcp/group/{name}

Deletes the target group specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete group.
404 Group does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Removes the lan_receivers forwarding configuration.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/services/data/outputs/tcp/group/lan_receivers


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-group</title>
  <id>https://localhost:8089/services/data/outputs/tcp/group</id>
  <updated>2011-07-10T22:32:47-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/outputs/tcp/group/{name}

Returns configuration information about the target group specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view group.
404 Group does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
autoLB Indicates if the forwarder performs automatic load balancing.

See the description for the autoLB parameter in POST data/outputs/tcp/group for details.

disabled Indicates if tcpout is disabled for this group.
eai:attributes See Accessing Splunk resources
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.

Example

Displays the configuration of the newly created lan_receivers target group.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/group/lan_receivers


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-group</title>
  <id>https://localhost:8089/services/data/outputs/tcp/group</id>
  <updated>2011-07-10T22:23:10-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lan_receivers</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers</id>
    <updated>2011-07-10T22:23:10-07:00</updated>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="list"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="autoLB">1</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>autoLB</s:item>
                <s:item>blockOnQueueFull</s:item>
                <s:item>compressed</s:item>
                <s:item>disabled</s:item>
                <s:item>dropEventsOnQueueFull</s:item>
                <s:item>heartbeatFrequency</s:item>
                <s:item>maxPersistentQueueSizeInMegs</s:item>
                <s:item>maxQueueSize</s:item>
                <s:item>method</s:item>
                <s:item>persistentQueuePath</s:item>
                <s:item>sendCookedData</s:item>
                <s:item>usePersistentQueue</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>servers</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="method">autobalance</s:key>
        <s:key name="servers">
          <s:list>
            <s:item>10.3.3.3:9997</s:item>
            <s:item>10.4.4.4:9997</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
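
The feed format shown in the responses above can be parsed and checked against the forwarding destinations an administrator expects, which is how an unexpected change to a forwarder's outputs gets noticed. This is an added example, not part of the Splunk documentation: the names parse_groups, audit_groups, approved_servers and expected_groups are hypothetical, and the sample feed (including the extra_copy group and its 203.0.113.50 destination) is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample in the shape of the response above. The "extra_copy"
# group and its 203.0.113.50 destination are invented for the demonstration.
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-group</title>
  <entry>
    <title>lan_receivers</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="autoLB">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="requiredFields">
              <s:list><s:item>servers</s:item></s:list>
            </s:key>
            <s:key name="wildcardFields"><s:list/></s:key>
          </s:dict>
        </s:key>
        <s:key name="method">autobalance</s:key>
        <s:key name="servers">
          <s:list>
            <s:item>10.3.3.3:9997</s:item>
            <s:item>10.4.4.4:9997</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>extra_copy</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="method">autobalance</s:key>
        <s:key name="servers">
          <s:list><s:item>203.0.113.50:9997</s:item></s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _value(node):
    """Turn an <s:key> or <s:item> node into a str, list or dict."""
    child = node.find("s:dict", NS)
    if child is not None:
        return _dict(child)
    child = node.find("s:list", NS)
    if child is not None:          # an empty <s:list/> yields []
        return [_value(item) for item in child.findall("s:item", NS)]
    return (node.text or "").strip()


def _dict(dict_node):
    return {key.get("name"): _value(key)
            for key in dict_node.findall("s:key", NS)}


def parse_groups(feed_xml):
    """Map each <entry> title (target group name) to its s:dict content."""
    root = ET.fromstring(feed_xml)
    groups = {}
    for entry in root.findall("atom:entry", NS):
        name = entry.findtext("atom:title", default="", namespaces=NS)
        content = entry.find("atom:content/s:dict", NS)
        groups[name] = _dict(content) if content is not None else {}
    return groups


def audit_groups(groups, approved_servers, expected_groups):
    """Return sorted (kind, group, detail) findings for review."""
    findings = []
    for name in expected_groups:
        if name not in groups:
            findings.append(("group_missing", name, ""))
        elif groups[name].get("disabled") in ("1", "true"):
            findings.append(("group_disabled", name, ""))
    for name, cfg in groups.items():
        servers = cfg.get("servers", [])
        if isinstance(servers, str):   # tolerate a comma-separated string
            servers = [s.strip() for s in servers.split(",") if s.strip()]
        for server in servers:
            if server not in approved_servers:
                findings.append(("unapproved_server", name, server))
    return sorted(findings)


if __name__ == "__main__":
    approved = {"10.3.3.3:9997", "10.4.4.4:9997"}
    expected = {"lan_receivers", "west_coast_indexers"}
    for finding in audit_groups(parse_groups(SAMPLE_FEED), approved, expected):
        print(finding)
```

Feed it the body returned by GET data/outputs/tcp/group. The curl examples on this page use -k, which skips certificate verification; for an audit, fetch the body with verification enabled (for example with curl's --cacert option) so the input itself can be trusted.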

POST data/outputs/tcp/group/{name}

Updates the configuration of the target group.

Request

Name Type Required Default Description
servers String
Comma-separated list of servers to include in the group.
autoLB Boolean true If set to true, forwarder performs automatic load balancing. In automatic mode, the forwarder selects a new indexer every autoLBFrequency seconds. If the connection to the current indexer is lost, the forwarder selects a new live indexer to forward data to.

Do not alter the default setting, unless you have some overriding need to use round-robin load balancing. Round-robin load balancing (autoLB=false) was previously the default load balancing method. Starting with release 4.2, however, round-robin load balancing has been deprecated, and the default has been changed to automatic load balancing (autoLB=true).

compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group's queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number 500KB Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder's output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue's in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder will likely be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

sendCookedData Boolean true If true, send cooked events (events that have been processed by Splunk).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit group.
404 Group does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Sets the memory buffer for the new forwarding group to 1 megabyte. Note that the servers must be re-specified in this edit.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/group/lan_receivers \
	-d maxQueueSize=1024KB \
	-d servers=10.3.3.3:9997,10.4.4.4:9997


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-group</title>
  <id>https://localhost:8089/services/data/outputs/tcp/group</id>
  <updated>2011-07-10T22:26:02-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
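The maxQueueSize and dropEventsOnQueueFull rules described above, worked through as an added example (not code from the Splunk documentation or product). The function name `queue_plan` and its arguments are hypothetical, and 1KB is assumed to be 1024 bytes, in line with the example's "1024KB" for 1 megabyte.

```python
import re

# Assumption: binary units (1KB = 1024 bytes).
UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# From the page: "A block of data is approximately 64KB."
BLOCK_BYTES = 64 * 1024
_SIZE_RE = re.compile(r"^(\d+)(KB|MB|GB)?$")


def queue_plan(max_queue_size="500KB", drop_events_on_queue_full=-1,
               use_ack=False, parsed_data=False):
    """Interpret a target group's queue settings as the page describes them.

    max_queue_size: "integer" or "integer[KB|MB|GB]".
    use_ack:        True if indexer acknowledgment (useACK=true) is enabled.
    parsed_data:    True for a heavy forwarder sending parsed data.
    """
    m = _SIZE_RE.match(str(max_queue_size).strip())
    if not m:
        raise ValueError("maxQueueSize must be integer or integer[KB|MB|GB]")
    n, unit = int(m.group(1)), m.group(2)

    if unit:
        # With a unit, the value is the RAM allocated to the queue buffer.
        limit_unit, limit, approx_ram = "bytes", n * UNIT_BYTES[unit], n * UNIT_BYTES[unit]
    elif parsed_data:
        # Lone integer on a parsing forwarder: maximum number of events.
        limit_unit, limit, approx_ram = "events", n, None  # event size varies
    else:
        # Lone integer on a non-parsing forwarder: maximum number of data blocks.
        limit_unit, limit, approx_ram = "blocks", n, n * BLOCK_BYTES

    drop = int(drop_events_on_queue_full)
    # -1 or 0: the queue blocks when full, which stalls every target group.
    on_full = f"drop new events after {drop}s" if drop > 0 else "block"

    return {
        "limit_unit": limit_unit,
        "output_queue": limit,
        # The wait queue exists only with useACK=true and is 3x the output queue.
        "wait_queue": 3 * limit if use_ack else None,
        "approx_output_ram_bytes": approx_ram,
        "on_full": on_full,
    }


if __name__ == "__main__":
    for args in [("500KB", -1, True), ("1024KB", -1, False), ("100", 5, False)]:
        print(args, queue_plan(*args))
```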


data/outputs/tcp/server

Provides access to data forwarding configurations.

GET data/outputs/tcp/server

Lists existing forwarded servers.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view forwarded servers.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
disabled Indicates whether output to the destination server is disabled.
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)

sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.

Example

Retrieves the list of forwarding targets that have been defined.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/server


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-server</title>
  <id>https://localhost:8089/services/data/outputs/tcp/server</id>
  <updated>2011-07-10T21:34:59-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>spacecake:9998</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998</id>
    <updated>2011-07-10T21:34:59-07:00</updated>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="list"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/allconnections" rel="allconnections"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="destHost">spacecake.splunk.com</s:key>
        <s:key name="destIp">10.1.1.73</s:key>
        <s:key name="destPort">9998</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="method">autobalance</s:key>
        <s:key name="sourcePort">8085</s:key>
        <s:key name="status">connect_fail</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/outputs/tcp/server

Creates a new forwarder output.

Request

Name Type Required Default Description
name String
<host>:<port> of the Splunk receiver. <host> can be either an IP address or a server name. <port> is the port that the Splunk receiver is listening on.
backoffAtStartup Number Do not use. Ignored by the Splunk server.
disabled Boolean If true, disables the forwarder.
initialBackoff Number Do not use. Ignored by the Splunk server.
maxBackoff Number Do not use. Ignored by the Splunk server.
maxNumberOfRetriesAtHighestBackoff Number Do not use. Ignored by the Splunk server.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create a forwarded server.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Creates a new data output directing data to port 9997 on the host "tiny".


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/server \
	-d name=tiny:9997


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-server</title>
  <id>https://localhost:8089/services/data/outputs/tcp/server</id>
  <updated>2011-07-10T21:35:13-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

data/outputs/tcp/server/{name}

DELETE data/outputs/tcp/server/{name}

Deletes the configuration for the forwarded server specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete forwarded server configuration.
404 Forwarded server does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the configuration forwarding data to host tiny's port 9997.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/services/data/outputs/tcp/server/tiny:9997


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-server</title>
  <id>https://localhost:8089/services/data/outputs/tcp/server</id>
  <updated>2011-07-10T21:35:41-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/outputs/tcp/server/{name}

Lists information about the forwarded server specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view forwarded server.
404 Forwarded server does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Indicates whether output to the destination server is disabled.
eai:attributes See Accessing Splunk resources
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)

Example

Retrieve configuration details for the output configured to port 9997 on host "tiny".


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/server/tiny:9997


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-server</title>
  <id>https://localhost:8089/services/data/outputs/tcp/server</id>
  <updated>2011-07-10T21:35:24-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>tiny:9997</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997</id>
    <updated>2011-07-10T21:35:24-07:00</updated>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="list"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/allconnections" rel="allconnections"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>backoffAtStartup</s:item>
                <s:item>disabled</s:item>
                <s:item>initialBackoff</s:item>
                <s:item>maxBackoff</s:item>
                <s:item>maxNumberOfRetriesAtHighestBackoff</s:item>
                <s:item>method</s:item>
                <s:item>sslAltNameToCheck</s:item>
                <s:item>sslCertPath</s:item>
                <s:item>sslCipher</s:item>
                <s:item>sslCommonNameToCheck</s:item>
                <s:item>sslPassword</s:item>
                <s:item>sslRootCAPath</s:item>
                <s:item>sslVerifyServerCert</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="method">autobalance</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/outputs/tcp/server/{name}

Configures the forwarded server specified by {name}.

Request

Name Type Required Default Description
backoffAtStartup Number Do not use. Ignored by the Splunk server.
disabled Boolean If true, disables the forwarder.
initialBackoff Number Do not use. Ignored by the Splunk server.
maxBackoff Number Do not use. Ignored by the Splunk server.
maxNumberOfRetriesAtHighestBackoff Number Do not use. Ignored by the Splunk server.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit configuration for forwarded server.
404 Forwarded server does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

For the forwarding configuration pointed to port 9997 on tiny, adjust the reconnect behavior to wait longer before attempting another connection.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/server/tiny:9997 \
	-d initialBackoff=10


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>tcpout-server</title>
  <id>https://localhost:8089/services/data/outputs/tcp/server</id>
  <updated>2011-07-10T21:35:33-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>
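An added example (not part of the Splunk documentation) that reviews a parameter set for POST data/outputs/tcp/server or POST data/outputs/tcp/server/{name} against the rules stated in the two request tables before it is sent. The function names, the placeholder paths and the sample payloads are constructed; the RC4 check is a token-level heuristic, not a full evaluation of an OpenSSL cipher list, and the name check assumes a hostname or IPv4 address.

```python
import re

VALID_METHODS = {"clone", "balance", "autobalance"}
# Parameters the tables mark "Do not use. Ignored by the Splunk server."
IGNORED = ("backoffAtStartup", "initialBackoff", "maxBackoff",
           "maxNumberOfRetriesAtHighestBackoff")
NAME_RE = re.compile(r"^[^\s:]+:(\d{1,5})$")  # <host>:<port>, no IPv6 literals


def _is_true(value):
    return str(value).strip().lower() in ("1", "true")


def _names_rc4(cipher_string):
    """Heuristic: True if a token adds RC4 suites and no "!RC4" removes them."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    if "!RC4" in tokens:
        return False
    for token in tokens:
        if token[0] in "!-":
            continue  # exclusion tokens add nothing
        if "RC4" in re.split(r"[+-]", token.lstrip("+")):
            return True
    return False


def review_server_params(params, creating=True):
    """Return (parameter, message) findings for a tcp/server request."""
    findings = []
    if creating:
        m = NAME_RE.match(params.get("name", ""))
        if not m or not 0 < int(m.group(1)) < 65536:
            findings.append(("name", "must be <host>:<port>"))
    if "method" in params and params["method"] not in VALID_METHODS:
        findings.append(("method", "valid values: clone | balance | autobalance"))
    for key in IGNORED:
        if key in params:
            findings.append((key, "ignored by the Splunk server"))

    if not params.get("sslCertPath"):
        # The table ties SSL to this parameter: "If specified, connection uses SSL."
        findings.append(("sslCertPath", "not set, so SSL is not requested"))
    else:
        if not _is_true(params.get("sslVerifyServerCert", "false")):
            findings.append(("sslVerifyServerCert",
                             "server certificate is not verified"))
        elif not params.get("sslCommonNameToCheck"):
            findings.append(("sslCommonNameToCheck",
                             "required when sslVerifyServerCert is true"))
        if params.get("sslPassword") == "password":
            findings.append(("sslPassword",
                             "matches the default Splunk CAcert password"))
        if _names_rc4(params.get("sslCipher", "")):
            findings.append(("sslCipher", "cipher list names RC4 suites"))
    return findings


# Constructed payloads; paths and the password are placeholders.
WEAK = {
    "name": "tiny:9997",
    "initialBackoff": "10",
    "sslCertPath": "/path/to/client.pem",
    "sslPassword": "password",
    "sslVerifyServerCert": "true",
    "sslCipher": "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
}
HARDENED = {
    "name": "tiny:9997",
    "method": "autobalance",
    "sslCertPath": "/path/to/client.pem",
    "sslRootCAPath": "/path/to/ca.pem",
    "sslPassword": "constructed-non-default-value",
    "sslVerifyServerCert": "true",
    "sslCommonNameToCheck": "tiny",
    "sslCipher": "HIGH:!aNULL:!eNULL:!RC4",
}

if __name__ == "__main__":
    for label, payload in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, review_server_params(payload))
```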

data/outputs/tcp/server/{name}/allconnections

GET data/outputs/tcp/server/{name}/allconnections

Lists current connections to the forwarded server specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed connections successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to list output connections.
404 Output server does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.

Example

List existing connections to the forwarded server listening at localhost:9997.


curl -k -u admin:pass \
	https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997/allconnections


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>tcpout-server</title>
  <id>https://localhost:8089/services/data/outputs/tcp/server</id>
  <updated>2011-07-15T15:15:12-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
  <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>localhost:9997</title>
    <id>https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997</id>
    <updated>2011-07-15T15:15:12-0700</updated>
    <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="list"/>
    <link href="/services/data/outputs/tcp/server/localhost%3A9997/_reload" rel="_reload"/>
    <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="edit"/>
    <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="destHost">localhost</s:key>
        <s:key name="destIp">127.0.0.1</s:key>
        <s:key name="destPort">9997</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="sourcePort">8089</s:key>
        <s:key name="status">connect_done</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/outputs/tcp/syslog

Provides access to the configuration of a forwarded server configured to provide data in standard syslog format.

GET data/outputs/tcp/syslog

Provides access to syslog data forwarding configurations.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify 0.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view configuration of forwarded servers.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Specifies whether global syslog configuration is disabled.
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values: (tcp | udp).

Example

Retrieves the list of forwarding targets via syslog that have been defined.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/syslog


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>syslog</title>
  <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
  <updated>2011-07-21T22:16:11-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>west_coast_servers</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers</id>
    <updated>2011-07-21T22:16:11-0700</updated>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="list"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="server">syslogservers.splunk.com:514</s:key>
        <s:key name="type">tcp</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/outputs/tcp/syslog

Configures a forwarder to send data in standard syslog format.

Request

Name Type Required Default Description
name String
Name of the forwarder to send data in standard syslog format.
disabled Boolean If true, disables global syslog settings.
priority Number Sets syslog priority value.
server String host:port of the server where syslog data should be sent.
timestampformat String Format of timestamp to add at start of the events to be forwarded.
type String Protocol to use to send syslog data. Valid values: (tcp | udp).

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to configure a forwarded server.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Create a new group for forwarding using syslog.


curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog \
	-d name=east_coast_servers \
	-d server=east.splunk.com:514


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>syslog</title>
  <id>https://localhost:22090/services/data/outputs/tcp/syslog</id>
  <updated>2011-07-21T23:00:26-07:00</updated>
  <generator version="104359"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/outputs/tcp/syslog/{name}

DELETE data/outputs/tcp/syslog/{name}

Deletes the configuration for the forwarder specified by {name} that sends data in syslog format.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete forwarded server configuration.
404 Forwarded server configuration does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the configuration for forwarding data to the syslog group west_coast_servers.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/services/data/outputs/tcp/syslog/west_coast_servers


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>syslog</title>
  <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
  <updated>2011-07-21T22:20:52-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

GET data/outputs/tcp/syslog/{name}

Returns configuration information for the forwarder specified by {name} that sends data in standard syslog format.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view forwarded server configuration.
404 Forwarded server does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
disabled Specifies whether global syslog configuration is disabled.
eai:attributes See Accessing Splunk resources
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values: (tcp | udp).

Example

Retrieve configuration details for the syslog output configured for group west_coast_servers.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/syslog/west_coast_servers


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>syslog</title>
  <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
  <updated>2011-07-21T22:30:33-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>west_coast_servers</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers</id>
    <updated>2011-07-21T22:30:33-0700</updated>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="list"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/west_coast_servers" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="server">syslogservers.splunk.com:514</s:key>
        <s:key name="type">tcp</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
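
The following Python code is an added example, not part of the Splunk documentation. It parses the Atom response shown above into per-group settings and checks each syslog output against an expected destination list, applying the documented udp default when type is absent. The function names, the allow-list and the embedded sample (a trimmed, constructed copy of the response above) are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample: trimmed copy of the GET response shown above.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>syslog</title>
  <entry>
    <title>west_coast_servers</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:attributes"><s:dict>
          <s:key name="optionalFields"><s:list/></s:key>
        </s:dict></s:key>
        <s:key name="server">syslogservers.splunk.com:514</s:key>
        <s:key name="type">tcp</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

def parse_syslog_outputs(feed_xml):
    """Return {group: {key: value}} for the scalar keys of each entry."""
    root = ET.fromstring(feed_xml)
    outputs = {}
    for entry in root.findall("atom:entry", NS):
        name = entry.findtext("atom:title", default="", namespaces=NS)
        top = entry.find("atom:content/s:dict", NS)
        settings = {}
        if top is not None:
            for key in top.findall("s:key", NS):  # direct children only
                if len(key) == 0:  # skip nested dicts such as eai:attributes
                    settings[key.get("name")] = (key.text or "").strip()
        outputs[name] = settings
    return outputs

def audit(outputs, allowed_servers):
    """Flag outputs that forward to an unlisted server or use udp."""
    findings = []
    for name, cfg in outputs.items():
        server = cfg.get("server", "")
        if server not in allowed_servers:
            findings.append((name, "unexpected destination " + server))
        if cfg.get("type", "udp") == "udp":  # udp is the documented default
            findings.append((name, "udp transport"))
    return findings
```
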

POST data/outputs/tcp/syslog/{name}

Updates the configuration of the forwarder specified by {name} that sends data in syslog format.

Request

Name Type Required Default Description
disabled Boolean If true, disables global syslog settings.
priority Number Sets syslog priority value.
server String host:port of the server where syslog data should be sent.
timestampformat String Format of timestamp to add at start of the events to be forwarded.
type String Protocol to use to send syslog data. Valid values: (tcp | udp).

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit forwarded server configuration.
404 Forwarded server does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

For the forwarding group west_coast_servers, change type to udp.


curl -k -u admin:pass https://localhost:8089/services/data/outputs/tcp/syslog/west_coast_servers \
	-d type=udp


<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>syslog</title>
  <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
  <updated>2011-07-21T22:53:23-07:00</updated>
  <generator version="104359"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

