Splunk® Enterprise

REST API Reference Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Applications

Use the Applications endpoints to install applications and application templates into a Splunk instance.


apps/appinstall

Provides for installation of apps from a URL or local file.

POST apps/appinstall

Installs a Splunk app from a local file or from a URL.

Request

Name Type Required Default Description
name String
Specifies the app to install. Can be either a path to the app on a local disk or a URL to an app.

Note: In Splunk 4.3, this endpoint does not support HTTP sessions that require authentication, such as Splunkbase.

update Boolean If true, installs an update to an app, overwriting the existing app folder.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to install app.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
eai:acl See Access control lists for Splunk objects
location Local path to the location of the installed app.
name The name of the app that was installed.
source_location Local path to the source installation file.
status Indicates whether the app was installed.
update Indicates if the installed app was an update. If true, the update overwrites the existing app folder.

Example

This example installs the basketball app from a local file. The file was an app downloaded from splunkbase.


curl -k -u admin:pass https://localhost:8089/services/apps/appinstall/ \
	-d name=/Users/vgenovese/Downloads/basketball.tar



<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" 
  xmlns:s="http://dev.splunk.com/ns/rest" 
  xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://localhost:8089/services/apps/appinstall</id>
  <updated>2011-05-31T14:37:32-07:00</updated>
  <generator version="100492"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/appinstall/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Installed</title>
    <id>https://localhost:8089/services/apps/appinstall/Installed</id>
    <updated>2011-05-31T14:37:32-07:00</updated>
    <link href="/services/apps/appinstall/Installed" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/appinstall/Installed" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
        . . .
        </s:key>
        <s:key name="location">/Applications/splunk4.3/etc/apps/basketball</s:key>
        <s:key name="name">basketball</s:key>
        <s:key name="source_location">/Users/vgenovese/Downloads/basketball.tar</s:key>
        <s:key name="status">installed</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


apps/apptemplates

Provides access to app templates that can be used to create new Splunk apps.

GET apps/apptemplates

Lists app templates that are used to create apps from the Mangager interface in Splunk Web.

An app template is valid as the "template" argument to POST to /services/apps/local. The app templates can be found by enumerating $SPLUNK_HOME/share/splunk/app_templates. Adding a new template takes effect without restarting splunkd or SplunkWeb.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view app templates.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Lists available app templates that can be used to create a new app.


curl -k -u admin:pass https://localhost:8089/services/apps/apptemplates


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title/>
  <id>https://localhost:8089/services/apps/apptemplates</id>
  <updated>2011-07-08T01:19:34-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>barebones</title>
    <id>https://localhost:8089/services/apps/apptemplates/barebones</id>
    <updated>2011-07-08T01:19:34-07:00</updated>
    <link href="/services/apps/apptemplates/barebones" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/apptemplates/barebones" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="lol">wut</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

apps/apptemplates/{name}

GET apps/apptemplates/{name}

Retrieves information about a specific app template.

This call is rarely used, as all the information is provided by the apps/templates endpoint, which does not require an explicit name.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view app template.
404 app template does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
eai:attributes See Accessing Splunk resources

Example

List information about the barebones app template.


curl -k -u admin:pass https://localhost:8089/services/apps/apptemplates/barebones


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title/>
  <id>https://localhost:8089/services/apps/apptemplates</id>
  <updated>2011-07-08T01:19:35-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>barebones</title>
    <id>https://localhost:8089/services/apps/apptemplates/barebones</id>
    <updated>2011-07-08T01:19:35-07:00</updated>
    <link href="/services/apps/apptemplates/barebones" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/apptemplates/barebones" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="lol">wut</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


apps/local

Endpoint for creating new Splunk apps, and subsequently accessing, updating, and deleting local apps.

GET apps/local

Returns information on all locally-installed apps.

Splunkbase can correlate locally-installed apps with the same app on Splunkbase to notify users about app updates.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
refresh Boolean Indicates whether to scan for new apps and reload any objects those new apps contain.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view local apps.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
author The author of the app, plus other optional contact info. For apps deployed on Splunkbase, this is the username for the Splunkbase account.
check_for_updates Boolean value indicating whether to check Splunkbase for updates to the app.
configured Indicates if the application's custom setup has been performed.
description Short explanatory string about the app. In Splunk Web, displayed below the app's title in Launcher.
disabled Boolean value indicating whether the installed app is disabled.
label The name of the app that is shown in Splunk Web and Splunk Launcher.
manageable Deprecated. Indicates that the Splunk Manager can manage the app.
refresh Indicates whether to scan for new apps and reload any objects those new apps contain.
state_change_requires_restart Indicates whether changing an app's state always requires a restart of Splunk.

State changes include enabling or disabling an app.

  • When true, changing an app's state always requires a restart.
  • When false, modifying an app's state may or may not require a restart depending on what the app contains. This setting does not avoid all restart requirements.
version Specifies the version for the app. Each release of an app must change the version number.

Version numbers are a number followed by a sequence of numbers or dots. Pre-release versions can append a space and a single-word suffix like "beta2". Examples:

  • 1.2
  • 11.0.34
  • 2.0 beta
  • 1.3 beta2
  • 1.0 b2
  • 12.4 alpha
  • 11.0.34.234.254
visible Indicates if the app is visible and navigable from Splunk Web.

Visible apps require at least one view that is available from Splunnk Web.

Example

Return all locally installed apps for this Splunk instance.


curl -k -u admin:pass https://localhost:8089/services/apps/local


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>localapps</title>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-07-11T19:14:48-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <link href="/services/apps/local/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>dstestapp</title>
    <id>https://localhost:8089/services/apps/local/dstestapp</id>
    <updated>2011-07-11T19:14:48-07:00</updated>
    <link href="/services/apps/local/dstestapp" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/local/dstestapp" rel="list"/>
    <link href="/services/apps/local/dstestapp/_reload" rel="_reload"/>
    <link href="/services/apps/local/dstestapp" rel="edit"/>
    <link href="/services/apps/local/dstestapp" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Greg Albrecht (gba@splunk.com)</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">0</s:key>
        <s:key name="description">If you see this app then your deployment client is working correctly.</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="label">Deployment Server Test App</s:key>
        <s:key name="manageable">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">69.420</s:key>
        <s:key name="visible">1</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST apps/local

Creates a new application.

Request

Name Type Required Default Description
name String
Depending on the value of the filename parameter, either a literal name to give the app or a path to the file to install.

If filename is false, name indicates the literal name of the application to create. The name you select becomes the name of the folder on disk that contains the app. In this scenario, the app is created from Splunk Web using a template.

If filename is true, name indicates a path to a file on local disk to install as an app. It can point to either an app tarball to install or an untarred directory to install as an app.

It may also be a URL to an app tarball residing on an HTTP server. For example, you can pass the URL to a tarball housed on Splunkbase, though you must use the actual direct download link (and not, for example, the "app homepage"). If you pass a Splunkbase URL, you must also set "auth" or "session" so that splunkd can authenticate against Splunkbase properly.

auth String Splunkbase session token for operations (like app install and app update) that require a login to Splunkbase.

Use this parameter (or alterntively, the session parameter) when installing or updating an app through Splunkbase.

author String For apps you intend to post to Splunkbase, enter the username of your splunk.com account.

For internal-use-only apps, include your full name and/or contact info (for example, email).

configured Boolean Indicates if the application's custom setup has been performed.

Note: This parameter is new with Splunk 4.2.4.

description String Short explanatory string displayed underneath the app's title in Launcher.

Typically, short descriptions of 200 characters are more effective.

explicit_appname String When installing an app from file (filename = 1), overrides the default name for the app.

The default name of the app is the name of the top-level directory for the app. Use explicit_appname to specify a custom name for the app.

filename Boolean If true, indicates that the name parameter is a path to a file to install.

If false, name represents the literal name to give the app. In this scenario, the app is created from Splunk Web using a template.

label String Defines the name of the app shown in the Splunk GUI and Launcher.
  • Recommended length between 5 and 80 characters.
  • Must not include "Splunk For" prefix.

Examples of good labels:

  • IMAP Monitor
  • SQL Server Integration Services
  • FISMA Compliance
manageable Boolean Deprecated. Indicates that the Splunk Manager can manage the app.
session String Splunkbase session token for operations (like app install and app update) that require a login to Splunkbase.

Use this parameter (or alterntively, the auth parameter) when installing or updating an app through Splunkbase.

template Enum Valid values: (barebones | sample_app)

Indicates the app template to use when creating the app.

Specify either of the following:

  • barebones - contains basic framework for an app
  • sample_app - contains example views and searches

You can also specify any valid app template you may have previously added.

update Boolean Indicates if a file-based app installation (using the filename argument) can update an existing app.

If update is not set or is set to false, Splunk only installs an app tarball if the desired app does not exist.

If update is set to true, Splunk installs an app tarball even if the desired app already exists, updating it as necessary.

version String Specifies the version for the app. Each release of an app must change the version number.

Version numbers are a number followed by a sequence of numbers or dots. Pre-release versions can append a space and a single-word suffix like "beta2". Examples:

  • 1.2
  • 11.0.34
  • 2.0 beta
  • 1.3 beta2
  • 1.0 b2
  • 12.4 alpha
  • 11.0.34.234.254
visible Boolean Indicates if the app is visible and navigable from the UI.

Visible apps require at least 1 view that is available from the UI

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create local app.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
author For apps posted to Splunkbase, the username of a splunk.com account.

For internal-use-only apps, name and contact information for the app author.

configured Indicates if the application's custom setup has been performed.
description Short explanatory string displayed underneath the app's title in Launcher.
label Defines the name of the app shown in the Splunk GUI and Launcher.
manageable Deprecated. Indicates that the Splunk Manager can manage the app.
name The name of the app after it is installed.

Note: name as a returned value can differ from the corresponding POST parameter. As a returned value, it always represents the name of the installed app.

visible Indicates if the app is visible and navigable from Splunk Web.

Visible apps require at least 1 view that is available from the Splunk Web.

Example

This example creates a new application, "myApp," based on sample_app template.

The application appears as "My Application" in Splunk Web and is navigable in Splunk Web.


curl -k -u admin:pass https://localhost:8089/services/apps/local \
	-d name=myApp \
	-d label="My Application" \
	-d template=sample_app \
	-d visible=1


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title/>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-07-11T19:15:35-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Created</title>
    <id>https://localhost:8089/services/apps/local/Created</id>
    <updated>2011-07-11T19:15:35-07:00</updated>
    <link href="/services/apps/local/Created" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/local/Created" rel="list"/>
    <link href="/services/apps/local/Created" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="name">myApp</s:key>
        <s:key name="template">sample_app</s:key>
        <s:key name="url">http://mrt:8001/app/myApp</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

apps/local/{name}

DELETE apps/local/{name}

Removes the locally installed app with the name specified by {name}.

After deleting an app, there might also be some manual cleanup. See "Uninstall an app" in the "Meet Splunk apps" section of the Splunk Admin manual.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete local app.
404 Local app does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

This example removes the locally installed app, myApp.

After deleting the app, you can use the GET operation for /apps/local to confirm that the app is no longer installed.


curl -k -u admin:pass --request DELETE https://localhost:8089/services/apps/local/myApp


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>localapps</title>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-07-11T19:16:36-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <link href="/services/apps/local/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET apps/local/{name}

Returns information about the locally installed app with the name specified by {name}.

Request

Name Type Required Default Description
refresh Boolean Indicates whether to reload the objects contained in the locally installed app with the name specified by {name}.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view local app.
404 Local app does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
author The author of the app, plus other optional contact info. For apps deployed on Splunkbase, this is the username for the Splunkbase account.
check_for_updates Boolean value indicating whether to check Splunkbase for updates to the app.
configured Indicates if the application's custom setup has been performed.
description Short explanatory string about the app. In Splunk Web, displayed below the app's title in Launcher.
disabled Indicates if the app is disabled.
eai:attributes See Accessing Splunk resources
label The name of the app that is shown in Splunk Web and Splunk Launcher.
manageable Deprecated. Indicates that the Splunk Manager can manage the app.
refresh Indicates whether to reload the objects contained in the locally installed app with the name specified by {name}.
state_change_requires_restart Indicates whether changing an app's state always requires a restart of Splunk. State changes include enabling or disabling an app.
  • When true, changing an app's state always requires a restart.
  • When false, modifying an app's state may or may not require a restart depending on what the app contains. This setting does not avoid all restart requirements.
version Specifies the version for the app. Each release of an app must change the version number.

Version numbers are a number followed by a sequence of numbers or dots. Pre-release versions can append a space and a single-word suffix like "beta2". Examples:

  • 1.2
  • 11.0.34
  • 2.0 beta
  • 1.3 beta2
  • 1.0 b2
  • 12.4 alpha
  • 11.0.34.234.254
visible Indicates if the app is visible and navigable from Splunk Web.

Visible apps require at least one view that is available from Splunnk Web.

Example

Returns information about the locally installed Splunk search app.


curl -k -u admin:pass https://localhost:8089/services/apps/local/search


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>localapps</title>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-07-11T19:15:49-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <link href="/services/apps/local/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>search</title>
    <id>https://localhost:8089/services/apps/local/search</id>
    <updated>2011-07-11T19:15:49-07:00</updated>
    <link href="/services/apps/local/search" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/local/search" rel="list"/>
    <link href="/services/apps/local/search/_reload" rel="_reload"/>
    <link href="/services/apps/local/search" rel="edit"/>
    <link href="/services/apps/local/search" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="description">
<![CDATA[The Search app is Splunk's default interface for searching and analyzing IT data. It allows you to index data into Splunk, add knowledge, build reports, and create alerts. The Search app can be used across many areas of IT including application management, operations management, security, and compliance.]]>        </s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>author</s:item>
                <s:item>check_for_updates</s:item>
                <s:item>description</s:item>
                <s:item>label</s:item>
                <s:item>manageable</s:item>
                <s:item>version</s:item>
                <s:item>visible</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Search</s:key>
        <s:key name="manageable">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">4.3</s:key>
        <s:key name="visible">1</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST apps/local/{name}

Updates the app specified by {name}.

Request

Name Type Required Default Description
author String For apps you intend to post to Splunkbase, enter the username of your splunk.com account.

For internal-use-only apps, include your full name and/or contact info (for example, email).

check_for_updates Boolean If set to true, Splunk checks Splunkbase for updates to this app.
configured Boolean Indicates if the application's custom setup has been performed.

Note: This parameter is new with Splunk 4.2.4.

description String Short explanatory string displayed underneath the app's title in Launcher.

Typically, short descriptions of 200 characters are more effective.

label String Defines the name of the app shown in the Splunk GUI and Launcher.
  • Recommended length between 5 and 80 characters.
  • Must not include "Splunk For" prefix.

Examples of good labels:

  • IMAP Monitor
  • SQL Server Integration Services
  • FISMA Compliance
manageable Boolean Deprecated. Indicates that the Splunk Manager can manage the app.
version String Specifies the version for the app. Each release of an app must change the version number.

Version numbers are a number followed by a sequence of numbers or dots. Pre-release versions can append a space and a single-word suffix like "beta2". Examples:

  • 1.2
  • 11.0.34
  • 2.0 beta
  • 1.3 beta2
  • 1.0 b2
  • 12.4 alpha
  • 11.0.34.234.254
visible Boolean Indicates if the app is visible and navigable from the UI.

Visible apps require at least 1 view that is available from the UI

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit local app.
404 Local app does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

This example updates the label of the app MyApp. MyApp was created for the example to the POST operation of apps/local.

The application now appears as "My Killer App" in Splunk Web.


curl -k -u admin:pass https://localhost:8089/services/apps/local/myApp \
	-d label="My Killer App"



<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title/>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-07-11T19:16:08-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

apps/local/{name}/package

GET apps/local/{name}/package

Archives the app specified by {name}, placing the archive in the following directory on your Splunk installation:

$SPLUNK_HOME/etc/system/static/app-packages/{name}.spl

The archive can then be downloaded from the management port of your Splunk installation:

https://[Splunk Host]:[Management Port]/static/app-packages/{name}.spl

Request

No parameters for this request.

Response Codes

Status Code Description
200 Package file for the app created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to create package for the app.
404 App specified by {name} does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
name Name of the application. This name becomes the name of the folder on disk that contains the app.
path The local path to an archive of an app.
refresh Indicates whether to reload the objects contained in the locally installed app with the name specified by {name}.
url The URL to use to download an archive of an app.

Example

Create an archive of the unix app that can later be accessed from the Splunk management port.

This operation returns the local directory of the archive plus the URL to use to download it.

curl -k -u admin:pass https://localhost:8089/services/apps/local/unix/package
<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-10-20T09:09:03-07:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>Package</title>
    <id>https://localhost:8089/services/apps/local/Package</id>
    <updated>2011-10-20T09:09:03-07:00</updated>
    <link href="/services/apps/local/Package" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/local/Package/setup" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="name">unix</s:key>
        <s:key name="path">/Applications/splunk/etc/system/static/app-packages/unix.spl</s:key>
        <s:key name="url">https://vgenovese-mbp15.local:8089/static/app-packages/unix.spl</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

apps/local/{name}/setup

GET apps/local/{name}/setup

Returns set up information for the app specified by {name}. In the response to this operation, the actual setup script is listed under the key value, "eai:setup."

Some apps contain setup scripts that must be run before the app is enabled. For example, the Splunk for Unix and Linux app, available from Splunkbase, contains a setup script.

For more information on setup scripts, see Configure a setup screen in the Splunk Developing Views and Apps for Splunk Web manual.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Set up information returned successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to setup app.
404 App does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
eai:attributes See Accessing Splunk resources
eai:setup Listing of the setup script.
refresh Indicates whether to scan for new apps and reload any objects those new apps contain.

Example

Returns information about the setup script for the Splunk for Unix and Linux app.

The actual setup script is listed for the key value, "eai:setup."

curl -k -u admin:pass https://localhost:8089/services/apps/local/unix/setup


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>localapps</title>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-07-13T11:24:35-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>unix</title>
    <id>https://localhost:8089/servicesNS/nobody/unix/apps/local/unix</id>
    <updated>2011-07-13T11:24:35-07:00</updated>
    <link href="/servicesNS/nobody/unix/apps/local/unix" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/unix/apps/local/unix/setup" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/enabled">1</s:key>
        <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/interval">30</s:key>
        <s:key name="/admin/script/.%252Fbin%252Fdf.sh/enabled">1</s:key>
        <s:key name="/admin/script/.%252Fbin%252Fdf.sh/interval">300</s:key>
        <!-- other script nodes elided for brevity. -->
        <s:key name="/admin/script/.%252Fbin%252Fwho.sh/enabled">1</s:key>
        <s:key name="/admin/script/.%252Fbin%252Fwho.sh/interval">150</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:setup">
<![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<SetupInfo>
  <block title="Welcome to the Splunk for nix App">
    <text>The Splunk for nix app provides some sample searches and reports to boot-strap your use of Splunk for Unix host management. 
	       To work, it needs certain inputs enabled. These system metrics drive the sample dashboards.
	       Please review and confirm the inputs below before proceeding.</text>
  </block>
  <block title="CPU Stats (sar / mpstat / etc.)" endpoint="admin/script" entity=".%252Fbin%252Fcpu.sh">
    <input field="interval" id="/admin/script/.%252Fbin%252Fcpu.sh/interval">
      <label>Polling Interval (sec)</label>
      <type>text</type>
    </input>
    <input field="enabled" id="/admin/script/.%252Fbin%252Fcpu.sh/enabled">
      <label>Enable</label>
      <type>bool</type>
    </input>
  </block>

 . . .

  <block title="Time Query (date, ntpdate -q)" endpoint="admin/script" entity=".%252Fbin%252Ftime.sh">
    <input field="interval" id="/admin/script/.%252Fbin%252Ftime.sh/interval">
      <label>Polling Interval (sec)</label>
      <type>text</type>
    </input>
    <input field="enabled" id="/admin/script/.%252Fbin%252Ftime.sh/enabled">
      <label>Enable</label>
      <type>bool</type>
    </input>
  </block>
  <block title="Linux Audit Log (/var/log/audit/audit.log | ausearch)" endpoint="admin/script" entity=".%252Fbin%252Frlog.sh">
    <input field="interval" id="/admin/script/.%252Fbin%252Frlog.sh/interval">
      <label>Polling Interval (sec)</label>
      <type>text</type>
    </input>
    <input field="enabled" id="/admin/script/.%252Fbin%252Frlog.sh/enabled">
      <label>Enable</label>
      <type>bool</type>
    </input>
  </block>
  <block title="Warning">
    <text>Submitting this form can take a long time.  Please be patient and wait for it to complete before navigating away from this page.</text>
  </block>
</SetupInfo>
]]>        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

apps/local/{name}/update

GET apps/local/{name}/update

Returns any update information available for the app specified by {name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Update information for the app was returned successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to update app.
404 App does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
refresh Indicates whether to scan for new apps and reload any objects those new apps contain.
update.appurl URL to download the updated version of the app.
update.checksum The checksum to use to verify the download of the app.
update.checksum.type The name of the checksum hash function.
update.homepage URL to the Splunkbase page for the app.
update.implicit_id_required If false, indicates that the app has an explicit app ID in app.conf.

Splunk uses app IDs to help identify apps during updates.

update.name The name of the app to update.
update.size The downlaod size of the update to the app.
update.version The version of the app to update.

Example

Returns update information for the Splunk Deployment Monitior app.


curl -k -u admin:pass https://localhost:8089/services/apps/local/SplunkDeploymentMonitor/update


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>localapps</title>
  <id>https://localhost:8089/services/apps/local</id>
  <updated>2011-07-13T11:27:41-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <link href="/services/apps/local/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>SplunkDeploymentMonitor</title>
    <id>https://localhost:8089/services/apps/local/SplunkDeploymentMonitor</id>
    <updated>2011-07-13T11:27:41-07:00</updated>
    <link href="/services/apps/local/SplunkDeploymentMonitor" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/apps/local/SplunkDeploymentMonitor" rel="list"/>
    <link href="/services/apps/local/SplunkDeploymentMonitor/_reload" rel="_reload"/>
    <link href="/services/apps/local/SplunkDeploymentMonitor" rel="edit"/>
    <link href="/services/apps/local/SplunkDeploymentMonitor" rel="remove"/>
    <link href="/services/apps/local/SplunkDeploymentMonitor/update" rel="update"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="update.appurl">
          https://splunkbase.splunk.com/api/apps:download/Splunk+Deployment+Monitor/4.2.2/SplunkDeploymentMonitor_for_4.2.2.tgz
        </s:key>
        <s:key name="update.checksum">039fc2a1bac2da5c056b7340c98ab168</s:key>
        <s:key name="update.checksum.type">md5</s:key>
        <s:key name="update.homepage">https://splunkbase.splunk.com/apps/Splunk+Deployment+Monitor</s:key>
        <s:key name="update.implicit_id_required">1</s:key>
        <s:key name="update.name">Splunk Deployment Monitor</s:key>
        <s:key name="update.size">31845</s:key>
        <s:key name="update.version">4.2.2</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
PREVIOUS
Access control
  NEXT
Clusters

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters