Splunk® Enterprise

REST API Reference Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Knowledge

Use the Knowledge endpoints to define data configurations indexed and searched by Splunk.

data/lookup-table-files/*
data/props/*
data/transforms/*
directory/*
Manage how Splunk handles data through lookups, field extractions, field aliases, sourcetypes, and transforms.


saved/eventtypes/*
Manage saved event types


search/fields/*
search/tags/*
Manage search field configurations and search time tags.


data/lookup-table-files

Provides access to lookup table files.

GET data/lookup-table-files

List lookup table files.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view lookup-table file.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.

Example

Retrieve the list of lookup table files.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T19:26:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T19:26:11-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/lookup-table-files

Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME.

Request

Name Type Required Default Description
eai:data String
Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
name String
The lookup table filename.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create lookup-table file.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.

Example

Create a private lookup table file from a file in the lookup staging area.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files \
	-d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv \
	-d name=lookup.csv


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:26:35-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:26:35-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files/{name}

DELETE data/lookup-table-files/{name}

Delete the named lookup table file.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete lookup table file.
404 Lookup table file does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Delete the lookup table file created earlier.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:43:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/lookup-table-files/{name}

List a single lookup table file.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view lookup table files.
404 Lookup table file does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
eai:appName The app for which the lookup table applies.
eai:attributes See Accessing Splunk resources
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.

Example

Retrieve the newly created lookup table file.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:37:25-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:37:25-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
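
The GET examples above (the list at data/lookup-table-files and the single entry at data/lookup-table-files/{name}) both return an Atom feed whose entry content is an s:dict of s:key elements, with eai:attributes nesting a further s:dict and s:list. The following is an added example, not Splunk's code: a small parser that turns that structure into Python dicts and lists. The sample feed is constructed inline from the response shown on this page and trimmed to the nodes the parser uses; the namespace URIs are the ones declared in those responses.

```python
# Added example (not Splunk's code): parse the Atom feed returned by the
# data/lookup-table-files endpoints into plain Python structures.
import xml.etree.ElementTree as ET

# Namespaces as declared in the responses on this page.
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "s": "http://dev.splunk.com/ns/rest",
}

# Constructed sample: the GET data/lookup-table-files/{name} response from
# this page, trimmed to the parts the parser needs.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields"><s:list/></s:key>
            <s:key name="requiredFields">
              <s:list><s:item>eai:data</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

# Constructed sample: a feed with no entries, as the DELETE example returns.
EMPTY_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <s:messages/>
</feed>"""


def _value(node):
    """Convert an <s:key> or <s:item> node: a nested <s:dict> becomes a dict
    keyed by the name attribute, a nested <s:list> becomes a list, and
    anything else is the stripped text (CDATA included)."""
    nested_dict = node.find("s:dict", NS)
    if nested_dict is not None:
        return {k.get("name"): _value(k) for k in nested_dict.findall("s:key", NS)}
    nested_list = node.find("s:list", NS)
    if nested_list is not None:
        return [_value(i) for i in nested_list.findall("s:item", NS)]
    return (node.text or "").strip()


def parse_feed(xml_text):
    """Return one dict per <entry>: its title, its rel->href links and the
    decoded <content> dictionary. The feed comes from your own Splunk server
    over an authenticated TLS session; for XML from an untrusted source,
    parse with defusedxml instead of the standard library."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("atom:entry", NS):
        content = entry.find("atom:content", NS)
        entries.append({
            "title": entry.findtext("atom:title", default="", namespaces=NS),
            "links": {l.get("rel"): l.get("href") for l in entry.findall("atom:link", NS)},
            "content": _value(content) if content is not None else {},
        })
    return entries


def lookup_files(xml_text):
    """Map each lookup table file name to the path Splunk stores it at (eai:data)."""
    return {e["title"]: e["content"].get("eai:data") for e in parse_feed(xml_text)}


if __name__ == "__main__":
    for name, path in lookup_files(SAMPLE_FEED).items():
        print(f"{name} -> {path}")
```

The rel attribute of each entry link (edit, remove, move) tells a client which operations the server offers on that entry, so checking `links` is a cheaper way to discover what an account may do than trying a request and handling the 403.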

POST data/lookup-table-files/{name}

Modify a lookup table file by replacing it with a file from the upload staging area.

Request

Name Type Required Default Description
eai:data String
Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit lookup table file.
404 Lookup table file does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk user who created the lookup table.

Example

Replace the contents of an existing lookup table file with the contents of a file in the lookup staging area.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv \
	-d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:41:52-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:41:52-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
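
Both POST data/lookup-table-files (create) and POST data/lookup-table-files/{name} (replace) take an eai:data path that must have the lookup staging area as an ancestor. The following is an added example, not Splunk's code, of validating that constraint on the client before sending the request, so that a mistyped or traversal-style path is rejected locally rather than surfacing as a 400 or 409. It assumes the staging directory is /opt/splunk/var/run/splunk/lookup_tmp as used in this page's examples, and it additionally treats the name parameter as a plain filename (no separators, not "." or ".."), which is this example's own, stricter, rule.

```python
# Added example (not Splunk's code): client-side validation of the eai:data
# path for the lookup-table-files POST endpoints.
import posixpath
from urllib.parse import urlencode

# Staging area path as shown in this page's examples (assumed location).
LOOKUP_STAGING_DIR = "/opt/splunk/var/run/splunk/lookup_tmp"


def is_within_staging(path, staging_dir=LOOKUP_STAGING_DIR):
    """True when `path` is absolute and, after lexical normalization of any
    '.' and '..' components, lies strictly inside staging_dir."""
    if not posixpath.isabs(path):
        return False
    resolved = posixpath.normpath(path)
    root = posixpath.normpath(staging_dir)
    # Compare on a component boundary so that a sibling directory whose name
    # merely starts with 'lookup_tmp' (e.g. lookup_tmp_other) is rejected.
    return resolved.startswith(root + "/")


def is_plain_filename(name):
    """The name parameter is a filename, not a path (this example's own rule)."""
    return bool(name) and "/" not in name and "\\" not in name and name not in (".", "..")


def lookup_upload_body(name, staging_path):
    """Build the form body for POST data/lookup-table-files (pass the new
    filename as `name`) or for POST data/lookup-table-files/{name} (pass
    name=None, since the name is in the URL). Raises ValueError instead of
    sending a request the server would reject."""
    if not is_within_staging(staging_path):
        raise ValueError(f"{staging_path!r} is not inside {LOOKUP_STAGING_DIR}")
    fields = {"eai:data": staging_path}
    if name is not None:
        if not is_plain_filename(name):
            raise ValueError(f"{name!r} is not a plain filename")
        fields["name"] = name
    return urlencode(fields)


if __name__ == "__main__":
    # The create example from this page, as a form body.
    print(lookup_upload_body("lookup.csv",
                             "/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv"))
```

The normalization is lexical, which is enough for a client-side precheck; the server still applies its own rule, and a symlink inside the staging area is a server-side concern that this check cannot see.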


data/props/calcfields

Provides access to calculated fields, which are eval expressions in props.conf. See Define calculated fields in the Splunk Knowledge Manager manual for more information.

GET data/props/calcfields

Returns information on calculated fields for this instance of Splunk.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the calculated field.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

Example

List the calculated fields for this Splunk instance.

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:01:50-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>&lt;access_common&gt; : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:01:50-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza">&lt;access_common&gt;</s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/calcfields

Create an eval expression defining a calculated field in props.conf.

Request

Name Type Required Default Description
name String
The name of the calculated field. Do not specify the "EVAL-" prefix for the field.

When Splunk writes the calculated field to props.conf, it adds the "EVAL-" prefix.

stanza String
The name of the stanza in props.conf for the calculated field.

The name can be any of the following:

  • Sourcetype of an event
  • host::<host>, where <host> is the host for an event
  • source::<source>, where <source> is the source for an event.
Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly.
value String
The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create the calculated field.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

Example

Create the following calculated field in props.conf:

[<access_common>]
EVAL-response_time = response_time/1000

curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields \
	-d name=response_time \
	-d stanza=%3Caccess_common%3E \
	-d value=response_time/1000

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T14:58:45-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>&lt;access_common&gt; : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T14:58:45-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza">&lt;access_common&gt;</s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields/{name}

DELETE data/props/calcfields/{name}

Deletes the named calculated field.

Note: Use URL-encoding to ensure that Splunk interprets the name of the calculated field correctly.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete the calculated field.
404 The calculated field does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes the following calculated field:

<access_common> : EVAL-response_time

Note: Use URL encoding to make sure Splunk interprets the named field correctly.

curl -k -u admin:pass --request DELETE \
	https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:33:06-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

GET data/props/calcfields/{name}

Returns details about the named calculated field.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the calculated field.
404 The calculated field does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

Example

List the details of the following named calculated field:

<access_common> : EVAL-response_time

Note: Use URL encoding to make sure Splunk interprets the named field correctly.


curl -k -u admin:pass \
	https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:05:09-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>&lt;access_common&gt; : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:05:09-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <!-- eai:attributes nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza">&lt;access_common&gt;</s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/calcfields/{name}

Update the named calculated field.

Request

Name Type Required Default Description
value String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit the calculated field.
404 The calculated field does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

Example

Change the value of the existing calculated field from response_time/1000 to response_time/100. The resulting field in props.conf becomes:

[<access_common>]
EVAL-response_time = response_time/100

Note: Use URL encoding to make sure Splunk interprets the named field correctly.

curl -k -u admin:pass \
	https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time \
	-d value=response_time/100

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:14:19-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>&lt;access_common&gt; : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:14:19-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/100</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/props/extractions

Provides access to search-time field extractions in props.conf.

GET data/props/extractions

List field extractions.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view extractions.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field extraction applies.

For example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the list of search-time extractions.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:55:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>access_combined : REPORT-access</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id>
    <updated>2011-07-10T22:55:04-07:00</updated>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">REPORT-access</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">access_combined</s:key>
        <s:key name="type">Uses transform</s:key>
        <s:key name="value">access-extractions</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/extractions

Create a new field extraction.

Request

Name Type Required Default Description
name String
The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix.
stanza String
The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type Enum
Valid values: (REPORT | EXTRACT)

An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza.

value String
If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create extraction.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Create a new search-time extraction that extracts the port value from this FTP server log.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions \
	-d name=port \
	-d stanza=ftp_log \
	-d type=EXTRACT \
	-d "value=port (?<port_number>\d+)"


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:56:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T22:56:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
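The URL-encoding note for the calcfields entry name (`<access_common> : EVAL-response_time`) and the `-d "value=..."` argument above both rest on the same rule, and the responses on this page show what happens when it is skipped: the regular expression was sent as `\d+`, but every returned `value` reads `\d ` because an unencoded `+` in a form body decodes as a space. An extraction altered that way silently stops producing the field, so any search or alert keyed on it goes quiet; compare the returned `value` with what you sent. The following Python is an added example, not code from the Splunk documentation. It uses only the standard library; the host, owner and app path segments are assumptions chosen to match the curl calls in this reference.

```python
"""Encode Splunk REST entry names and form bodies so nothing is lost in transit.

Added example, not part of the Splunk documentation. Host, owner and app are
constructed sample values matching the curl calls in this reference.
"""
from urllib.parse import quote, urlencode, parse_qs

HOST = "https://localhost:8089"  # constructed sample, as in the curl examples


def resource_name(stanza: str, attribute: str) -> str:
    """Percent-encode the entry name '<stanza> : <attribute>' as one path segment.

    props.conf entries are named "stanza : ATTRIBUTE", so the spaces, the colon
    and any angle brackets in the stanza must be encoded before they can appear
    in the URL path.
    """
    return quote(f"{stanza} : {attribute}", safe="")


def entry_url(endpoint: str, stanza: str, attribute: str,
              owner: str = "admin", app: str = "search") -> str:
    """Namespaced URL for one props.conf entry (owner/app are assumptions)."""
    return f"{HOST}/servicesNS/{owner}/{app}/{endpoint}/{resource_name(stanza, attribute)}"


def form_body(params: dict) -> str:
    """application/x-www-form-urlencoded body with every reserved byte escaped.

    A literal '+' inside a regex becomes %2B, so the server decodes it back to '+'.
    """
    return urlencode(params)


def server_view(raw_body: str) -> dict:
    """What a form-decoding server reconstructs from a body sent verbatim.

    curl -d transmits its argument byte for byte with no encoding, so this shows
    what Splunk stored from the unencoded request: '+' is decoded as a space.
    """
    decoded = parse_qs(raw_body, keep_blank_values=True)
    return {k: v[0] for k, v in decoded.items()}


def roundtrips(params: dict) -> bool:
    """True when an encoded body decodes to exactly the parameters sent."""
    return server_view(form_body(params)) == params


if __name__ == "__main__":
    print(entry_url("data/props/calcfields", "<access_common>", "EVAL-response_time"))
    print(entry_url("data/props/extractions", "ftp_log", "EXTRACT-port"))
    regex = r"port (?<port_number>\d+)"
    print(form_body({"value": regex}))          # encoded: '+' survives as %2B
    print(server_view(f"value={regex}")["value"])  # verbatim: '+' has become a space
    print(roundtrips({"value": regex}))
```

In curl the same encoding is obtained with `--data-urlencode "value=port (?<port_number>\d+)"` in place of `-d`; the entry name in the path still has to be encoded by hand, as the examples on this page do.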

data/props/extractions/{name}

DELETE data/props/extractions/{name}

Delete the named field extraction.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete named extraction.
404 Named extraction does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the extraction created earlier.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:42-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/extractions/{name}

List a single field extraction.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view named extraction.
404 Named extraction does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

eai:attributes See Accessing Splunk resources
stanza The props.conf stanza to which this field extraction applies.

For example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the newly created extraction. Note that the entry name is built from the affected stanza, the extraction type, and the extraction name (ftp_log : EXTRACT-port).


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:02:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:02:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/extractions/{name}

Modify the named field extraction.

Request

Name Type Required Default Description
value String
If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit named extraction.
404 Named extraction does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Adjust the regular expression for the recently created extraction.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port \
	-d "value=connection on port (?<port_number>\d+)"


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:05-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:05:05-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/props/fieldaliases

Provides access to field aliases in props.conf.

GET data/props/fieldaliases

List field aliases.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view field aliases.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the list of field aliases.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:31:41-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:31:41-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/fieldaliases

Create a new field alias.

Request

Name Type Required Default Description
name String
The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
stanza String
The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create field alias.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Create a new field alias.

Alias the field "foo" as "bar" for sourcetype "my_sourcetype".


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases \
	-d name=alias_name \
	-d stanza=my_sourcetype \
	-d alias.foo=bar


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:30:17-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:30:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases/{name}

DELETE data/props/fieldaliases/{name}

Delete the named field alias.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete field alias.
404 Field alias does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the recently created field alias.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:37:45-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/fieldaliases/{name}

List a single field alias.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view field alias.
404 Field alias does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

eai:attributes See Accessing Splunk resources
stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Retrieve the newly created field alias.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:33:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:33:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>alias\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
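The eai:attributes dictionary returned by the single-entry GET endpoints (requiredFields `value` for the extraction earlier on this page, wildcardFields `alias\..*` here) tells a client which POST parameters an entry accepts. The following Python is an added example, not code from the Splunk documentation: it parses the `s:dict`/`s:list` content of an Atom response into plain Python values, then checks a prospective POST body against that schema before anything is sent, so a typo such as `aliashi=hello` is caught client-side instead of being silently ignored or rejected with a 400. The embedded feed is a constructed, trimmed copy of the response shown above.

```python
"""Parse a Splunk REST Atom response and check POST arguments against eai:attributes.

Added example, not part of the Splunk documentation. Standard library only;
SAMPLE_FEED is a constructed, trimmed copy of the fieldaliases entry on this page.
"""
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: GET data/props/fieldaliases/{name}, opensearch/acl nodes dropped.
SAMPLE_FEED = r"""<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields"><s:list/></s:key>
            <s:key name="requiredFields"><s:list/></s:key>
            <s:key name="wildcardFields">
              <s:list><s:item>alias\..*</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def _convert(node):
    """Recursively turn an s:dict / s:list / s:key / s:item node into Python values."""
    if node.tag == S + "dict":
        return {k.get("name"): _convert(k) for k in node.findall(S + "key")}
    if node.tag == S + "list":
        return [_convert(i) for i in node.findall(S + "item")]
    children = list(node)          # s:key or s:item: nested container or plain text
    if children:
        return _convert(children[0])
    return (node.text or "").strip()


def parse_entries(feed_xml: str) -> list:
    """Return one dict per <entry>, keyed by the s:key names, plus its title."""
    root = ET.fromstring(feed_xml)
    entries = []
    for entry in root.findall(ATOM + "entry"):
        content = entry.find(ATOM + "content/" + S + "dict")
        record = _convert(content) if content is not None else {}
        record["_title"] = entry.findtext(ATOM + "title", "")
        entries.append(record)
    return entries


def check_post_args(entry: dict, args: dict) -> list:
    """List the problems with posting `args` to this entry.

    eai:attributes names the accepted fields: exact names in requiredFields and
    optionalFields, regular expressions in wildcardFields. Anything else is
    reported as unknown, and any missing required field is reported too.
    """
    schema = entry.get("eai:attributes", {})
    required = set(schema.get("requiredFields", []))
    optional = set(schema.get("optionalFields", []))
    wildcards = [re.compile(p) for p in schema.get("wildcardFields", [])]
    problems = [f"missing required field: {n}" for n in sorted(required - set(args))]
    for name in args:
        if name in required or name in optional:
            continue
        if any(w.fullmatch(name) for w in wildcards):
            continue
        problems.append(f"unknown field: {name}")
    return problems


if __name__ == "__main__":
    alias = parse_entries(SAMPLE_FEED)[0]
    print(alias["_title"], alias["type"], alias["value"])
    print(check_post_args(alias, {"alias.hi": "hello", "alias.bye": "goodbye"}))
    print(check_post_args(alias, {"aliashi": "hello", "value": "x"}))
```

The same `check_post_args` applies to the extraction entry: its schema lists `value` under requiredFields, so an empty body is reported as missing that field before the request is made.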

POST data/props/fieldaliases/{name}

Modify the named field alias.

Request

Name Type Required Default Description
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit field alias.
404 Field alias does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
alias.* The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

Example

Adjust the newly created field alias.

Alias the fields "hi" and "bye" as "hello" and "goodbye", respectively.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name \
	-d alias.hi=hello \
	-d alias.bye=goodbye


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:34:36-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:34:36-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.bye">goodbye</s:key>
        <s:key name="alias.hi">hello</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">bye AS goodbye hi AS hello</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/props/lookups

Provides access to automatic lookups in props.conf.

GET data/props/lookups

List automatic lookups.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view lookups.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The transform stanza with the value for the lookup.

Example

Retrieve the list of automatic lookups.

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:53-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
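Every response on this page is an Atom feed whose entry content is an `<s:dict>` of `<s:key>` nodes, sometimes nested (the eai:attributes dict, its requiredFields list) and sometimes empty (`<s:key name="lookup.field.input.foo"/>`, which carries no text). The following is an added Python example, not code from the Splunk documentation or SDK, that turns such a feed into plain Python data and pulls out the wildcard keys (`alias.*` from the fieldaliases response above, `lookup.field.input.*` / `lookup.field.output.*` from the lookups listing). The two embedded feeds are constructed from the responses shown on this page, trimmed to the nodes the parser needs; `parse_feed` and `prefixed_fields` are names chosen here.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the Splunk REST responses shown on this page.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
DICT_TAG = "{%s}dict" % NS["s"]
LIST_TAG = "{%s}list" % NS["s"]

# Constructed sample: the GET data/props/lookups response from this page,
# trimmed to the nodes the parser needs (raw string keeps the regex backslashes).
SAMPLE_LOOKUP_FEED = r"""<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields"><s:list/></s:key>
            <s:key name="requiredFields">
              <s:list><s:item>overwrite</s:item><s:item>transform</s:item></s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list><s:item>lookup\.field\.input\..*</s:item></s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

# Constructed sample: the POST data/props/fieldaliases/{name} response from
# this page, reduced to the alias keys and the value they produce.
SAMPLE_ALIAS_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.bye">goodbye</s:key>
        <s:key name="alias.hi">hello</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">bye AS goodbye hi AS hello</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def _value(elem):
    """Python value of an <s:key>, <s:item> or <content> element: a nested
    dict/list when it wraps <s:dict>/<s:list>, otherwise its text. An empty
    element such as <s:key name="lookup.field.input.foo"/> becomes ''."""
    children = list(elem)
    if not children:
        return (elem.text or "").strip()
    child = children[0]
    if child.tag == DICT_TAG:
        return {k.get("name"): _value(k) for k in child.findall("s:key", NS)}
    if child.tag == LIST_TAG:
        return [_value(i) for i in child.findall("s:item", NS)]
    raise ValueError("unexpected element %s" % child.tag)


def parse_feed(xml_text):
    """Return [{'title': ..., 'content': {...}}, ...], one per <entry>. A feed
    without entries (the DELETE responses on this page) yields an empty list."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("atom:entry", NS):
        content = entry.find("atom:content", NS)
        entries.append({
            "title": entry.findtext("atom:title", default="", namespaces=NS),
            "content": _value(content) if content is not None else {},
        })
    return entries


def prefixed_fields(content, prefix):
    """Collect an entry's wildcard keys (alias.*, lookup.field.input.*, ...)
    as {suffix: value}."""
    return {k[len(prefix):]: v for k, v in content.items() if k.startswith(prefix)}


if __name__ == "__main__":
    for entry in parse_feed(SAMPLE_LOOKUP_FEED) + parse_feed(SAMPLE_ALIAS_FEED):
        c = entry["content"]
        print(entry["title"], "->", c["value"])
        print("  inputs:", prefixed_fields(c, "lookup.field.input."),
              "aliases:", prefixed_fields(c, "alias."))
```

The parser deliberately keeps empty keys as empty strings rather than dropping them: for `lookup.field.input.*` an empty value is meaningful (the lookup column and the event field share a name), so a client that discards it would misreport the lookup definition.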

POST data/props/lookups

Create a new automatic lookup.

Request

Name Type Required Default Description
name String
The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix.
overwrite Boolean
If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza String
The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform String
The transforms.conf stanza that defines the lookup to apply.
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.

Note: This parameter is new in Splunk 4.3.

lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.

Note: This parameter is new in Splunk 4.3.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create a lookup.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

Example

Create an automatic lookup named "my_lookup" on the sourcetype "my_sourcetype".

Use the lookup definition named "my_transform".

Match on the field "foo", and output the field "fuzz".


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups \
	-d name=my_lookup \
	-d overwrite=1 \
	-d stanza=my_sourcetype \
	-d transform=my_transform \
	-d lookup.field.input.foo= \
	-d lookup.field.output.fuzz=
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:31-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
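The create request above has three parts worth getting right in a client: the form body (fixed parameters plus the `lookup.field.input.*` / `lookup.field.output.*` wildcards), the percent-encoded entity name (`my_sourcetype : LOOKUP-my_lookup` becomes `my_sourcetype%20%3A%20LOOKUP-my_lookup` in every URL on this page) and the `value` string Splunk reports back (`my_transform foo OUTPUT fuzz`), which is what a client should compare against to confirm the definition it got is the one it asked for. This is an added Python example, not Splunk code, that builds all three from the page's parameters. The host and namespace path are the ones the curl examples use; `BASE`, `create_lookup_body`, `expected_lookup_value` and `lookup_matches_request` are names chosen here, and the mapping of `overwrite=0` to `OUTPUTNEW` is an assumption (the page only shows `overwrite=1` producing `OUTPUT`).

```python
from urllib.parse import quote, urlencode

# Host and namespace path used by the curl examples on this page.
BASE = "https://localhost:8089/servicesNS/admin/search"


def lookup_entity_name(stanza, name):
    """Full entity name as the feed <title> shows it: '<stanza> : LOOKUP-<name>'."""
    return "%s : LOOKUP-%s" % (stanza, name)


def lookup_entity_url(stanza, name):
    """URL of the named automatic lookup. quote(..., safe='') percent-encodes
    the space and the colon, giving the %20%3A%20 form used in every
    data/props/lookups/{name} URL on this page."""
    return "%s/data/props/lookups/%s" % (BASE, quote(lookup_entity_name(stanza, name), safe=""))


def create_lookup_body(name, stanza, transform, inputs, outputs, overwrite=True):
    """Form body for POST data/props/lookups. `inputs`/`outputs` map a lookup
    table column to the event field name, '' when both names are the same
    (the page's example sends lookup.field.input.foo= with an empty value)."""
    params = {
        "name": name,
        "overwrite": "1" if overwrite else "0",
        "stanza": stanza,
        "transform": transform,
    }
    for column, field in inputs.items():
        params["lookup.field.input.%s" % column] = field
    for column, field in outputs.items():
        params["lookup.field.output.%s" % column] = field
    return urlencode(params)


def _clause(mapping):
    # props.conf LOOKUP syntax for each column: "<column>" or "<column> AS <event_field>".
    return " ".join(column if not field else "%s AS %s" % (column, field)
                    for column, field in mapping.items())


def expected_lookup_value(transform, inputs, outputs, overwrite=True):
    """The props.conf LOOKUP-<class> string that the response's 'value' key
    reports ('my_transform foo OUTPUT fuzz' on this page). Assumption: the
    page only shows overwrite=1 -> OUTPUT; overwrite=0 is mapped here to
    OUTPUTNEW, the props.conf keyword that writes only fields not already
    present, which is the behaviour the overwrite parameter describes."""
    keyword = "OUTPUT" if overwrite else "OUTPUTNEW"
    parts = [transform, _clause(inputs), keyword, _clause(outputs)]
    return " ".join(p for p in parts if p)


def lookup_matches_request(content, transform, inputs, outputs, overwrite=True):
    """Check the entry Splunk returned against what was requested, so a client
    notices when the definition came back different from what it sent."""
    return (content.get("type") == "LOOKUP"
            and content.get("transform") == transform
            and content.get("value") == expected_lookup_value(transform, inputs, outputs, overwrite))


if __name__ == "__main__":
    print(lookup_entity_url("my_sourcetype", "my_lookup"))
    print(create_lookup_body("my_lookup", "my_sourcetype", "my_transform", {"foo": ""}, {"fuzz": ""}))
    print(expected_lookup_value("my_transform", {"foo": ""}, {"fuzz": ""}))
```

`urlencode` leaves the dots in `lookup.field.input.foo` unencoded and emits `=` with an empty right-hand side, which is exactly the shape of the `-d lookup.field.input.foo=` arguments in the curl example.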

data/props/lookups/{name}

DELETE data/props/lookups/{name}

Delete the named automatic lookup.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete lookup.
404 Lookup does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the recently created automatic lookup.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:32-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/lookups/{name}

List a single automatic lookup.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view lookup.
404 Lookup does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

eai:attributes See Accessing Splunk resources.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The transform stanza with the value for the lookup.

Example

Retrieve the newly created automatic lookup.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:06-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:06-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>overwrite</s:item>
                <s:item>transform</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>lookup\.field\.input\..*</s:item>
                <s:item>lookup\.field\.output\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
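The eai:attributes block in the response above tells a client which parameters the entity accepts: `requiredFields` (`overwrite`, `transform`), `optionalFields` (none here) and `wildcardFields`, given as regular expressions such as `lookup\.field\.input\..*`. A client can check a request body against that contract before sending it, instead of relying on a 400 from the server. The following is an added Python example, not Splunk code; the attribute dict is constructed from the response above (the nested XML would be parsed into this shape first), and `validate_params` is a name chosen here. Note that `name` and `stanza` are creation-time parameters of POST data/props/lookups and are not listed for an existing entity, so this check would flag them on an update.

```python
import re

# Constructed from the eai:attributes that GET data/props/lookups/{name}
# returns for an existing automatic lookup on this page.
LOOKUP_EAI_ATTRIBUTES = {
    "optionalFields": [],
    "requiredFields": ["overwrite", "transform"],
    "wildcardFields": [r"lookup\.field\.input\..*", r"lookup\.field\.output\..*"],
}


def validate_params(params, eai_attributes):
    """Return a list of problems with a request body (empty when acceptable):
    every requiredFields entry must be present, every key must be a required,
    optional or wildcard field, and a wildcard key must name a column (the
    regexes end in '.*', so 'lookup.field.input.' alone would still match)."""
    problems = []
    required = set(eai_attributes.get("requiredFields", []))
    optional = set(eai_attributes.get("optionalFields", []))
    wildcards = [re.compile(p) for p in eai_attributes.get("wildcardFields", [])]

    for field in sorted(required - set(params)):
        problems.append("missing required field: %s" % field)

    for key in params:
        if key in required or key in optional:
            continue
        if any(w.fullmatch(key) for w in wildcards):
            if key.endswith("."):
                problems.append("wildcard field without a column name: %s" % key)
            continue
        problems.append("unexpected field: %s" % key)
    return problems


if __name__ == "__main__":
    # The body of the POST data/props/lookups/{name} example on this page.
    update = {
        "overwrite": "1",
        "transform": "other_transform",
        "lookup.field.input.bar": "",
        "lookup.field.output.buzz": "",
    }
    print(validate_params(update, LOOKUP_EAI_ATTRIBUTES))                       # []
    print(validate_params({"overwrite": "1"}, LOOKUP_EAI_ATTRIBUTES))           # missing transform
    print(validate_params(dict(update, stanza="x"), LOOKUP_EAI_ATTRIBUTES))     # unexpected stanza
```

Because the server returns the wildcard patterns as regular expressions, the check uses `re.fullmatch` rather than a prefix test, so it stays correct if a future entity type publishes a more specific pattern.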

POST data/props/lookups/{name}

Modify the named automatic lookup.

Request

Name Type Required Default Description
overwrite Boolean
If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
transform String
The transforms.conf stanza that defines the lookup to apply.
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.

Note: This parameter is new in Splunk 4.3.

lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.

Note: This parameter is new in Splunk 4.3.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit lookup.
404 Lookup does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

Example

Change the lookup and input/output fields for the recently created automatic lookup.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup \
	-d overwrite=1 \
	-d transform=other_transform \
	-d lookup.field.input.bar= \
	-d lookup.field.output.buzz=


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:21-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:21-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="lookup.field.input.bar"/>
        <s:key name="lookup.field.output.buzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">other_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">other_transform bar OUTPUT buzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/props/sourcetype-rename

Provides access to renamed sourcetypes which are configured in props.conf.

GET data/props/sourcetype-rename

List renamed sourcetypes.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view sourcetype renames.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

Example

Retrieve the list of renamed sourcetypes. The sourcetype "hardware" was renamed to "hw" in the POST operation to this endpoint.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:40:53-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:40:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/sourcetype-rename

Rename a sourcetype.

Request

Name Type Required Default Description
name String
The original sourcetype name.
value String
The new sourcetype name.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create a rename for a sourcetype.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

Example

Rename the sourcetype "hardware" to "hw".


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename \
	-d name=hardware \
	-d value=hw


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:39:57-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:39:57-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename/{name}

DELETE data/props/sourcetype-rename/{name}

Restore a sourcetype's original name.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete the rename for the sourcetype.
404 Rename for the sourcetype does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Restore the sourcetype "hardware" to its original name.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:49:16-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/props/sourcetype-rename/{name}

List a single renamed sourcetype.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view renames for sourcetypes.
404 Rename for sourcetype does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
attribute The configuration key.
eai:attributes See Accessing Splunk resources.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

Example

List the new name for the sourcetype "hardware".

This sourcetype was renamed to "hw" in the POST operation to this endpoint.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:44:47-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:44:47-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/props/sourcetype-rename/{name}

Rename a sourcetype again, i.e. modify a sourcetype's new name.

Request

Name Type Required Default Description
value String The new sourcetype name.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit renames for the sourcetype.
404 Rename for the sourcetype does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

Example

Rename the sourcetype hardware again, this time to hrdwr.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware \
	-d value=hrdwr


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:46:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:46:58-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hrdwr</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/transforms/extractions

Provides access to field transformations, i.e. field extraction definitions.

GET data/transforms/extractions

List field transformations.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view field transformations.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
CAN_OPTIMIZE Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Set WRITE_META to true instead of setting DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Retrieve the list of field transformations.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:28:03-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>access-extractions</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id>
    <updated>2011-07-21T20:28:03-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">
<![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]>        </s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/transforms/extractions

Create a new field transformation.

Request

Name Type Required Default Description
REGEX String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent:

    Using FORMAT:
        REGEX = ([a-z]+)=([a-z]+)
        FORMAT = $1::$2
    Without using FORMAT:
        REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY String _raw Specify the KEY to which Splunk applies REGEX.
name String The name of the field transformation.
CAN_OPTIMIZE Boolean True Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction will ever be needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then:

    "FORMAT = foo$1" yields "foobar"
    "FORMAT = foo$bar" yields "foo$bar"
    "FORMAT = foo$1234" yields "foo$1234"
    "FORMAT = foo$1\\$2" yields "foobar\\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows:

    FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*
    field-name = [<string>|$<extracting-group-number>]
    field-value = [<string>|$<extracting-group-number>]

Search-time extraction examples:

    FORMAT = first::$1 second::$2 third::other-value
    FORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled Boolean Specifies whether the field transformation is disabled.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create field transformation.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
CAN_OPTIMIZE Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Set WRITE_META to true instead of setting DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Create a new field transformation.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions \
	-d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" \
	-d SOURCE_KEY=_raw \
	-d name=my_transform


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:25:20-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:25:20-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions/{name}

DELETE data/transforms/extractions/{name}

Delete the named field transformation.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete named field transformation.
404 Named field transformation does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the newly created field transformation.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:34:30-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/transforms/extractions/{name}

List a single field transformation.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view named field transformation.
404 Named field transformation does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
CAN_OPTIMIZE Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Set WRITE_META to true instead of setting DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:attributes See Accessing Splunk resources
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Retrieve the newly created field transformation.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:29:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:29:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>CAN_OPTIMIZE</s:item>
                <s:item>CLEAN_KEYS</s:item>
                <s:item>FORMAT</s:item>
                <s:item>KEEP_EMPTY_VALS</s:item>
                <s:item>MV_ADD</s:item>
                <s:item>disabled</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>REGEX</s:item>
                <s:item>SOURCE_KEY</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
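The responses from these endpoints are Atom feeds whose <content> element carries an s:dict of settings, with nested s:dict and s:list nodes for eai:attributes. The Python below is an added example, not Splunk's code or SDK, that turns such a feed into plain dictionaries. The function names (parse_feed, flag, required_fields) are this example's own, and the sample feed is a constructed, trimmed copy of the my_transform entry above, with the REGEX wrapped in CDATA the way the access-extractions listing is so that its angle brackets remain well-formed XML.

```python
import xml.etree.ElementTree as ET

# Added example: parser for the Atom + s:dict responses shown on this page.
# Not Splunk's code; the function names are this example's own.

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample, trimmed from the GET data/transforms/extractions/my_transform
# response. The REGEX sits in CDATA (as the access-extractions listing does)
# so its "<" and ">" characters are well-formed XML.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <entry>
    <title>my_transform</title>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="REGEX">
<![CDATA[(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)]]>        </s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>CAN_OPTIMIZE</s:item>
                <s:item>FORMAT</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>REGEX</s:item>
                <s:item>SOURCE_KEY</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _value(node):
    """Body of an s:key or s:item: nested s:dict -> dict, s:list -> list, else text."""
    nested = node.find(SREST + "dict")
    if nested is not None:
        return parse_dict(nested)
    lst = node.find(SREST + "list")
    if lst is not None:
        return [_value(item) for item in lst.findall(SREST + "item")]
    # Scalars arrive as text; an empty element such as <s:key name="DEFAULT_VALUE"/>
    # has no text at all. Surrounding whitespace is pretty-printing, not data.
    return (node.text or "").strip()


def parse_dict(dict_node):
    """Map every s:key under an s:dict to its converted value."""
    return {key.get("name"): _value(key) for key in dict_node.findall(SREST + "key")}


def parse_feed(feed_xml):
    """Return {entry title: settings}; each settings dict also carries the entry's
    rel links under "_links" so a caller can find the edit/remove URLs."""
    root = ET.fromstring(feed_xml)
    entries = {}
    for entry in root.findall(ATOM + "entry"):
        title = entry.findtext(ATOM + "title")
        content = entry.find(ATOM + "content/" + SREST + "dict")
        settings = parse_dict(content) if content is not None else {}
        settings["_links"] = {lnk.get("rel"): lnk.get("href")
                              for lnk in entry.findall(ATOM + "link")}
        entries[title] = settings
    return entries


def flag(settings, name):
    """Splunk returns booleans as 0/1 (or true/false); normalise to bool."""
    return str(settings.get(name, "")).strip().lower() in ("1", "true")


def required_fields(settings):
    """Fields the endpoint requires on a POST, taken from eai:attributes."""
    return settings.get("eai:attributes", {}).get("requiredFields", [])


if __name__ == "__main__":
    for name, settings in parse_feed(SAMPLE_FEED).items():
        print(name, settings["REGEX"], flag(settings, "disabled"), required_fields(settings))
```

Scalars come back exactly as Splunk sends them ("1", "0", "4096"), so flag() is where the 0/1 booleans are normalised; the collected rel links let a caller use the edit or remove URL the server handed out instead of rebuilding it.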

POST data/transforms/extractions/{name}

Modify the named field transformation.

Request

Name Type Required Default Description
REGEX String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent:

    Using FORMAT:
        REGEX = ([a-z]+)=([a-z]+)
        FORMAT = $1::$2
    Without using FORMAT:
        REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY String _raw Specify the KEY to which Splunk applies REGEX.
CAN_OPTIMIZE Boolean True Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction will ever be needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then:

    "FORMAT = foo$1" yields "foobar"
    "FORMAT = foo$bar" yields "foo$bar"
    "FORMAT = foo$1234" yields "foo$1234"
    "FORMAT = foo$1\\$2" yields "foobar\\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows:
    FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*
    field-name = [<string>|$<extracting-group-number>]
    field-value = [<string>|$<extracting-group-number>]

Search-time extraction examples:
    FORMAT = first::$1 second::$2 third::other-value
    FORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled Boolean Specifies whether the field transformation is disabled.
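The REGEX/FORMAT rules above, together with CLEAN_KEYS, KEEP_EMPTY_VALS and MV_ADD, are easier to see in running code. The following is an added example written for this page from the attribute descriptions; it is not Splunk's code, and the function names (`search_time_extract`, `index_time_format`, `clean_key`) are this example's own, not a Splunk API. It models the index-time "$" concatenation rules (an unknown group number stays literal) and the search-time equivalence between `FORMAT = $1::$2` and the `_KEY_1`/`_VAL_1` named groups; it does not model the separate "matching fails" statement. One modelling assumption: at search time the regex is applied to every non-overlapping match in the event.

```python
import re

# Added example (not Splunk's code): a model of how a field transform applies
# REGEX, FORMAT, CLEAN_KEYS, KEEP_EMPTY_VALS and MV_ADD, following the attribute
# descriptions on this page. Function names are this example's own.


def _pcre_names(regex):
    """Splunk (PCRE) writes named groups as (?<name>...); Python's re module
    needs (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", regex)


def clean_key(name):
    """CLEAN_KEYS: non-alphanumeric characters become underscores and leading
    underscores are stripped."""
    return re.sub(r"[^A-Za-z0-9]", "_", name).lstrip("_")


def _expand(template, match, dollar_zero=None):
    """Expand $n references. '$' is special only when followed by a number that
    names an existing capturing group; anything else (a backslash included)
    is copied literally. $0 expands to dollar_zero when one is given."""
    ngroups = len(match.groups())

    def repl(m):
        n = int(m.group(1))
        if n == 0 and dollar_zero is not None:
            return dollar_zero
        if 1 <= n <= ngroups:
            return match.group(n) or ""
        return m.group(0)

    return re.sub(r"\$(\d+)", repl, template)


def index_time_format(regex, text, fmt="", dest_key_value="", stanza="my_transform"):
    """Index-time FORMAT builds one value (possibly concatenated, e.g.
    ipaddress::$1.$2.$3.$4). Returns None when REGEX does not match, which is
    where DEFAULT_VALUE would apply. Default FORMAT is <stanza-name>::$1."""
    match = re.search(_pcre_names(regex), text)
    if match is None:
        return None
    return _expand(fmt or stanza + "::$1", match, dollar_zero=dest_key_value)


def search_time_extract(regex, text, fmt="", clean_keys=True,
                        keep_empty_vals=False, mv_add=False, existing=None):
    """Search-time extraction returning a dict of field -> value (or a list of
    values once MV_ADD has made the field multivalued). Without FORMAT, named
    groups _KEY_n/_VAL_n supply field names and values; other named groups
    are used as-is. Modelling assumption: REGEX is applied to every
    non-overlapping match in the event."""
    fields = dict(existing or {})
    for match in re.finditer(_pcre_names(regex), text):
        pairs = []
        if fmt:
            for token in fmt.split():
                name, _, value = token.partition("::")
                pairs.append((_expand(name, match), _expand(value, match)))
        else:
            groups = match.groupdict()
            for gname, gval in groups.items():
                key_no = re.fullmatch(r"_KEY_(\d+)", gname)
                if key_no:
                    pairs.append((gval, groups.get("_VAL_" + key_no.group(1)) or ""))
                elif not gname.startswith("_VAL_"):
                    pairs.append((gname, gval or ""))
        for name, value in pairs:
            if value == "" and not keep_empty_vals:
                continue  # KEEP_EMPTY_VALS=false drops empty extractions
            if clean_keys:
                name = clean_key(name)
            if name not in fields:
                fields[name] = value
            elif mv_add:
                current = fields[name]
                fields[name] = (current if isinstance(current, list) else [current]) + [value]
            # MV_ADD=false: the newly extracted value is discarded
    return fields


if __name__ == "__main__":
    # The two equivalent stanzas from the page, run on a constructed event.
    print(search_time_extract(r"([a-z]+)=([a-z]+)", "user=alice", fmt="$1::$2"))
    print(search_time_extract(r"(?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)", "user=alice"))
    print(index_time_format(r"(bar)", "bar", fmt="foo$1\\$2"))
```

The CLEAN_KEYS step matters when field names come from the data itself (the `_KEY_n` form): a name such as `x-forwarded-for` becomes `x_forwarded_for`, and a leading underscore is stripped so a data-supplied name cannot masquerade as one of Splunk's internal `_`-prefixed fields.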

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit named field transformation.
404 Named field transformation does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
CAN_OPTIMIZE Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:
    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk user who created the field extraction definitions. For example, the admin user.

Example

Disable key cleaning on the newly created field transformation.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform \
	-d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" \
	-d SOURCE_KEY=_raw \
	-d CLEAN_KEYS=false


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:33:13-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:33:13-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">0</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


data/transforms/lookups

Provides access to lookup definitions in transforms.conf.

GET data/transforms/lookups

List lookup definitions.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view lookups.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
CAN_OPTIMIZE Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk app for which the lookups are defined. For example, the search app.
eai:userName The Splunk user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command.
type Specifies the field extraction type.

Can be either external or file.

Example

Retrieve the list of lookup definitions.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:44-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>dnslookup</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id>
    <updated>2011-08-01T21:10:44-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
        <s:key name="fields_list">clienthost clientip</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
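Because external_cmd is a command line that Splunk executes on the search head, an inventory of which lookups are external, which script they run and who owns them is a useful periodic review. The following is an added example, not Splunk's code or an SDK call: it parses the Atom feed returned by GET data/transforms/lookups with the standard library and lists the external lookups. The feed embedded in it is constructed from the sample response above, trimmed to the keys the example reads; the function names are this example's own.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Added example (not Splunk's code): parse the feed that
# GET data/transforms/lookups returns and pick out the external ("scripted")
# lookups, whose external_cmd is run on the search head.
# SAMPLE_FEED is constructed from the page's sample response (trimmed).

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <entry>
    <title>dnslookup</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
        <s:key name="fields_list">clienthost clientip</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>my_lookup</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""

# Namespaces declared on the feed: Atom (default) and Splunk's s: prefix.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}


def parse_lookup_feed(xml_text):
    """Return one dict per <entry>: the entry title as "name" plus every leaf
    s:key under its content dict (nested dicts such as eai:attributes are skipped)."""
    root = ET.fromstring(xml_text)
    lookups = []
    for entry in root.findall("atom:entry", NS):
        info = {"name": entry.findtext("atom:title", default="", namespaces=NS)}
        for key in entry.findall("atom:content/s:dict/s:key", NS):
            if len(key) == 0:  # leaf value; s:dict / s:list children are skipped
                info[key.get("name")] = (key.text or "").strip()
        lookups.append(info)
    return lookups


def external_lookups(lookups):
    """Keep type=external entries and split external_cmd the way the page says
    Splunk parses it: like a shell command, the first argument being the script."""
    found = []
    for lk in lookups:
        if lk.get("type") != "external":
            continue
        argv = shlex.split(lk.get("external_cmd", ""))
        found.append({
            "name": lk["name"],
            "app": lk.get("eai:appName", ""),
            "owner": lk.get("eai:userName", ""),
            "disabled": lk.get("disabled") == "1",
            "script": argv[0] if argv else "",
            "args": argv[1:],
            # fields_list is comma- and space-delimited
            "fields": [f for f in re.split(r"[,\s]+", lk.get("fields_list", "").strip()) if f],
        })
    return found


if __name__ == "__main__":
    for item in external_lookups(parse_lookup_feed(SAMPLE_FEED)):
        state = "disabled" if item["disabled"] else "enabled"
        print(f"{item['app']}/{item['name']} ({state}, owner {item['owner']}): "
              f"runs {item['script']} {' '.join(item['args'])}")
```

To run it against a live instance, feed the body of the curl response above into `parse_lookup_feed`; the `eai:acl` and `eai:attributes` keys that the real response carries are nested dicts and are skipped by the leaf-only check.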

POST data/transforms/lookups

Create a new lookup definition.

Request

Name Type Required Default Description
name String
The name of the lookup definition.
default_match String If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create lookup.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
CAN_OPTIMIZE Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk app for which the lookups are defined. For example, the search app.
eai:userName The Splunk user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.

If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk uses the first <integer> entries, in file order.

If the lookup is temporal, Splunk uses the first <integer> entries in descending time order.

Default = 100 if the lookup is not temporal, default = 1 if it is temporal.

max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.
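The interplay of max_matches, min_matches, default_match and the temporal attributes (time_field, time_format, min_offset_secs, max_offset_secs) is the part of a lookup definition that most often surprises people, so here is an added example that models those rules as the descriptions above state them. It is not Splunk's matcher and the function names are this example's own; the role-assignment table is constructed. Two assumptions the page does not state: min_offset_secs defaults to 0 and max_offset_secs to unbounded, and timestamps are read as UTC.

```python
from datetime import datetime, timezone

# Added example (not Splunk's code): a model of how max_matches, min_matches,
# default_match and the temporal attributes select rows, following the
# attribute descriptions on this page. The table below is constructed.

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # the lookup's time_format (strptime syntax)

# Constructed role-assignment table; one user can have several rows over time.
ROLE_TABLE = [
    {"user": "alice", "role": "analyst", "valid_from": "2024-01-01 00:00:00"},
    {"user": "alice", "role": "admin",   "valid_from": "2024-03-01 00:00:00"},
    {"user": "bob",   "role": "analyst", "valid_from": "2024-01-01 00:00:00"},
]


def to_epoch(value, fmt=TIME_FORMAT):
    """Parse a timestamp with the lookup's strptime format; UTC is assumed."""
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()


def run_lookup(table, key_field, key_value, *, event_time=None, time_field=None,
               time_format=TIME_FORMAT, min_offset_secs=0, max_offset_secs=None,
               max_matches=None, min_matches=0, default_match=None):
    """Return the rows matching key_value:
    - non-temporal: the first max_matches rows in file order (default 100);
    - temporal: rows whose entry time lies min_offset_secs..max_offset_secs
      before the event, the first max_matches in descending time order
      (default 1);
    - fewer than min_matches rows: padded with default_match rows.
    Assumed defaults (not stated on the page): min_offset_secs=0 and
    max_offset_secs unbounded."""
    temporal = time_field is not None
    if max_matches is None:
        max_matches = 1 if temporal else 100
    rows = [row for row in table if row.get(key_field) == key_value]
    if temporal:
        keep = []
        for row in rows:
            # how much later the event is than the lookup entry
            delta = event_time - to_epoch(row[time_field], time_format)
            if delta >= min_offset_secs and (max_offset_secs is None or delta <= max_offset_secs):
                keep.append(row)
        keep.sort(key=lambda r: to_epoch(r[time_field], time_format), reverse=True)
        rows = keep
    matches = rows[:max_matches]
    if default_match is not None and table:
        output_fields = [f for f in table[0] if f not in (key_field, time_field)]
        while len(matches) < min_matches:
            matches.append({key_field: key_value, **{f: default_match for f in output_fields}})
    return matches


def roles(matches):
    """Convenience: just the role column of a result."""
    return [m["role"] for m in matches]


if __name__ == "__main__":
    print(roles(run_lookup(ROLE_TABLE, "user", "alice")))
    print(roles(run_lookup(ROLE_TABLE, "user", "alice", time_field="valid_from",
                           event_time=to_epoch("2024-04-01 00:00:00"))))
```

The temporal case is the one to check when a lookup enriches security events: with the default max_matches of 1 the most recent entry not later than the event wins, so an event from February resolves alice to "analyst" while one from April resolves her to "admin", and a tight max_offset_secs turns a stale entry into no match at all (which is where min_matches and default_match decide what the search sees).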

Example

Create a new file-based lookup associated with lookup.csv.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups \
	-d name=my_lookup \
	-d filename=lookup.csv


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:33-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:10:33-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups/{name}

DELETE data/transforms/lookups/{name}

Delete the named lookup definition.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete named lookup.
404 Named lookup does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Remove the newly created lookup definition.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:03:24-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET data/transforms/lookups/{name}

List a single lookup definition.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view named lookup.
404 Named lookup does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
CAN_OPTIMIZE Indicates whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS Indicates whether Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS Indicates whether Splunk preserves extracted fields with empty values.
LOOKAHEAD For index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk app for which the lookups are defined. For example, the search app.
eai:attributes See Accessing Splunk resources
eai:userName The Splunk user for which the lookups are defined.
filename The name of the static lookup table file.
type Specifies the field extraction type.

Can be either external or file.

Example

Retrieve the newly created lookup definition.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:11:01-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:11:01-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>default_match</s:item>
                <s:item>disabled</s:item>
                <s:item>external_cmd</s:item>
                <s:item>fields_list</s:item>
                <s:item>filename</s:item>
                <s:item>max_matches</s:item>
                <s:item>max_offset_secs</s:item>
                <s:item>min_matches</s:item>
                <s:item>min_offset_secs</s:item>
                <s:item>time_field</s:item>
                <s:item>time_format</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST data/transforms/lookups/{name}

Modify the named lookup definition.

Request

Name Type Required Default Description
default_match String If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit named lookup.
404 Named lookup does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
CAN_OPTIMIZE Controls whether Splunk can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off; it ensures that certain fields are always discovered. Splunk only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation for data/transforms/extractions.

SOURCE_KEY The KEY to which Splunk applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk app for which the lookups are defined. For example, the search app.
eai:userName The Splunk user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.
max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.

Example

Change the newly created lookup to be based on a script instead of a lookup table file.


curl -k -u admin:pass \
	https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup \
	-d external_cmd=myscript.py \
	-d fields_list=a,b,c


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:00:07-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-07-21T20:00:07-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">myscript.py</s:key>
        <s:key name="fields_list">a,b,c</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


directory

Provides access to user configurable objects.

These objects include search commands, UI views, UI navigation, saved searches and event types. This is useful to see which objects are provided by all apps, or by a specific app when the call is namespaced. The specific configuration in restmap.conf is showInDirSvc.

Note: This endpoint is new for Splunk 4.3. It replaces the deprecated endpoint accessible from /admin/directory.

GET directory

Provides an enumeration of the following app scoped objects:

  • event types
  • saved searches
  • time configurations
  • views
  • navs
  • manager XML
  • quickstart XML
  • search commands
  • macros
  • tags
  • field extractions
  • lookups
  • workflow actions
  • field aliases
  • sourcetype renames

This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc in restmap.conf.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view user configurable objects.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No returned values.

Example

Lists a variety of configuration object types visible to the admin user in the context of the search app. Note that this includes objects that belong to other users or apps, but are exported into this context.

Most results in this example have been elided for brevity.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory


<feed xmlns="http://www.w3.org/2005/Atom" 
  xmlns:s="http://dev.splunk.com/ns/rest" 
  xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:03:40-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>_admin</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="list"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>abc</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="alternate"/>
    <author>
      <name>ssorkin</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
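
The lookup feed returned by POST data/transforms/lookups/{name} and the directory listing above share the same Atom layout: each entry carries an s:dict of s:key elements, some nested as s:dict or s:list. The script below is an added example and not part of the Splunk documentation; it parses that layout into Python dicts and then applies it to the two audits these listings invite: reporting every lookup definition whose type is external, with its owner and the external_cmd it runs at search time, and counting directory entries by eai:type and owning app so objects exported in from other apps stand out. Both sample feeds are constructed from the responses shown on this page; the geo_sites lookup and all function names are assumptions, not identifiers from the page.

```python
"""Parse the Atom feeds Splunk returns from data/transforms/lookups and from the
directory service, then audit them.  Added example, not Splunk's own code; both
sample feeds are constructed from the responses shown on this page."""
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"


def value_of(node):
    """Value of an <s:key>: nested <s:dict> -> dict, <s:list> -> list, else text."""
    children = list(node)
    if children and children[0].tag == S + "dict":
        return dict_from_sdict(children[0])
    if children and children[0].tag == S + "list":
        return [value_of(item) for item in children[0].findall(S + "item")]
    return (node.text or "").strip()


def dict_from_sdict(node):
    """Convert an <s:dict> element into a plain Python dict, recursively."""
    return {key.get("name"): value_of(key) for key in node.findall(S + "key")}


def parse_entries(feed_xml):
    """One dict per <entry>: title, id, author plus every key under <content>."""
    entries = []
    for entry in ET.fromstring(feed_xml).findall(ATOM + "entry"):
        rec = {"title": entry.findtext(ATOM + "title"),
               "id": entry.findtext(ATOM + "id"),
               "author": entry.findtext(ATOM + "author/" + ATOM + "name")}
        sdict = entry.find(ATOM + "content/" + S + "dict")
        if sdict is not None:
            rec.update(dict_from_sdict(sdict))
        entries.append(rec)
    return entries


def external_lookups(feed_xml):
    """Lookup definitions of type 'external'.  These run external_cmd, a script
    under $SPLUNK_HOME/etc/<app>/bin, at search time instead of reading a CSV,
    so they are the ones to review for who owns them and what they invoke."""
    return [{"name": e["title"], "owner": e.get("eai:userName"),
             "app": e.get("eai:appName"), "external_cmd": e.get("external_cmd"),
             "fields_list": e.get("fields_list")}
            for e in parse_entries(feed_xml) if e.get("type") == "external"]


def namespace_of(entry_id):
    """(owner, app) from an id such as https://host/servicesNS/{owner}/{app}/..."""
    parts = urlparse(entry_id).path.split("/")
    if len(parts) > 3 and parts[1] == "servicesNS":
        return parts[2], parts[3]
    return None, None


def directory_inventory(feed_xml):
    """Count directory entries by (eai:type, owning app); in a namespaced
    listing this shows which objects are exported in from other apps."""
    counts = Counter()
    for e in parse_entries(feed_xml):
        counts[(e.get("eai:type"), namespace_of(e["id"])[1])] += 1
    return counts


# Constructed sample: the lookup changed above plus a file-based lookup (geo_sites is invented).
LOOKUPS_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>my_lookup</title><author><name>admin</name></author>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
<content type="text/xml"><s:dict><s:key name="disabled">0</s:key>
<s:key name="eai:appName">search</s:key><s:key name="eai:userName">admin</s:key>
<s:key name="eai:attributes"><s:dict><s:key name="requiredFields"><s:list/></s:key></s:dict></s:key>
<s:key name="external_cmd">myscript.py</s:key><s:key name="fields_list">a,b,c</s:key>
<s:key name="type">external</s:key></s:dict></content></entry>
<entry><title>geo_sites</title><author><name>nobody</name></author>
<id>https://localhost:8089/servicesNS/nobody/search/data/transforms/lookups/geo_sites</id>
<content type="text/xml"><s:dict><s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">nobody</s:key><s:key name="filename">lookup.csv</s:key>
<s:key name="type">file</s:key></s:dict></content></entry></feed>"""

# Constructed sample: three views as the directory service lists them.
DIRECTORY_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>_admin</title><author><name>nobody</name></author>
<id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id>
<content type="text/xml"><s:dict><s:key name="eai:type">views</s:key></s:dict></content></entry>
<entry><title>abc</title><author><name>ssorkin</name></author>
<id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id>
<content type="text/xml"><s:dict><s:key name="eai:type">views</s:key></s:dict></content></entry>
<entry><title>dashboard_live</title><author><name>nobody</name></author>
<id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
<content type="text/xml"><s:dict><s:key name="eai:type">views</s:key></s:dict></content></entry></feed>"""

if __name__ == "__main__":
    for lk in external_lookups(LOOKUPS_FEED):
        print(f"external lookup {lk['app']}/{lk['owner']}/{lk['name']}: "
              f"{lk['external_cmd']} fields={lk['fields_list']}")
    for (etype, app), n in sorted(directory_inventory(DIRECTORY_FEED).items()):
        print(f"{etype:<10} {str(app):<8} {n}")
```

Against a live instance, the same functions apply to the bodies returned by GET data/transforms/lookups and GET directory (with count=-1 to avoid the default page size of 30); an external lookup whose owner or script you do not recognise is worth a closer look, since the script executes on the search head.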

directory/{name}

GET directory/{name}

Displays information about a single entity in the directory service enumeration.

This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the user configurable object.
404 User configurable object does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
eai:attributes See Accessing Splunk resources

Example

This example displays information about a single entity in the directory service enumeration.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:09:59-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>dashboard_live</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
    <updated>2011-05-16T19:09:59-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
            <s:dict>
                <s:key name="optionalFields">
                    <s:list/>
                </s:key>
                <s:key name="requiredFields">
                    <s:list/>
                </s:key>
                <s:key name="wildcardFields">
                    <s:list/>
                </s:key>
            </s:dict>
        </s:key>
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


saved/eventtypes

Provides access to saved event types.

GET saved/eventtypes

Retrieve saved event types.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view event types.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags Deprecated. Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.

Example

Lists all saved event types accessible to the admin user in the search app.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:46:52-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>internal_search_terms</title>
    <id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id>
    <updated>2011-07-10T23:46:52-07:00</updated>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">
<![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]>        </s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST saved/eventtypes

Creates a new event type.

Request

Name Type Required Default Description
name String The name for the event type.
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String Deprecated. Use tags.conf.spec file to assign tags to groups of events with related field values.

Response Codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create an event type.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags Deprecated. Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.

Example

Creates an event type, client-errors, for the specified search.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

Otherwise, these characters can be interpreted as part of the HTTP request.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes \
	-d name="client-errors" \
	--data-urlencode 'search=http client error NOT (403 OR 404)'


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:10-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:10-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
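
The note above about URI-encoding =, &, ? and % is easy to get wrong when the body is assembled by hand. As an added example that is not from the Splunk documentation, the Python below builds the form body for this endpoint with urllib's urlencode, shows what a naively concatenated body looks like to a form parser, and assembles the request with the same HTTP Basic authentication the curl -u examples on this page use. The host, user, password and search string are constructed for illustration, and the function names are the example's own.

```python
"""Build the form body for POST saved/eventtypes so that '=', '&', '?' and '%'
inside the search string survive the trip.  Added example, not Splunk's code;
host, user, password and the search text are constructed for illustration."""
import base64
import os
from urllib.parse import parse_qs, quote, urlencode
from urllib.request import Request


def eventtype_body(name, search, description=None, disabled=False, priority=1):
    """Form-encode the documented parameters.  urlencode escapes the reserved
    characters inside each value, so the server sees exactly one search field."""
    priority = int(priority)
    if not 1 <= priority <= 10:
        raise ValueError("priority must be an integer from 1 to 10")
    params = {"name": name, "search": search,
              "disabled": int(bool(disabled)), "priority": priority}
    if description is not None:
        params["description"] = description
    return urlencode(params)


def naive_body(name, search):
    """What plain concatenation produces: an unescaped '&' in the search splits
    it into extra form fields and an unescaped '=' truncates the value."""
    return f"name={name}&search={search}"


def fields_seen_by_server(body):
    """Decode a body the way a form parser on the server side does."""
    return parse_qs(body, keep_blank_values=True)


def build_request(base_url, owner, app, body, user, password):
    """POST to /servicesNS/{owner}/{app}/saved/eventtypes with HTTP Basic auth,
    the same scheme the curl -u examples on this page use."""
    url = f"{base_url}/servicesNS/{quote(owner)}/{quote(app)}/saved/eventtypes"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return Request(url, data=body.encode(), method="POST",
                   headers={"Authorization": f"Basic {token}",
                            "Content-Type": "application/x-www-form-urlencoded"})


# Constructed search: contains '=', '?' and '&', characters the page says must
# be URI-encoded because they are otherwise read as part of the HTTP request.
SEARCH = 'http client error NOT (403 OR 404) uri="/api?x=1&y=2"'

if __name__ == "__main__":
    good = eventtype_body("client-errors", SEARCH, description="HTTP Client Errors")
    print("encoded :", fields_seen_by_server(good)["search"])
    print("naive   :", fields_seen_by_server(naive_body("client-errors", SEARCH)))
    # Credentials come from the environment rather than the command line,
    # where a literal -u admin:pass would be visible in shell history and ps.
    req = build_request("https://localhost:8089", "admin", "search", good,
                        os.environ.get("SPLUNK_USER", "admin"),
                        os.environ.get("SPLUNK_PASSWORD", "pass"))
    print(req.get_method(), req.full_url)
```

To actually send the request, pass it to urllib.request.urlopen. urllib verifies the server certificate by default, whereas the curl examples pass -k to skip verification; for a Splunk instance with a self-signed certificate, give urlopen an SSL context that trusts that instance's CA rather than turning verification off.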

saved/eventtypes/{name}

DELETE saved/eventtypes/{name}

Deletes this event type.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to delete event type.
404 Event type does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

No values returned for this request.

Example

Deletes the saved event type, client-errors.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:29-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>

GET saved/eventtypes/{name}

Returns information on this event type.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view event type.
404 Event type does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:attributes See Accessing Splunk resources
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags Deprecated. Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.

Example

Returns details on the event type, client-errors.

The example for the POST operation of saved/eventtypes creates this event type.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:17-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>priority</s:item>
                <s:item>tags</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>search</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST saved/eventtypes/{name}

Updates this event type.

Request

Name Type Required Default Description
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String Deprecated. Use tags.conf.spec file to assign tags to groups of events with related field values.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit event type.
404 Event type does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

Attribute Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags Deprecated. Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.

Example

Updates the event type, client-errors, to specify a description for the event type. Note that the search must be re-specified for this edit.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

Otherwise, these characters can be interpreted as part of the HTTP request.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors \
	-d description="HTTP Client Errors" \
	--data-urlencode search=search="http client error NOT (403 OR 404)"


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:22-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:48:22-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">HTTP Client Errors</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
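The update above, as an added Python example that is not Splunk's own code: it builds the form body with urlencode (the same percent-encoding --data-urlencode applies to the search string), flattens the <s:dict> of the returned Atom feed, and checks the body against the requiredFields advertised in eai:attributes so the search is not left out. The feed embedded below is a constructed, trimmed copy of the responses shown on this page, so the example runs offline and the HTTP call itself is omitted.

```python
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET
ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed, trimmed copy of the feeds above: one entry whose <s:dict> carries
# the eai:attributes block from the GET response plus the updated values.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">HTTP Client Errors</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:attributes"><s:dict>
          <s:key name="requiredFields"><s:list><s:item>search</s:item></s:list></s:key>
        </s:dict></s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">http client error NOT (403 OR 404)</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

def eventtype_form_body(description, search):
    """Body for POST saved/eventtypes/{name}. urlencode percent-encodes '=', '&',
    '?' and '%' (plus spaces and parentheses) inside values, as --data-urlencode
    does; a raw '&' or '=' in the search would be read as a new parameter."""
    return urlencode({"description": description, "search": search})

def _value(key):
    """Unwrap an <s:key>: nested <s:dict> -> dict, <s:list> -> list, else text."""
    inner = key.find(f"{SREST}dict")
    if inner is not None:
        return {k.get("name"): _value(k) for k in inner.findall(f"{SREST}key")}
    lst = key.find(f"{SREST}list")
    if lst is not None:
        return [i.text for i in lst.findall(f"{SREST}item")]
    return key.text or ""

def parse_entry_dict(feed_xml):
    """Flatten the first entry's <s:dict> into a Python dict."""
    root = ET.fromstring(feed_xml)
    sdict = root.find(f"{ATOM}entry/{ATOM}content/{SREST}dict")
    return {k.get("name"): _value(k) for k in sdict.findall(f"{SREST}key")}

def missing_required(form_body, entry):
    """Required fields (from eai:attributes) that the form body does not send."""
    sent = parse_qs(form_body)
    required = entry.get("eai:attributes", {}).get("requiredFields", [])
    return [f for f in required if f not in sent]
```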


search/fields

Provides management for search field configurations.

Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overridden values in $SPLUNK_HOME/etc/system/local/fields.conf.

GET search/fields

Returns a list of fields registered for field configuration.

Request

Name Type Required Default Description
output_mode String xml Specify output formatting. Select from either:
xml: XML formatting
json: JSON formatting

See JSON and other response formats for more information.

Response Codes

Status Code Description
200 Listed successfully.

Returned Values

No values returned for this request.

Example

Returns the list of fields that have tags applied to them.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Fields</title>
  <id>/servicesNS/admin/search/search/fields</id>
  <updated>2011-07-11T10:04:51-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>_indextime</title>
    <id>/servicesNS/admin/search/search/fields/_indextime</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/>
  </entry>
  <entry>
    <title>_sourcetype</title>
    <id>/servicesNS/admin/search/search/fields/_sourcetype</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/>
  </entry>
  <entry>
    <title>date_hour</title>
    <id>/servicesNS/admin/search/search/fields/date_hour</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/>
  </entry>

  . . .

  <entry>
    <title>splunk_server</title>
    <id>/servicesNS/admin/search/search/fields/splunk_server</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/>
  </entry>
  <entry>
    <title>timeendpos</title>
    <id>/servicesNS/admin/search/search/fields/timeendpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/>
  </entry>
  <entry>
    <title>timestartpos</title>
    <id>/servicesNS/admin/search/search/fields/timestartpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/>
  </entry>
</feed>

search/fields/{field_name}

GET search/fields/{field_name}

Retrieves information about the named field.

Request

Name Type Required Default Description
output_mode String xml Specify output formatting. Select from either:
xml: XML formatting
json: JSON formatting

See JSON and other response formats for more information.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.

Returned Values

No values returned for this request.

Example

Returns information about the field configuration for the sourcetype search field.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype


<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype</title>
  <id>/servicesNS/admin/search/search/fields/sourcetype</id>
  <updated>2011-07-11T10:08:54-07:00</updated>
  <link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/>
  <content type="text">	Attr:INDEXED	True
	Attr:INDEXED_VALUE	False
	Attr:TOKENIZER	
</content>
</entry>

search/fields/{field_name}/tags

GET search/fields/{field_name}/tags

Returns a list of tags that have been associated with the field specified by {field_name}.

Request

No parameters for this request.

Response Codes

Because fields exist only at search time, this endpoint returns a 200 response for any non-empty request.

Status Code Description
200 Listed successfully.
404 Named field does not exist.

Returned Values

No values returned for this request.

Example

Return the tags associated with the field host.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags


<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags for the host field</title>
  <id>/servicesNS/admin/search/search/fields/host/tags</id>
  <updated>2011-07-11T10:41:46-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>location::sfo</title>
    <id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id>
    <updated>2011-07-11T10:41:46-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/>
  </entry>
</feed>

POST search/fields/{field_name}/tags

Update the tags associated with the field specified by {field_name}.

The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.

You must specify at least one add or delete parameter.

Request

Name Type Required Default Description
value String
The specific field value on which to bind the tags.
add String The tag to attach to this field_name::value combination.
delete String The tag to remove from this field_name::value combination.

Response Codes

Status Code Description
200 Tags updated.
400 Request error. See response body for details.

Returned Values

No values returned for this request.

Example

For the field host, adds the tag sfo and deletes the tag nyc for the value location.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags \
	-d add=sfo \
	-d delete=nyc \
	-d value=location


<response>
  <messages>
    <msg type='INFO'>Successfully processed adds/deletes for field host</msg>
  </messages>
</response>


search/tags

Provides management of search time tags.

GET search/tags

Returns a list of all search time tags.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.

Returned Values

No values returned for this request.

Example

Display search time tags for this Splunk instance.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags</title>
  <id>/servicesNS/admin/search/search/tags</id>
  <updated>2011-07-08T01:35:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>machine</title>
    <id>/servicesNS/admin/search/search/tags/machine</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/>
  </entry>
  <entry>
    <title>user</title>
    <id>/servicesNS/admin/search/search/tags/user</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/>
  </entry>
</feed>

search/tags/{tag_name}

DELETE search/tags/{tag_name}

Deletes the tag, and its associated field:value pair assignments. The resulting change in tags.conf is to set all field:value pairs to disabled.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Deleted successfully.
404 Search tag does not exist.

Returned Values

No values returned for this request.

Example

Deletes the user tag.

tags.conf has been updated to mark this tag disabled.


curl -k -u admin:pass --request DELETE \
	https://localhost:8089/servicesNS/admin/search/search/tags/user


<response>
  <messages>
    <msg type="INFO">Tag successfully deleted</msg>
  </messages>
</response>

GET search/tags/{tag_name}

Returns a list of field:value pairs that have been associated with the tag specified by {tag_name}.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
404 Search tag does not exist.

Returned Values

No values returned for this request.

Example

Returns field:value pairs associated with the tag name "user."


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user


<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Field::Value pairs with tag user</title>
  <id>/servicesNS/admin/search/search/tags/user</id>
  <updated>2011-07-08T01:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>eventtype::userupdate</title>
    <id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id>
    <updated>2011-07-08T01:35:28-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/>
  </entry>
</feed>

POST search/tags/{tag_name}

Updates the field:value pairs associated with {tag_name}.

Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then the deletes.

If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.

Request

Name Type Required Default Description
add String A field:value pair to tag with {tag_name}.
delete String A field:value pair to remove from {tag_name}.

Response Codes

Status Code Description
200 Updated successfully.
201 Field successfully added to tag.
400 Request error. See response body for details.

Returned Values

No values returned for this request.

Example

Adds a field::value pair and deletes an existing field::value pair.


curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user \
	-d add=eventtype::userupdate \
	-d delete=eventtype::useradd-suse


<response>
  <messages>
    <msg type="INFO">Processed adds/deletes for tag</msg>
  </messages>
</response>
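Both tag endpoints above (POST search/fields/{field_name}/tags and POST search/tags/{tag_name}) take repeated add and delete parameters and apply every add before every delete. The added Python example below, not Splunk's own code, builds that repeated-parameter body, models the documented ordering so the net effect of a request can be checked before sending it, and reads the <response><messages> body; the response text is a constructed copy of the one shown above.

```python
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET

# Constructed copy of the <response> shown above for the fields/host/tags POST.
SAMPLE_RESPONSE = """<response><messages>
  <msg type='INFO'>Successfully processed adds/deletes for field host</msg>
</messages></response>"""

def tag_form_body(add=(), delete=(), value=None):
    """Repeated add=/delete= parameters, one per item, as the repeated -d flags
    in the curl calls produce; value is only used by fields/{name}/tags."""
    if not add and not delete:
        raise ValueError("at least one add or delete parameter is required")
    params = {} if value is None else {"value": value}
    params.update({"add": list(add), "delete": list(delete)})
    return urlencode(params, doseq=True)

def apply_tag_update(current, body):
    """Model the documented server order: every add is applied first, then
    every delete, so an item named in both ends up removed."""
    sent = parse_qs(body)
    tags = set(current) | set(sent.get("add", []))
    tags -= set(sent.get("delete", []))
    return sorted(tags)

def response_messages(xml_text):
    """(type, text) pairs from a <response><messages> body."""
    return [(m.get("type"), m.text) for m in ET.fromstring(xml_text).iter("msg")]
```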

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
