Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.
Knowledge endpoint descriptions
Work with searches and other knowledge objects.
- Define data configurations indexed and searched by the Splunk platform.
- Manage how data is handled, using look-ups, field extractions, field aliases, sourcetypes, and transforms.
- Manage saved event types.
- Manage search field configurations and search time tags.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication is required for access to endpoints and REST operations.
Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.
App and user context
Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.
Splunk Cloud Platform URL for REST API access
Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Use the following URL for Splunk Cloud Platform deployments. If necessary, submit a support case using the Splunk Support Portal to open port 8089 on your deployment.
https://<deployment-name>.splunkcloud.com:8089
Free trial Splunk Cloud Platform accounts cannot access the REST API.
See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.
admin/summarization
https://<host>:<mPort>/services/admin/summarization/?by_tstats=1
Get aggregated details about all accelerated data model summaries.
Authentication and authorization
Authorization to access data model acceleration information is role-based.
GET
Get a list of field:value pairs that provide details about accelerated data models and their summaries.
Request parameters
None.
Returned values
| Name | Description |
|---|---|
| search | The data models, represented as search strings. |
| summary.access_count | The total number of times that the summary for each data model has been accessed. |
| summary.access_time | The last time that the summary of each data model was accessed. |
| summary.average_time | The average runtime of the past 48 summarization search jobs for this data model. |
| summary.buckets | The total number of buckets in the summaries of each data model. |
| summary.buckets_size | The total size of the buckets in the summaries of each data model. The size is reported in terms of megabytes (MB). |
| summary.complete | Reports whether or not the summaries for each data model are complete. |
| summary.earliest_time | The timestamp of the earliest event in the summaries for each data model. |
| summary.id | The ID of the data models being summarized. The format is DM_<app_name>_<data_model_ID>.
|
| summary.is_inprogress | Indicates whether or not the summary build is currently in progress for each data model. |
| summary.last_error | Lists errors that were logged in the latest run (from last_sid) of the summary creation search.
|
| summary.last_sid | The SID of the latest creation search job for each data model summary. |
| summary.latest_time | The timestamp of the latest events in each data model summary. |
| summary.latest_dispatch_time | The timestamp of the latest summary creation search for each data model. |
| summary.latest_run_duration | The runtime of the latest summary creation search for each data model. |
| summary.mod_time | The last time each data model summary was modified. |
| summary.p50 | The 50th percentile of summarization search runtimes for each data model. 50 percent of the summarization searches for a given data model had runtimes that were less than this value. |
| summary.p90 | The 90th percentile of summarization search runtimes for each data model. 90 percent of the summarization searches for a given data model had runtimes that were less than this value. |
| summary.run_stats | The start and duration of all saved previous summarization search jobs, up to 100 jobs. |
| summary.size | The total size of each summary, in bytes. |
| summary.time_range | The range of time covered by each summary. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/admin/summarization/?by_tstats=1
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>summarization</title>
<id>https://localhost:8089/services/admin/summarization</id>
<updated>2015-06-01T15:21:20-07:00</updated>
<generator build="e343948e242181aa7b94257ede83830605c853d9" version="20150526"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/summarization/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>tstats:DM_search_mydatamodel</title>
<id>https://localhost:8089/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel</id>
<updated>2015-06-01T15:21:20-07:00</updated>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="list"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="remove"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/details" rel="details"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/reschedule" rel="reschedule"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/touch" rel="touch"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms"/>
<s:key name="removable">0</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="search"><![CDATA[search search (index=* OR index=_*) (index=_internal) | eval nodename = "rootevent"| eval is_Age=if(searchmatch("(avg_age)"),1,0), is_not_Age=1-is_Age | eval nodename = if(nodename == "rootevent" AND searchmatch("(avg_age)"), mvappend(nodename, "rootevent.Age"), nodename) | rename abandoned_channels AS rootevent.abandoned_channels average_kbps AS rootevent.average_kbps avg_age AS rootevent.avg_age bytes AS rootevent.bytes clientip AS rootevent.clientip color AS rootevent.color component AS rootevent.component cookie AS rootevent.cookie cpu_seconds AS rootevent.cpu_seconds cumulative_hits AS rootevent.cumulative_hits current_queue_size AS rootevent.current_queue_size current_size AS rootevent.current_size current_size_kb AS rootevent.current_size_kb date_hour AS rootevent.date_hour is_Age AS rootevent.is_Age is_not_Age AS rootevent.is_not_Age | fields nodename, _time, host, source, sourcetype, rootevent.abandoned_channels, rootevent.average_kbps, rootevent.avg_age, rootevent.bytes, rootevent.clientip, rootevent.color, rootevent.component, rootevent.cookie, rootevent.cpu_seconds, rootevent.cumulative_hits, rootevent.current_queue_size, rootevent.current_size, rootevent.current_size_kb, rootevent.date_hour, rootevent.is_Age, rootevent.is_not_Age]]></s:key>
<s:key name="summary.access_count">0</s:key>
<s:key name="summary.access_time">0</s:key>
<s:key name="summary.buckets">22</s:key>
<s:key name="summary.buckets_size">273</s:key>
<s:key name="summary.complete">1.000000</s:key>
<s:key name="summary.earliest_time">1432174156</s:key>
<s:key name="summary.id">DM_search_mydatamodel</s:key>
<s:key name="summary.is_inprogress">0</s:key>
<s:key name="summary.last_error"></s:key>
<s:key name="summary.last_sid">scheduler__nobody__search__RMD5692d85674596d683_at_1433197200_18815</s:key>
<s:key name="summary.latest_time">1432684089</s:key>
<s:key name="summary.mod_time">1433196908</s:key>
<s:key name="summary.size">61153280</s:key>
<s:key name="summary.time_range">604800</s:key>
</s:dict>
</content>
</entry>
</feed>
admin/summarization/tstats:DM_{app}_{data_model_ID}
https://<host>:<mPort>/services/admin/summarization/tstats:DM_{app}_{data_model_ID}
Review information about the summaries of a specific data model. Identify specific data models by providing their app short name and their data model ID.
Authentication and authorization
Authorization to access data model acceleration information is role-based.
GET
Get detailed information about the acceleration summaries of a specific datamodel. See statistics about data model usage and information about the latest summary creation run.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| app required |
string | The short name of the app to which the data set belongs. | |
| data model ID required |
string | The ID of the data model. |
Returned values
| Name | Description |
|---|---|
| search | The data model, represented as a search string. |
| summary.access_count | The total number of times that the summary for this data model has been accessed. |
| summary.access_time | The last time that the summary of this data model was accessed. |
| summary.average_time | The average runtime of the past 48 summarization search jobs for this data model. |
| summary.buckets | The total number of buckets in the summary of this data model. |
| summary.buckets_size | The total size of the buckets in the summary of this data model. The size is reported in terms of megabytes (MB). |
| summary.complete | Reports whether or not the summary for the data model are complete. |
| summary.earliest_time | The timestamp of the earliest event in the summary for this data model. |
| summary.id | The ID of the data model being summarized. The format is DM_<app_name>_<data_model_ID>.
|
| summary.is_inprogress | Indicates whether or not the data model summary build is currently in progress. |
| summary.last_error | Lists errors that were logged in the latest run (from last_sid) of the summary creation search.
|
| summary.last_sid | The SID of the latest data model summary creation search job. |
| summary.latest_time | The timestamp of the latest event in the data model summary. |
| summary.latest_dispatch_time | The timestamp of the latest summary creation search for the data model. |
| summary.latest_run_duration | The runtime of the latest summary creation search for the data model. |
| summary.mod_time | The last time the data model summary was modified. |
| summary.p50 | The 50th percentile of summarization search runtimes for the data model. 50 percent of the summarization searches for this data model had runtimes that were less than this value. |
| summary.p90 | The 90th percentile of summarization search runtimes for the data model. 90 percent of the summarization searches for this data model had runtimes that were less than this value. |
| summary.run_stats | The start and duration of all saved previous summarization search jobs, up to 100 jobs. |
| summary.size | The total size of the summary, in bytes. |
| summary.time_range | The range of time covered by the summary. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/admin/summarization/tstats:DM_search_test_new_accel
XML Response
... <title>summarization</title> <id>https://localhost:1413/servicesNS/nobody/search/admin/summarization</id> <updated>2019-08-13T14:58:12-07:00</updated> <generator build="2ec8251a07e11294725aa6800463f8a975e18641" version="20190809"/> <author> <name>Splunk</name> </author> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>tstats:DM_search_test_new_accel</title> <id>https://localhost:1413/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel" rel="list"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel" rel="remove"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel/details" rel="details"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel/reschedule" rel="reschedule"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_test_new_accel/touch" rel="touch"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"/> <s:key name="removable">0</s:key> <s:key name="sharing">user</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>isProxyRequest</s:item> <s:item>noProxy</s:item> <s:item>time_format</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="search">search search (index=* OR index=_*) (index=_internal date_second=31) | eval nodename = "test" | fields nodename, _time, host, source, sourcetype</s:key> <s:key name="summary.access_count">0</s:key> <s:key name="summary.access_time">0</s:key> <s:key name="summary.average_time">3.028</s:key> <s:key name="summary.buckets">11</s:key> <s:key name="summary.buckets_size">461</s:key> <s:key name="summary.complete">1</s:key> <s:key name="summary.earliest_time">1565398764</s:key> <s:key name="summary.id">DM_search_test_new_accel</s:key> <s:key name="summary.is_inprogress">0</s:key> <s:key name="summary.last_error">[ronnie.sv.splunk.com] A second test error message just because. [ronnie.sv.splunk.com] Test error message in remote server.</s:key> <s:key name="summary.last_sid">scheduler__nobody__search__RMD5837da1d4b8a764d1_at_1565733480_379</s:key> <s:key name="summary.latest_dispatch_time">1565733481</s:key> <s:key name="summary.latest_run_duration">5.691</s:key> <s:key name="summary.latest_time">1565730106</s:key> <s:key name="summary.mod_time">1565733421</s:key> <s:key name="summary.p50">1.287</s:key> <s:key name="summary.p90">5.859</s:key> <s:key name="summary.run_stats"> <s:dict> <s:key name="1565730661"> <s:dict> <s:key name="dispatch_time">1565730661</s:key> <s:key name="run_duration">0.357</s:key> </s:dict> </s:key> <s:key name="1565730721"> <s:dict> <s:key name="dispatch_time">1565730721</s:key> <s:key name="run_duration">0.240</s:key> </s:dict> </s:key> <s:key name="1565730780"> <s:dict> <s:key name="dispatch_time">1565730780</s:key> <s:key name="run_duration">0.253</s:key> </s:dict> </s:key> <s:key name="1565730840"> <s:dict> <s:key name="dispatch_time">1565730840</s:key> <s:key name="run_duration">0.247</s:key> </s:dict> </s:key> <s:key name="1565730900"> <s:dict> <s:key name="dispatch_time">1565730900</s:key> <s:key name="run_duration">0.233</s:key> </s:dict> </s:key> <s:key name="1565730960"> <s:dict> <s:key name="dispatch_time">1565730960</s:key> <s:key name="run_duration">0.266</s:key> </s:dict> </s:key> <s:key name="1565731020"> <s:dict> <s:key name="dispatch_time">1565731020</s:key> <s:key name="run_duration">0.268</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="summary.size">614400</s:key> <s:key name="summary.time_range">86400</s:key> </s:dict> </content> </entry> </feed>
data/lookup-table-files
https://<host>:<mPort>/services/data/lookup-table-files/
Access lookup table files.
This endpoint is available only in Splunk Enterprise.
GET
List lookup table files.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk user who created the lookup table. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files
XML Response
...
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T19:26:11-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T19:26:11-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl nodes elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| eai:data required |
String | Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor. | |
| name required |
String | The lookup table filename. |
Returned values
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk user who created the lookup table. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv -d name=lookup.csv
XML Response
...
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:26:35-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T18:26:35-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
data/lookup-table-files/{name}
https://<host>:<mPort>/services/data/lookup-table-files/{name}
Manage the {name} lookup table file.
This endpoint is available only in Splunk Enterprise.
DELETE
Delete the named lookup table file.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:43:11-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
List a single lookup table file.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:attributes | Field control information. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk user who created the lookup table. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response
...
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:37:25-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T18:37:25-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>eai:data</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Modify a lookup table file by replacing it with a file from the upload staging area.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| eai:data required |
String | Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor. |
Returned values
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk user who created the lookup table. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv
XML Response
...
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:41:52-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T18:41:52-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/calcfields
https://<host>:<mPort>/services/data/props/calcfields
Provides access to calculated fields, which are eval expressions in props.conf.
GET
Returns information on calculated fields for this instance of your Splunk deployment.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields
XML Response
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:01:50-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T15:01:50-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/1000</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create an eval expression defining a calculated field in props.conf.
See Create a calculated field by editing props.conf in the Knowledge Manager Manual for more details.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| name required |
String | The name of the calculated field. Do not specify the "EVAL-" prefix for the field.
When Splunk software writes the calculated field to props.conf, it adds the "EVAL-" prefix. | |
| stanza required |
String | The name of the stanza in props.conf for the calculated field.
The name can be any of the following:
Note: Use URL-encoding to ensure that Splunk software interprets the name of the stanza correctly. | |
| value required |
String | The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk software interprets the name of the stanza correctly. |
Returned values
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields -d name=response_time -d stanza=%3Caccess_common%3E -d value=response_time/1000
XML Response
...
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T14:58:45-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T14:58:45-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/1000</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/calcfields/{name}
https://<host>:<mPort>/services/data/props/calcfields/{name}
Manage the {name} calculated field.
DELETE
Deletes the named calculated field.
Usage details
Use URL-encoding to ensure that Splunk software interprets the name of the calculated field correctly.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:33:06-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
GET
Access the named calculated field.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:05:09-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T15:05:09-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
... eai:attributes node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/1000</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update the named calculated field.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| value | String | The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
See Create a calculated field by editing props.conf in the Knowledge Manager Manual for details. |
Returned values
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time -d value=response_time/100
XML Response
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:14:19-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T15:14:19-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/100</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/extractions
https://<host>:<mPort>/services/data/props/extractions
GET
List field extractions.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field extraction applies.
for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T22:55:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>access_combined : REPORT-access</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id>
<updated>2011-07-10T22:55:04-07:00</updated>
<link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/>
<link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">REPORT-access</s:key>
... eai:acl node elided ...
<s:key name="stanza">access_combined</s:key>
<s:key name="type">Uses transform</s:key>
<s:key name="value">access-extractions</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a new field extraction.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| name required |
String | The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix. | |
| stanza required |
String | The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. | |
| type required |
Enum | Valid values: (REPORT | EXTRACT)
An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza. | |
| value required |
String | If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply. |
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | Specifies the name of the stanza for the field extraction. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?<port_number>\d+)"
XML Response
...
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T22:56:17-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>ftp_log : EXTRACT-port</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
<updated>2011-07-10T22:56:17-07:00</updated>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EXTRACT-port</s:key>
... eai:acl node elided ...
<s:key name="stanza">ftp_log</s:key>
<s:key name="type">Inline</s:key>
<s:key name="value">port (?<port_number>\d )</s:key>
</s:dict>
</content>
</entry>
data/props/extractions/{name}
https://<host>:<mPort>/services/data/props/extractions/{name}
Manage the {name} field extraction.
DELETE
Delete the named field extraction.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T23:05:42-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
List a single field extraction.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field extraction applies.
for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T23:02:31-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>ftp_log : EXTRACT-port</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
<updated>2011-07-10T23:02:31-07:00</updated>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EXTRACT-port</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>value</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="stanza">ftp_log</s:key>
<s:key name="type">Inline</s:key>
<s:key name="value">connection on port (?<port_number>\d )</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Modify the named field extraction.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| value required |
String | If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply. |
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | Specifies the name of the stanza for the field extraction. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port -d "value=connection on port (?<port_number>\d+)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T23:05:05-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>ftp_log : EXTRACT-port</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
<updated>2011-07-10T23:05:05-07:00</updated>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EXTRACT-port</s:key>
... eai:acl node elided ...
<s:key name="stanza">ftp_log</s:key>
<s:key name="type">Inline</s:key>
<s:key name="value">connection on port (?<port_number>\d )</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/fieldaliases
https://<host>:<mPort>/services/data/props/fieldaliases
Access or create field aliases.
GET
List field aliases.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:31:41-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:31:41-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.foo">bar</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">foo AS bar</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a new field alias.
| Name | Type | Default | Description |
|---|---|---|---|
| alias.* | String | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". | |
| name required |
String | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. | |
| stanza required |
String | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
Returned values
| Name | Description |
|---|---|
| alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform. |
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases -d name=alias_name -d stanza=my_sourcetype -d alias.foo=bar
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:30:17-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:30:17-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.foo">bar</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">foo AS bar</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/fieldaliases/{name}
https://<host>:<mPort>/services/data/props/fieldaliases/{name}
Manage the {name} field alias.
DELETE
Delete the named field alias.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:37:45-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Access a field alias.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:33:00-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:33:00-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.foo">bar</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>alias\..*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">foo AS bar</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update a field alias.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| alias.* | String | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". |
Returned values
| Name | Description |
|---|---|
| alias.* | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform. |
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name -d alias.hi=hello -d alias.bye=goodbye
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:34:36-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:34:36-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.bye">goodbye</s:key>
<s:key name="alias.hi">hello</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">bye AS goodbye hi AS hello</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/lookups
https://<host>:<mPort>/services/data/props/lookups
Access or create automatic lookups.
GET
List automatic lookups.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is always |
| value | The transform stanza with the value for the lookup. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:43:53-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:43:53-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="lookup.field.input.foo"/>
<s:key name="lookup.field.output.fuzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">my_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">my_transform foo OUTPUT fuzz</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create an automatic lookup.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| lookup.field.input.* | String | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. | |
| lookup.field.output.* | String | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. | |
| name required |
String | The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix. | |
| overwrite required |
Boolean | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. | |
| stanza required |
String | The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. | |
| transform required |
String | The transforms.conf stanza that defines the lookup to apply. |
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| lookup.field.input.* | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
| lookup.field.output.* | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is alwqys |
| value | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups -d name=my_lookup -d overwrite=1 -d stanza=my_sourcetype -d transform=my_transform -d lookup.field.input.foo= -d lookup.field.output.fuzz=
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:43:31-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:43:31-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="lookup.field.input.foo"/>
<s:key name="lookup.field.output.fuzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">my_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">my_transform foo OUTPUT fuzz</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/lookups/{name}
https://<host>:<mPort>/services/data/props/lookups/{name}
Manage the {name} automatic lookup.
DELETE
Delete an automatic lookup.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:44:32-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Access an automatic lookup.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is always |
| value | The transform stanza with the value for the lookup. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:44:06-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:44:06-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>overwrite</s:item>
<s:item>transform</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>lookup\.field\.input\..*</s:item>
<s:item>lookup\.field\.output\..*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="lookup.field.input.foo"/>
<s:key name="lookup.field.output.fuzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">my_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">my_transform foo OUTPUT fuzz</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update an automatic lookup.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| lookup.field.input.* | String | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. | |
| lookup.field.output.* | String | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. | |
| overwrite required |
Boolean | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. | |
| transform required |
String | The transforms.conf stanza that defines the lookup to apply. |
Returned values
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| lookup.field.input.* | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
| lookup.field.output.* | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is alwqys |
| value | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup -d overwrite=1 -d transform=other_transform -d lookup.field.input.bar= -d lookup.field.output.buzz=
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:44:21-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:44:21-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="lookup.field.input.bar"/>
<s:key name="lookup.field.output.buzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">other_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">other_transform bar OUTPUT buzz</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/sourcetype-rename
https://<host>:<mPort>/services/data/props/sourcetype-rename
Access or rename props.conf sourcetypes.
GET
List renamed sourcetypes.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:40:53-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:40:53-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hw</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Rename a sourcetype.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| name required |
String | The original sourcetype name. | |
| value required |
String | The new sourcetype name. |
Returned values
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename -d name=hardware -d value=hw
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:39:57-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:39:57-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hw</s:key>
</s:dict>
</content>
</entry>
</feed>
data/props/sourcetype-rename/{name}
https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}
Access, delete, or update a sourcetype name.
DELETE
Restore the original sourcetype name for {name}.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:49:16-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Access a specific renamed sourcetype.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:44:47-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:44:47-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>value</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hw</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update a renamed sourcetype name.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| value required |
String | The new sourcetype name. |
Returned values
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware -d value=hrdwr
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:46:58-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:46:58-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hrdwr</s:key>
</s:dict>
</content>
</entry>
</feed>
data/transforms/extractions
https://<host>:<mPort>/services/data/transforms/extractions
Access field extraction definitions.
GET
List field extractions.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk app for which the field extractions are defined. For example, the search app. |
| eai:userName | The name of the Splunk user who created the field extraction definitions. For example, the admin user. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:28:03-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>access-extractions</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id>
<updated>2011-07-21T20:28:03-07:00</updated>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">
<![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]> </s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a new field transformation.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| CAN_OPTIMIZE | Bool | True | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.
NOTE: This option should rarely be set to false. |
| CLEAN_KEYS | Boolean | True | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| disabled | Boolean | Specifies whether the field transformation is disabled. | |
| FORMAT | String | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string. | |
| KEEP_EMPTY_VALS | Boolean | False | If set to true, Splunk software preserves extracted fields with empty values. |
| MV_ADD | Boolean | False | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| name required |
String | The name of the field transformation. | |
| REGEX required |
String | Specify a regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms. REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) REGEX defaults to an empty string. | |
| SOURCE_KEY required |
String | _raw | Specify the KEY to which Splunk software applies REGEX. |
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk app for which the field extractions are defined. For example, the search app. |
| eai:userName | The name of the Splunk user who created the field extraction definitions. For example, the admin user. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d name=my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:25:20-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_transform</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
<updated>2011-07-21T20:25:20-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
data/transforms/extractions/{name}
https://<host>:<mPort>/services/data/transforms/extractions/{name}
Access, delete, or update the {name} field extraction.
DELETE
Delete a field extraction.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:34:30-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Access a specific field extraction.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk app for which the field extractions are defined. For example, the search app. |
| eai:attributes | Field control information. |
| eai:userName | The name of the Splunk user who created the field extraction definitions. For example, the admin user. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:29:00-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_transform</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
<updated>2011-07-21T20:29:00-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>CAN_OPTIMIZE</s:item>
<s:item>CLEAN_KEYS</s:item>
<s:item>FORMAT</s:item>
<s:item>KEEP_EMPTY_VALS</s:item>
<s:item>MV_ADD</s:item>
<s:item>disabled</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>REGEX</s:item>
<s:item>SOURCE_KEY</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update a field extraction.
Request parameters
| Name | Type | Default | Description | |
|---|---|---|---|---|
| REGEX | String | Specify a regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms. REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) REGEX defaults to an empty string. | ||
| SOURCE_KEY | String | _raw | Specify the KEY to which Splunk software applies REGEX. | |
| CAN_OPTIMIZE | Bool | True | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.
NOTE: This option should rarely be set to false. | |
| CLEAN_KEYS | Boolean | True | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. | |
| FORMAT | String | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string. | ||
| KEEP_EMPTY_VALS | Boolean | False | If set to true, Splunk software preserves extracted fields with empty values. | |
| MV_ADD | Boolean | False | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. | |
| disabled | Boolean | Specifies whether the field transformation is disabled. |
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk app for which the field extractions are defined. For example, the search app. |
| eai:userName | The name of the Splunk user who created the field extraction definitions. For example, the admin user. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d CLEAN_KEYS=false
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:33:13-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_transform</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
<updated>2011-07-21T20:33:13-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">0</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
data/transforms/lookups
https://<host>:<mPort>/services/data/transforms/lookups
Access or create lookup definitions.
GET
List lookup definitions.
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Datatype | Default | Description |
|---|---|---|---|
| getsize | Boolean | false
|
Enable to return the file size. |
| replicate_delta | Boolean | false
|
Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table. |
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| GETSIZE | If enabled, returns the file size. |
| KEEP_EMPTY_VALS | If set to true, Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if this lookup is disabled. |
| eai:appName | The Splunk app for which the lookups are defined. For example, the search app. |
| eai:userName | The Splunk user for which the lookups are defined. |
| external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
| fields_list | List of all fields that are supported by the external command. |
| replicate_delta | Indicates that only the changes to a CSV lookup table are replicated, rather than the entire lookup table. |
| type | Specifies the field extraction type.
Can be either external or file. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-08-01T21:10:44-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>dnslookup</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id>
<updated>2011-08-01T21:10:44-07:00</updated>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
<s:key name="fields_list">clienthost clientip</s:key>
<s:key name="type">external</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update a lookup definition.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| collection | String | <empty> |
Name of the collection to use for this lookup. The collection should be defined in $SPLUNK_HOME/etc/<app_name>/collections.conf for the current app. To create a KV Store lookup, use collection to pass in the KV Store collection name and include the external_type parameter with a value of kvstore in your POST request.
|
| name | String | The name of the lookup definition. | |
| default_match | String | If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. | |
| disabled | Boolean | Specifies whether the lookup definition is disabled. | |
| external_cmd | String | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. | |
| external_type | One of the following values:
|
python
|
Type of external command for performing a lookup. To define a KV Store lookup, use
|
| fields_list | String | A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups. | |
| filename | String | The name of the static lookup table file. | |
| max_matches | Number | The maximum number of possible matches for each input lookup value. | |
| max_offset_secs | Number | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. | |
| min_matches | Number | The minimum number of possible matches for each input lookup value. | |
| min_offset_secs | Number | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur. | |
| replicate_delta | Boolean | false |
Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table. |
| time_field | String | For temporal lookups, this is the field in the lookup table that represents the timestamp. | |
| time_format | String | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| KEEP_EMPTY_VALS | If set to true, Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| default_match | If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. |
| disabled | Specifies whether the lookup definition is disabled. |
| eai:appName | The Splunk app for which the lookups are defined. For example, the search app. |
| eai:userName | The Splunk user for which the lookups are defined. |
| external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
| fields_list | List of all fields that are supported by the external command. Use this for external (or "scripted") lookups. |
| filename | The name of the static lookup table file. |
| max_matches | The maximum number of possible matches for each input lookup value.
If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk software uses the first <integer> entries, in file order. If the lookup is temporal, Splunk software uses the first <integer> entries in descending time order. Default = 100 if the lookup is not temporal, default = 1 if it is temporal. |
| max_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| min_matches | The minimum number of possible matches for each input lookup value. |
| min_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| time_field | For temporal lookups, this is the field in the lookup table that represents the timestamp. |
| time_format | For temporal lookups, this specifies the \\"strptime\\" format of the timestamp field. |
| type | Specifies the field extraction type.
Can be either external or file. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups -d name=my_lookup -d filename=lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-08-01T21:10:33-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
<updated>2011-08-01T21:10:33-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="filename">lookup.csv</s:key>
<s:key name="type">file</s:key>
</s:dict>
</content>
</entry>
</feed>
data/transforms/lookups/{name}
https://<host>:<mPort>/services/data/transforms/lookups/{name}
Manage the {name} lookup definition.
DELETE
Delete a specific lookup definition.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-07-21T20:03:24-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Access a specific lookup definition.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| replicate_delta | Boolean | false
|
Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table. |
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Indicates whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | Indicates whether Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| KEEP_EMPTY_VALS | Indicates whether Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | For index-time filed extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | "If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if this lookup is disabled. |
| eai:appName | The Splunk software app for which the lookups are defined. For example, the search app. |
| eai:attributes | Field control information. |
| eai:userName | The Splunk user for which the lookups are defined. |
| filename | The name of the static lookup table file. |
| replicate_delta | Indicates that only the changes to a CSV lookup table are replicated, rather than the entire lookup table. |
| type | Specifies the field extraction type.
Can be either external or file. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-08-01T21:11:01-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
<updated>2011-08-01T21:11:01-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>default_match</s:item>
<s:item>disabled</s:item>
<s:item>external_cmd</s:item>
<s:item>fields_list</s:item>
<s:item>filename</s:item>
<s:item>max_matches</s:item>
<s:item>max_offset_secs</s:item>
<s:item>min_matches</s:item>
<s:item>min_offset_secs</s:item>
<s:item>replicate_delta</s:item>
<s:item>time_field</s:item>
<s:item>time_format</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="filename">lookup.csv</s:key>
<s:key name="replicate_delta">1</s:key>
<s:key name="type">file</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update a lookup definition.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| collection | String | <empty> |
Name of the collection to use for this lookup. The collection should be defined in $SPLUNK_HOME/etc/<app_name>/collections.conf for the current app. To create a KV Store lookup, use collection to pass in the KV Store collection name and include the external_type parameter with a value of kvstore in your POST request.
|
| default_match | String | If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. | |
| disabled | Boolean | Specifies whether the lookup definition is disabled. | |
| external_cmd | String | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. | |
| external_type | One of the following values:
|
python
|
Type of external command for performing a lookup. To define a KV Store lookup, use
|
| fields_list | String | A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups. | |
| filename | String | The name of the static lookup table file. | |
| max_matches | Number | The maximum number of possible matches for each input lookup value. | |
| max_offset_secs | Number | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. | |
| min_matches | Number | The minimum number of possible matches for each input lookup value. | |
| min_offset_secs | Number | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur. | |
| replicate_delta | Boolean | false |
Enable to replicate only the changes to a CSV lookup table rather than replicating the entire lookup table. |
| time_field | String | For temporal lookups, this is the field in the lookup table that represents the timestamp. | |
| time_format | String | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
Returned values
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk software can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk software only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk software "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk software writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk software stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| KEEP_EMPTY_VALS | If set to true, Splunk software preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk software extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk software applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| default_match | If min_matches is greater than zero and Splunk software has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. |
| disabled | Specifies whether the lookup definition is disabled. |
| eai:appName | The Splunk app for which the lookups are defined. For example, the search app. |
| eai:userName | The Splunk user for which the lookups are defined. |
| external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
| fields_list | List of all fields that are supported by the external command. Use this for external (or "scripted") lookups. |
| filename | The name of the static lookup table file. |
| max_matches | The maximum number of possible matches for each input lookup value. |
| max_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| min_matches | The minimum number of possible matches for each input lookup value. |
| min_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| time_field | For temporal lookups, this is the field in the lookup table that represents the timestamp. |
| time_format | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
| type | Specifies the field extraction type.
Can be either external or file. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup -d external_cmd=myscript.py -d fields_list=a,b,c
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-07-21T20:00:07-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
<updated>2011-07-21T20:00:07-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="external_cmd">myscript.py</s:key>
<s:key name="fields_list">a,b,c</s:key>
<s:key name="replicate_delta">1</s:key>
<s:key name="type">external</s:key>
</s:dict>
</content>
</entry>
</feed>
data/transforms/metric-schema
https://<host>:<mPort>/services/data/transforms/metric-schema
Use this endpoint to configure ingest-time log-to-metrics transformations. Identify measurements and blacklist dimensions. Design transformations that target specific event schemas within a log.
Authentication and Authorization
Use of this endpoint is restricted to roles that have the edit_metric_schema capability.
Usage Details
For more information about carrying out ingest-time log-to-metrics transformations using this endpoint, see Convert event logs to metric data points in Metrics.
GET
List existing log-to-metrics configurations.
Request parameters
None.
Returned parameters
None
Example request and response
XML Request
curl -k -u admin:ch@ngeme -X GET https://localhost:8089/services/data/transforms/metric-schema/splunk_metrics
XML Response
<title>metric-schema</title> <id>https://localhost:8089/services/data/transforms/metric-schema</id> <updated>2018-07-31T17:00:21-07:00</updated> <generator build="06d0f1f682cc" version="7.1.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/transforms/metric-schema/_new" rel="create"/> <link href="/services/data/transforms/metric-schema/_reload" rel="_reload"/> <link href="/services/data/transforms/metric-schema/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>metric-schema:splunk_metrics</title> <id>https://localhost:8089/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="list"/> <link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="edit"/> <link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="remove"/> <link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/move" rel="move"/> <link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="METRIC-SCHEMA-BLACKLIST-DIMS-queue">location,corp</s:key> <s:key name="METRIC-SCHEMA-MEASURES-queue">max_size_kb,current_size_kb,current_size,largest_size,smallest_size</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>blacklist_dimensions</s:item> <s:item>field_names</s:item> <s:item>metric_name_prefix</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> </s:dict> </content> </entry> </feed>
POST
Configures ingest-time conversion of log events to metric data points.
Request parameters
| Name | Type | Description |
|---|---|---|
| name required |
String | Required. Name of the metric-schema stanza in transforms.conf.
|
| field_name required |
String | Comma-separated list of measure fields to be extracted from a log line. |
| blacklist_dimension optional |
String | Comma-separated list of dimension fields to be omitted when log events are converted to metric data points. |
| metric_name_prefix optional |
String | Used when the events in a log have more than one schema, meaning that they have differing sets of measure fields and blacklist dimension fields. Takes the value of a field that is shared by all events in the log, and whose values correspond to the different event schemas. |
Returned parameters
| Name | Type | Description |
|---|---|---|
| METRIC-SCHEMA-MEASURES-<metric_name_prefix> | String | Comma-separated list of measure fields to be extracted from a log line. |
| METRIC-SCHEMA-BLACKLIST-DIMS-<metric_name_prefix> | String | Comma-separated list of dimension fields to be omitted when log events are converted to metric data points. |
Example request and response
XML Request
curl -k -u admin:ch@ngeme -X POST https://localhost:8089/services/data/transforms/metric-schema -d "name=splunk_metrics" -d "metric_name_prefix=queue" -d "field_names=max_size_kb,current_size_kb,current_size,largest_size,smallest_size" -d "blacklist_dimensions=location,corp"
XML Response
...
<title>metric-schema</title>
<id>https://localhost:8089/services/data/transforms/metric-schema</id>
<updated>2018-07-31T16:33:54-07:00</updated>
<generator build="06d0f1f682cc" version="7.1.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/transforms/metric-schema/_new" rel="create"/>
<link href="/services/data/transforms/metric-schema/_reload" rel="_reload"/>
<link href="/services/data/transforms/metric-schema/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>metric-schema:splunk_metrics</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="list"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="edit"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics" rel="remove"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/transforms/metric-schema/metric-schema%3Asplunk_metrics/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="METRIC-SCHEMA-BLACKLIST-DIMS-queue">location,corp</s:key>
<s:key name="METRIC-SCHEMA-MEASURES-queue">max_size_kb,current_size_kb,current_size,largest_size,smallest_size</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
DELETE
Delete existing log-to-metrics configurations.
Request parameters
None.
Returned parameters
None
Example request and response
XML Request
curl -k -u admin:ch@ngeme -X DELETE https://localhost:8089/services/data/transforms/metric-schema/splunk_metrics
XML Response
<title>metric-schema</title> <id>https://localhost:8089/services/data/transforms/metric-schema</id> <updated>2018-07-31T16:56:36-07:00</updated> <generator build="06d0f1f682cc" version="7.1.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/transforms/metric-schema/_new" rel="create"/> <link href="/services/data/transforms/metric-schema/_reload" rel="_reload"/> <link href="/services/data/transforms/metric-schema/_acl" rel="_acl"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
data/transforms/statsdextractions
https://<host>:<mPort>/services/data/transforms/statsdextractions
Use this endpoint to configure dimension extraction from StatsD metrics.
Authentication and Authorization
Use of this endpoint is restricted to roles that have the edit_statsd_transforms capability.
Usage Details
For more information about StatsD dimension extraction using this endpoint, see Get metrics in with StatsD in Metrics.
POST
Configures dimension extraction from StatsD metrics.
Request parameters
| Name | Type | Description |
|---|---|---|
| unique_transforms_stanza_name | String | A unique name for this stanza. |
| REGEX = <regular expression> | String | A regular expression that defines how to match and extract dimensions from StatsD metrics data. Splunk supports a named capturing-group extraction format (?<diml>group)(?dim2>group) ... to provide dimension names for the corresponding values that are extracted.
|
| REMOVE_DIMS_FROM_METRIC_NAME= <Boolean> | Boolean | Specifies whether unmatched segments of the StatsD dotted name segment are used as the metric_name.
When When For example, a metric measurement name is "x.y.z". The regular expression matches "y" and "z". When REMOVE_DIMS_FROM_METRIC_NAME is |
Example request and response
Request
curl -k -u admin:pass https://localhost:8089/services/data/transforms/statsdextractions \-d "name=statsd-ex®EX=\.(?<hostname>\S%2B?)\.(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})&REMOVE_DIMS_FROM_METRIC_NAME=true"
Response
...
<title>transforms-statsd</title>
<id>https://<localhost>:<mport>/services/data/transforms/statsdextractions</id>
<updated>2017-08-08T23:53:45+00:00</updated>
<generator build="eb729684699b" version="7.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/transforms/statsdextractions/_new" rel="create"/>
<link href="/services/data/transforms/statsdextractions/_reload" rel="_reload"/>
<link href="/services/data/transforms/statsdextractions/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>statsd-dims:statsd-ex</title>
<id>https://epic-metriks-splk.sv.splunk.com:8089/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="list"/>
<link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="edit"/>
<link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex" rel="remove"/>
<link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/transforms/statsdextractions/statsd-dims%3Astatsd-ex/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="REGEX">\.(?<hostname>\S+?)\.(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</s:key>
<s:key name="REMOVE_DIMS_FROM_METRIC_NAME">1</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">0</s:key>
<s:key name="can_list">0</s:key>
<s:key name="can_share_app">0</s:key>
<s:key name="can_share_global">0</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
data/ui/global-banner
https://<host>:<mPort>/services/data/ui/global-banner
View or create a global banner.
Authentication and Authorization
Use of the POST function of this endpoint is restricted to users with an edit_global_banner capability. The GET function of this endpoint is not restricted.
GET
View a global banner.
Request parameters
None.
Returned values
| Name | Description |
|---|---|
| background_color | Indicates the color of the banner. |
| hyperlink | The link included in the banner. |
| hyperlink_text | Display text for the link in the banner. |
| message | Banner notification text. |
| visible | Boolean value indicating whether the banner is visible. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON
XML Response
...
<entry>
<title>BANNER_MESSAGE_SINGLETON</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON" rel="list"/>
<link href="/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON" rel="edit"/>
<link href="/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>global_banner.background_color</s:item>
<s:item>global_banner.hyperlink</s:item>
<s:item>global_banner.hyperlink_text</s:item>
<s:item>global_banner.message</s:item>
<s:item>global_banner.visible</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="global_banner.background_color">red</s:key>
<s:key name="global_banner.hyperlink"></s:key>
<s:key name="global_banner.hyperlink_text"></s:key>
<s:key name="global_banner.message">Server maintenance from 2am-6am</s:key>
<s:key name="global_banner.visible">1</s:key>
</s:dict>
</content>
</entry>
...
POST
Create a new global banner.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| background_color required |
String | blue | Indicates the color of the banner. The color can be any of the following:
|
| hyperlink optional |
String | The link included in the banner. The link must begin with http://or https://.
| |
| hyperlink_text optional |
String | Display text for the link in the banner. | |
| message required |
String | sample text | Banner notification text. |
| visible required |
Boolean | false | Indicates whether the banner is visible. |
Returned values
| Name | Description |
|---|---|
| background_color | Indicates the color of the banner. |
| hyperlink | The link included in the banner. |
| hyperlink_text | Display text for the link in the banner. |
| message | Banner notification text. |
| visible | Boolean value indicating whether the banner is visible. |
Example request and response
XML Request
curl -X POST -k -u admin:pass https://localhost:8089/servicesNS/nobody/system/data/ui/global-banner/BANNER_MESSAGE_SINGLETON -d global_banner.message="example banner message"
XML Response
...
<entry>
<title>BANNER_MESSAGE_SINGLETON</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/global-banner/BANNER_MESSAGE_SINGLETON</id>
<updated>2020-04-02T16:39:12-07:00</updated>
<link href="/servicesNS/admin/search/data/ui/global-banner/BANNER_MESSAGE_SINGLETON" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/ui/global-banner/BANNER_MESSAGE_SINGLETON" rel="list"/>
<link href="/servicesNS/admin/search/data/ui/global-banner/BANNER_MESSAGE_SINGLETON/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/global-banner/BANNER_MESSAGE_SINGLETON" rel="edit"/>
<link href="/servicesNS/admin/search/data/ui/global-banner/BANNER_MESSAGE_SINGLETON/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms"/>
<s:key name="removable">1</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="global_banner.background_color">red</s:key>
<s:key name="global_banner.hyperlink"></s:key>
<s:key name="global_banner.hyperlink_text"></s:key>
<s:key name="global_banner.message">example banner message</s:key>
<s:key name="global_banner.visible">1</s:key>
</s:dict>
</content>
</entry>
...
data/ui/panels
https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/panels
View, add, or edit dashboard panels.
GET
Access all the XML definitions for existing panels.
Request parameters
None.
Returned values
| Name | Description |
|---|---|
| eai:appName | App context for the panel. |
| eai:data | XML definition for the panel. |
| eai:userName | User who created the panel. |
| label | Panel label. |
| panel.title | Panel title. |
| rootNode | XML root node. |
Example request and response
XML Request
curl --get -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/panels
XML Response
<title>panels</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/panels</id>
<updated>2018-12-17T12:03:14-08:00</updated>
<generator build="8f0ead9ec3db" version="7.1.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/ui/panels/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/ui/panels/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/panels/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>new_panel</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/panels/new_panel</id>
<updated>2018-12-17T12:02:57-08:00</updated>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="list"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="edit"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="remove"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms"/>
<s:key name="removable">1</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data"><![CDATA[<panel><label>the_new_label</label></panel>]]></s:key>
<s:key name="eai:digest">1c70628bb4aeec0470707e59e1b2d321</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="label">the_new_label</s:key>
<s:key name="panel.title">new_panel</s:key>
<s:key name="rootNode">panel</s:key>
</s:dict>
</content>
</entry>
POST
Create a new dashboard panel source XML definition.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| name | String | Panel name. | |
| eai:data | XML document | Panel XML definition. |
Returned values
| Name | Description |
|---|---|
| eai:appName | App context for the panel. |
| eai:data | XML definition for the panel. |
| eai:userName | User who created the panel. |
| label | Panel label. |
| panel.title | Panel title. |
| rootNode | XML root node. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/ui/panels -d "name=new_panel&eai:data=<panel><label>the_new_label</label></panel>"
XML Response
<title>panels</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/panels</id>
<updated>2018-12-17T12:02:57-08:00</updated>
<generator build="8f0ead9ec3db" version="7.1.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/ui/panels/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/ui/panels/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/panels/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>new_panel</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/panels/new_panel</id>
<updated>2018-12-17T12:02:57-08:00</updated>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="list"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="edit"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel" rel="remove"/>
<link href="/servicesNS/admin/search/data/ui/panels/new_panel/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms"/>
<s:key name="removable">1</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data"><![CDATA[<panel><label>the_new_label</label></panel>]]></s:key>
<s:key name="eai:digest">1c70628bb4aeec0470707e59e1b2d321</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="label">the_new_label</s:key>
<s:key name="panel.title">new_panel</s:key>
<s:key name="rootNode">panel</s:key>
</s:dict>
</content>
</entry>
data/ui/views
https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views
View or create a dashboard source XML definition.
GET
Access all the XML definitions for existing dashboards.
Request parameters
None.
Returned values
| Name | Description |
|---|---|
| eai:appName | App context for the dashboard. |
| eai:data | XML definition for the dashboard. |
| eai:type | User interface type. For dashboards, this type is view.
|
| eai:userName | User who created the dashboard. |
| isDashboard | Boolean value indicating whether the knowledge object is a dashboard. |
| isVisible | Boolean value indicating whether the dashboard is visible. |
| label | Dashboard label. |
| rootNode | XML root node. |
Example request and response
XML Request
curl --get -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views
XML Response
<title>views</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
<updated>2015-10-08T16:17:03-07:00</updated>
<generator build="a1c9b18fdcfc" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title> my_dashboard </title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard</id>
<updated>2015-10-08T16:17:03-07:00</updated>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms"/>
<s:key name="removable">1</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>eai:type</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>eai:data</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:data"><![CDATA[<dashboard><label>my_dashboard_label</label></dashboard>]]></s:key>
<s:key name="eai:digest">01778119e0d9352ca0c6eb0aa7f00950</s:key>
<s:key name="eai:type">views</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="isDashboard">1</s:key>
<s:key name="isVisible">1</s:key>
<s:key name="label">my_dashboard_label</s:key>
<s:key name="rootNode">dashboard</s:key>
</s:dict>
</content>
</entry>
POST
Create a new dashboard source XML definition.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| name | String | Dashboard name. | |
| eai:data | XML document | Dashboard XML definition. |
Returned values
| Name | Description |
|---|---|
| eai:appName | App context for the dashboard. |
| eai:data | XML definition for the dashboard. |
| eai:type | User interface type. For dashboards, this type is view.
|
| eai:userName | User who created the dashboard. |
| isDashboard | Boolean value indicating whether the knowledge object is a dashboard. |
| isVisible | Boolean value indicating whether the dashboard is visible. |
| label | Dashboard label. |
| rootNode | XML root node. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/ui/views -d "name=new_dashboard&eai:data=<dashboard><label>the_new_label</label></dashboard>"
XML Response
<title>views</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
<updated>2015-10-08T15:50:01-07:00</updated>
<generator build="a1c9b18fdcfc" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>new_dashboard</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/views/new_dashboard</id>
<updated>2015-10-08T15:50:01-07:00</updated>
<link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="list"/>
<link href="/servicesNS/admin/search/data/ui/views/new_dashboard/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="edit"/>
<link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="remove"/>
<link href="/servicesNS/admin/search/data/ui/views/new_dashboard/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms"/>
<s:key name="removable">1</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data"><![CDATA[<dashboard><label> the_new_label </label></dashboard>]]></s:key>
<s:key name="eai:digest">533c60e648b7c4733321ae205d2627d8</s:key>
<s:key name="eai:type">views</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="isDashboard">1</s:key>
<s:key name="isVisible">1</s:key>
<s:key name="label">the_new_label</s:key>
<s:key name="rootNode">dashboard</s:key>
</s:dict>
</content>
</entry>
data/ui/views/{name}
https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}
Access or update source XML for an existing dashboard.
GET
Access an existing dashboard XML definition.
Request parameters
None.
Returned values
| Name | Description |
|---|---|
| eai:appName | App context for the dashboard. |
| eai:data | XML definition for the dashboard. |
| eai:type | User interface type. For dashboards, this type is view.
|
| eai:userName | User who created the dashboard. |
| isDashboard | Boolean value indicating whether the knowledge object is a dashboard. |
| isVisible | Boolean value indicating whether the dashboard is visible. |
| label | Dashboard label. |
| rootNode | XML root node. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard
XML Response
<title>views</title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
<updated>2015-10-08T16:17:03-07:00</updated>
<generator build="a1c9b18fdcfc" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title> my_dashboard </title>
<id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard</id>
<updated>2015-10-08T16:17:03-07:00</updated>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
<link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms"/>
<s:key name="removable">1</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>eai:type</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>eai:data</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:data"><![CDATA[<dashboard><label>my_dashboard_label</label></dashboard>]]></s:key>
<s:key name="eai:digest">01778119e0d9352ca0c6eb0aa7f00950</s:key>
<s:key name="eai:type">views</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="isDashboard">1</s:key>
<s:key name="isVisible">1</s:key>
<s:key name="label">my_dashboard_label</s:key>
<s:key name="rootNode">dashboard</s:key>
</s:dict>
</content>
</entry>
POST
Update a specific dashboard XML definition.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| eai:changelog optional |
string | Enables to specify a revision message when modifying a dashboard. The message appears in the response from the data/ui/views/{name}/history endpoint.
| |
| eai:data | XML document | Dashboard XML definition. |
Returned values
| Name | Description |
|---|---|
| eai:appName | App context for the dashboard. |
| eai:data | XML definition for the dashboard. |
| eai:type | User interface type. For dashboards, this type is view.
|
| eai:userName | User who created the dashboard. |
| isDashboard | Boolean value indicating whether the knowledge object is a dashboard. |
| isVisible | Boolean value indicating whether the dashboard is visible. |
| label | Dashboard label. |
| rootNode | XML root node. |
Example request and response
JSON Request
curl -X POST -u username:password -k "https://localhost:8106/servicesNS/admin/search/data/ui/views/my_dashboard?output_mode=json" \ > -d eai:data="<dashboard><label>new label</label></dashboard>" \ > -d eai:changelog="Second version"
JSON Response
{
"links": {
"create": "/servicesNS/admin/search/data/ui/views/_new",
"_reload": "/servicesNS/admin/search/data/ui/views/_reload",
"_acl": "/servicesNS/admin/search/data/ui/views/_acl"
},
"origin": "https://localhost:8106/servicesNS/admin/search/data/ui/views",
"updated": "2024-09-09T02:54:23-07:00",
"generator": {
"build": "b0122e4d425e5c0d37a7278576a02b962b3505f7",
"version": "20240906"
},
"entry": [
{
"name": "new_dashboard_from_rest_api",
"id": "https://localhost:8106/servicesNS/admin/search/data/ui/views/new_dashboard_from_rest_api",
"updated": "2024-09-09T02:54:23-07:00",
"links": {
"alternate": "/servicesNS/admin/search/data/ui/views/new_dashboard_from_rest_api",
"list": "/servicesNS/admin/search/data/ui/views/new_dashboard_from_rest_api",
"_reload": "/servicesNS/admin/search/data/ui/views/new_dashboard_from_rest_api/_reload",
"edit": "/servicesNS/admin/search/data/ui/views/new_dashboard_from_rest_api",
"remove": "/servicesNS/admin/search/data/ui/views/new_dashboard_from_rest_api",
"move": "/servicesNS/admin/search/data/ui/views/new_dashboard_from_rest_api/move"
},
"author": "admin",
"acl": {
"app": "search",
"can_change_perms": true,
"can_list": true,
"can_share_app": true,
"can_share_global": true,
"can_share_user": true,
"can_write": true,
"modifiable": true,
"owner": "admin",
"perms": null,
"removable": true,
"sharing": "user"
},
"content": {
"disabled": false,
"eai:acl": null,
"eai:appName": "search",
"eai:data": "<dashboard><label>new label</label></dashboard>",
"eai:digest": "7ae3fd31bfc2387a3ab8e1e2244f44ce",
"eai:type": "views",
"eai:userName": "admin",
"isDashboard": true,
"isVisible": true,
"label": "new label",
"rootNode": "dashboard",
"version": ""
}
}
],
"paging": {
"total": 1,
"perPage": 30,
"offset": 0
},
"messages": []
}
DELETE
Delete a specific dashboard.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| eai:changelog optional |
string | Enables to specify a message when deleting a dashboard. |
Returned values
None.
Example request and response
JSON Request
curl -X DELETE -u username:password -k "https://localhost:8106/servicesNS/admin/search/data/ui/views/my_dashboard?output_mode=json" \ > -d eai:changelog="Removed as agreed on Sep. 15"
JSON Response
{
"links": {
"create": "/servicesNS/admin/search/data/ui/views/_new",
"_reload": "/servicesNS/admin/search/data/ui/views/_reload",
"_acl": "/servicesNS/admin/search/data/ui/views/_acl"
},
"origin": "https://localhost:8106/servicesNS/admin/search/data/ui/views",
"updated": "2024-09-09T02:59:04-07:00",
"generator": {
"build": "b0122e4d425e5c0d37a7278576a02b962b3505f7",
"version": "20240906"
},
"entry": [],
"paging": {
"total": 0,
"perPage": 30,
"offset": 0
},
"messages": []
}
data/ui/views/{name}/history
https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}/history?output_mode=json"
View the revision history of a {name} dashboard.
GET
Access revisions made to a {name} dashboard.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| with_message optional |
String | Enable to return the revisions with a non-empty commit message. . |
Example request and response
JSON Request
curl -X GET -u admin:changeme -k "https://localhost:8106/servicesNS/admin/search//data/ui/views/my_dashboard/history?output_mode=json"
JSON Response
{
"links": {
"create": "/servicesNS/admin/search/data/ui/views/_new",
"_reload": "/servicesNS/admin/search/data/ui/views/_reload",
"_acl": "/servicesNS/admin/search/data/ui/views/_acl"
},
"origin": "https://localhost:8106/servicesNS/admin/search/data/ui/views",
"updated": "2024-09-09T02:42:12-07:00",
"generator": {
"build": "b0122e4d425e5c0d37a7278576a02b962b3505f7",
"version": "20240906"
},
"entry": [
{
"name": "0000000",
"id": "https://localhost:8106/servicesNS/admin/search/data/ui/views/0000000",
"updated": "1969-12-31T16:00:00-08:00",
"links": {
"alternate": "/servicesNS/admin/search/data/ui/views/0000000",
"list": "/servicesNS/admin/search/data/ui/views/0000000",
"_reload": "/servicesNS/admin/search/data/ui/views/0000000/_reload",
"edit": "/servicesNS/admin/search/data/ui/views/0000000",
"remove": "/servicesNS/admin/search/data/ui/views/0000000",
"move": "/servicesNS/admin/search/data/ui/views/0000000/move"
},
"author": "system",
"acl": {
"app": "",
"can_list": true,
"can_write": true,
"modifiable": false,
"owner": "system",
"perms": {
"read": [
"*"
],
"write": [
"*"
]
},
"removable": false,
"sharing": "system"
},
"content": {
"eai:acl": null,
"email": "admin",
"message": "Adding a simple pie chart\nto what we discussed today\nduring our team meeting with the whole team.",
"sha": "b1e95cd497095b428ebcf40ea6667e0dc9fb1634",
"time": "2024-09-06T09:59:46+00:00",
"user": "admin"
}
},
{
"name": "0000001",
"id": "https://localhost:8106/servicesNS/admin/search/data/ui/views/0000001",
"updated": "1969-12-31T16:00:00-08:00",
"links": {
"alternate": "/servicesNS/admin/search/data/ui/views/0000001",
"list": "/servicesNS/admin/search/data/ui/views/0000001",
"_reload": "/servicesNS/admin/search/data/ui/views/0000001/_reload",
"edit": "/servicesNS/admin/search/data/ui/views/0000001",
"remove": "/servicesNS/admin/search/data/ui/views/0000001",
"move": "/servicesNS/admin/search/data/ui/views/0000001/move"
},
"author": "system",
"acl": {
"app": "",
"can_list": true,
"can_write": true,
"modifiable": false,
"owner": "system",
"perms": {
"read": [
"*"
],
"write": [
"*"
]
},
"removable": false,
"sharing": "system"
},
"content": {
"eai:acl": null,
"email": "admin",
"message": "Adding chart",
"sha": "2e5ec14d8c59e466eb019836f494dc86e3a6b34f",
"time": "2024-09-06T09:58:20+00:00",
"user": "admin"
}
},
{
"name": "0000002",
"id": "https://localhost:8106/servicesNS/admin/search/data/ui/views/0000002",
"updated": "1969-12-31T16:00:00-08:00",
"links": {
"alternate": "/servicesNS/admin/search/data/ui/views/0000002",
"list": "/servicesNS/admin/search/data/ui/views/0000002",
"_reload": "/servicesNS/admin/search/data/ui/views/0000002/_reload",
"edit": "/servicesNS/admin/search/data/ui/views/0000002",
"remove": "/servicesNS/admin/search/data/ui/views/0000002",
"move": "/servicesNS/admin/search/data/ui/views/0000002/move"
},
"author": "system",
"acl": {
"app": "",
"can_list": true,
"can_write": true,
"modifiable": false,
"owner": "system",
"perms": {
"read": [
"*"
],
"write": [
"*"
]
},
"removable": false,
"sharing": "system"
},
"content": {
"eai:acl": null,
"email": "admin",
"message": "",
"sha": "5f049c0d58bde449cacf72e5a5d282525b6f20d5",
"time": "2024-09-06T09:57:26+00:00",
"user": "admin"
}
}
],
"paging": {
"total": 3,
"perPage": 30,
"offset": 0
},
"messages": []
}
data/ui/views/{name}/revision
https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}/revision?output_mode=json" -d {revision_id}
View a specific revision of a {name} dashboard.
GET
Access a specific revision made to a {name} dashboard.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| revision_id required |
String | A SHA hash value returned in response from the data/ui/views/{name} endpoint. . |
Example request and response
JSON Request
curl -X GET -u admin:changeme -k "https://localhost:8106/servicesNS/admin/search/data/ui/views/my_dashboard/revision?output_mode=json" -d revision_id=2e5ec14d8c59e466eb019836f494dc86e3a6b34f"
JSON Response
{
"links": {
"create": "/servicesNS/admin/search/data/ui/views/_new",
"_reload": "/servicesNS/admin/search/data/ui/views/_reload",
"_acl": "/servicesNS/admin/search/data/ui/views/_acl"
},
"origin": "https://localhost:8106/servicesNS/admin/search/data/ui/views",
"updated": "2024-09-09T02:39:43-07:00",
"generator": {
"build": "b0122e4d425e5c0d37a7278576a02b962b3505f7",
"version": "20240906"
},
"entry": [
{
"name": "revision",
"id": "https://localhost:8106/servicesNS/admin/search/data/ui/views/revision",
"updated": "1969-12-31T16:00:00-08:00",
"links": {
"alternate": "/servicesNS/admin/search/data/ui/views/revision",
"list": "/servicesNS/admin/search/data/ui/views/revision",
"_reload": "/servicesNS/admin/search/data/ui/views/revision/_reload",
"edit": "/servicesNS/admin/search/data/ui/views/revision",
"remove": "/servicesNS/admin/search/data/ui/views/revision",
"move": "/servicesNS/admin/search/data/ui/views/revision/move"
},
"author": "system",
"acl": {
"app": "",
"can_list": true,
"can_write": true,
"modifiable": false,
"owner": "system",
"perms": {
"read": [
"*"
],
"write": [
"*"
]
},
"removable": false,
"sharing": "system"
},
"content": {
"eai:acl": null,
"eai:data": "\n<dashboard version=\"2\" theme=\"light\">\n <label>my_dashboard</label>\n <description></description>\n <definition><![CDATA[\n{\n\t\"visualizations\": {\n\t\t\"viz_DqjYhNwU\": {\n\t\t\t\"type\": \"splunk.line\",\n\t\t\t\"options\": {}\n\t\t},\n\t\t\"viz_fapFXy0Y\": {\n\t\t\t\"type\": \"splunk.bar\",\n\t\t\t\"options\": {}\n\t\t}\n\t},\n\t\"dataSources\": {},\n\t\"defaults\": {\n\t\t\"dataSources\": {\n\t\t\t\"ds.search\": {\n\t\t\t\t\"options\": {\n\t\t\t\t\t\"queryParameters\": {\n\t\t\t\t\t\t\"latest\": \"$global_time.latest$\",\n\t\t\t\t\t\t\"earliest\": \"$global_time.earliest$\"\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t},\n\t\"inputs\": {\n\t\t\"input_global_trp\": {\n\t\t\t\"type\": \"input.timerange\",\n\t\t\t\"options\": {\n\t\t\t\t\"token\": \"global_time\",\n\t\t\t\t\"defaultValue\": \"-24h@h,now\"\n\t\t\t},\n\t\t\t\"title\": \"Global Time Range\"\n\t\t}\n\t},\n\t\"layout\": {\n\t\t\"options\": {},\n\t\t\"globalInputs\": [\n\t\t\t\"input_global_trp\"\n\t\t],\n\t\t\"tabs\": {\n\t\t\t\"items\": [\n\t\t\t\t{\n\t\t\t\t\t\"layoutId\": \"layout_1\",\n\t\t\t\t\t\"label\": \"New tab\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"layoutDefinitions\": {\n\t\t\t\"layout_1\": {\n\t\t\t\t\"type\": \"absolute\",\n\t\t\t\t\"structure\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"item\": \"viz_DqjYhNwU\",\n\t\t\t\t\t\t\"type\": \"block\",\n\t\t\t\t\t\t\"position\": {\n\t\t\t\t\t\t\t\"x\": 0,\n\t\t\t\t\t\t\t\"y\": 0,\n\t\t\t\t\t\t\t\"w\": 300,\n\t\t\t\t\t\t\t\"h\": 300\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\t\"item\": \"viz_fapFXy0Y\",\n\t\t\t\t\t\t\"type\": \"block\",\n\t\t\t\t\t\t\"position\": {\n\t\t\t\t\t\t\t\"x\": 300,\n\t\t\t\t\t\t\t\"y\": 0,\n\t\t\t\t\t\t\t\"w\": 300,\n\t\t\t\t\t\t\t\"h\": 300\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t],\n\t\t\t\t\"options\": {\n\t\t\t\t\t\"width\": 1440,\n\t\t\t\t\t\"height\": 960,\n\t\t\t\t\t\"display\": \"auto\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t},\n\t\"description\": \"\",\n\t\"title\": \"my_dashboard\"\n}\n ]]></definition>\n <meta type=\"hiddenElements\"><![CDATA[\n{\n\t\"hideEdit\": false,\n\t\"hideOpenInSearch\": false,\n\t\"hideExport\": false\n}\n ]]></meta>\n</dashboard>",
"email": "admin",
"message": "Adding chart",
"sha": "2e5ec14d8c59e466eb019836f494dc86e3a6b34f",
"time": "2024-09-06T09:58:20+00:00",
"user": "admin"
}
}
],
"paging": {
"total": 1,
"perPage": 30,
"offset": 0
},
"messages": []
}
datamodel/acceleration (DEPRECATED)
https://<host>:<mPort>/services/datamodel/acceleration
Access information about data models that have acceleration enabled.
datamodel/acceleration/{name} (DEPRECATED)
https://<host>:<mPort>/services/datamodel/acceleration/{name}
Get information about the {name} datamodel.
Note: This endpoint is deprecated.
GET
Get information about a specific data model.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| acceleration | Indicates if acceleration is enabled for this data model. |
| acceleration.earliest_time | The earliest time to dispatch the search. |
| search | Specifies the search to accelerate this data model. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration/simpleMyAppModel
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
<updated>2013-08-24T12:55:07-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>simpleMyAppModel</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
<updated>2013-08-24T12:55:07-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">1</s:key>
<s:key name="acceleration.earliest_time">-1mon</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
<s:key name="eai:type">datamodels</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="search"><![CDATA[uri=* status=* clientip=* referer=* useragent=* (sourcetype=access_*) (status < 600) |
. . . elided . . .
"HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
</s:key>
</s:dict>
</content>
</entry>
</feed>
datamodel/model
https://<host>:<mPort>/services/datamodel/model
Access or create data models.
GET
List data models on the server.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| concise | Boolean | Indicates whether to list a concise JSON description of the data model.
The concise description is a summary for human readability. It is not used to create the data model. |
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| acceleration | Indicates whether acceleration is enabled for the data model. |
| concise | Indicates whether to list a concise JSON description of the data model. |
| description | The JSON describing the data model. |
| displayName | The name displayed for the data model in Splunk Web. |
| eai:appName | The Splunk app in which the data model was created. |
| eai:userName | The name of the user who created the data model. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-15T11:42:06-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>MyApp</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
<updated>2013-08-23T15:03:13-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false}</s:key>
<s:key name="description"><![CDATA[{"objects": [{"lineage": "HTTP_Request", "previewSearch": " | search (sourcetype=access_* OR sourcetype=iis*)
. . . elided . . .
"modelName": "MyApp", "displayName": "Web Intelligence"}]]>
</s:key>
<s:key name="displayName">Web Intelligence</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
POST
Create a new data model.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| description | String | JSON description of the data model. | |
| name | String | Name of the data model. | |
| acceleration | String | Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings.
Example acceleration= ' {
"enabled": true,
"earliest_time": -1mon,
"cron_schedule": 0 */12 * * *
} '
| |
| Hunk data model acceleration settings | See description | Use these settings to configure acceleration for Hunk data models.
Example
acceleration= ' {
"hunk.file_format": "orc",
"hunk.compression_codec": "snappy"
} '
|
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model -d name=Debugger --data-urlencode description='{"modelName":"Debugger","displayName":"Debugger", "description": "A data model for debugging purposes". . . elided . . . }'
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://qa-sv-rh61x64-10:8089/services/datamodel/model</id>
<updated>2013-10-16T11:19:24-07:00</updated>
<generator build="183095" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Debugger</title>
<id>https://qa-sv-rh61x64-10:8089/servicesNS/admin/search/datamodel/model/Debugger</id>
<updated>2013-10-16T11:19:24-07:00</updated>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="list"/>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="edit"/>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false}</s:key>
<s:key name="description">
<![CDATA[{"displayName": "Debugger", "modelName": "Debugger", "objectSummary": \
...
"autoextractSearch": " (index = _internal) "}]}]]>
</s:key>
<s:key name="displayName">Debugger</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
{'optionalFields': ['acceleration', 'acceleration.cron_schedule', \
'acceleration.earliest_time', 'eai:data'], 'requiredFields': [], 'wildcardFields': []}
</s:key>
<s:key name="eai:digest">05ca1a193365a3b613b919c6401591e3</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
datamodel/model/{name}
https://<host>:<mPort>/services/datamodel/model/{name}
Access, delete, or update the {name} data model.
DELETE
Delete a specific data model.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/datamodel/model/MyApp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-24T15:00:54-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
GET
Access a specific data model.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| concise | Boolean | Indicates whether to list a concise JSON description of the data model.
The concise description is a summary for human readability. It is not used to create the data model. |
Returned values
| Name | Description |
|---|---|
| acceleration | Indicates whether acceleration is enabled for the data model. |
| concise | Indicates whether to list a concise JSON description of the data model. |
| description | The JSON describing the data model. |
| displayName | The name displayed for the data model in Splunk Web. |
| eai:appName | The Splunk app in which the data model was created. |
| eai:attributes | Field control information. |
| eai:userName | The name of the Splunk user who created the data model. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-24T13:07:36-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>MyApp</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
<updated>2013-08-24T13:07:36-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false}</s:key>
<s:key name="description"><![CDATA[{"modelName": "MyApp", "objectNameList": ["HTTP_Request", "ApacheAccessSearch", "IISAccessSearch",
. . . elided . . .
"Interface Implementations": 0, "Search-Based": 1}, "description": "Data model for web analytics.", "displayName": "Web Intelligence"}]]>
</s:key>
<s:key name="displayName">Web Intelligence</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>acceleration</s:item>
<s:item>concise</s:item>
<s:item>description</s:item>
<s:item>provisional</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update a specific data model.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| acceleration | String | Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings.
Example acceleration= ' {
"enabled": true,
"earliest_time": -1mon,
"cron_schedule": 0 */12 * * *
} '
| |
| Hunk data model acceleration settings | See description | Use these settings to configure acceleration for Hunk data models.
Example
acceleration= ' {
"hunk.file_format": "orc",
"hunk.compression_codec": "snappy"
} '
| |
| description | String | JSON description of the data model. | |
| provisional | Boolean | Indicates whether the data model is provisional. Provisional data models are not saved.
Specify true to validate a data model before saving it. If the endpoint returns with no errors, then specify this endpoint again, with provisional set to false, to save the data model. |
Returned values
| Name | Description |
|---|---|
| acceleration | Indicates whether acceleration is enabled for the data model. |
| concise | Indicates whether to list a concise JSON description of the data model. |
| description | The JSON describing the data model. |
| displayName | The name displayed for the data model in Splunk Web. |
| eai:appName | The Splunk app in which the data model was created. |
| eai:attributes | Field control information. |
| eai:userName | The name of the Splunk user who created the data model. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp -d concise=true
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-24T13:35:54-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>MyApp</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
<updated>2013-08-24T13:35:54-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false, "earliest_time": "-1mon"}</s:key>
<s:key name="description"><![CDATA[{"modelName": "MyApp", "objects": [{"constraints": [{"search": "sourcetype=access_* OR
. . . elided . . .
"PodcastDownload", "WebSession", "User"], "description": "Data model for web analytics."}]]>
</s:key>
<s:key name="displayName">Web Intelligence</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">{'wildcardFields': [], 'requiredFields': [], 'optionalFields': ['acceleration', 'acceleration.cron_schedule', 'acceleration.earliest_time', 'eai:data']}</s:key>
<s:key name="eai:digest">d73ff2d833e3104eed99a8fd258dbae1</s:key>
<s:key name="eai:type">datamodels</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
datamodel/pivot
https://<host>:<mPort>/services/datamodel/pivot/{name}
Access pivots that are based on named data models.
GET
Get information about a specific pivot.
Usage details
{name} refers to a data model on the system.
Specify a pivot using either the pivot_search or pivot_json parameter.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| pivot_json | String | JSON specifying a pivot based on the named data model.
Typically, you URL encode this parameter. This endpoint requires either this pivot_json parameter or a pivot_search parameter. | |
| pivot_search | String | A pivot search command based on the named data model.
Typically, you URL encode this parameter. This endpoint requires either a pivot_json or this pivot_search parameter. |
Returned values
| Name | Description |
|---|---|
| drilldown_search | The search for running this pivot report using drilldown |
| open_in_search | Equivalent to search parameter, but listed more simply. |
| pivot_json | JSON specifying a pivot based on the named data model. |
| pivot_search | A pivot search command based on the named data model. |
| search | The search string for running the pivot report |
| tstats_search | The search for running this pivot report using tstats |
Example request and response
XML Request
curl -k -u admin:pass -G https://localhost:8089/services/datamodel/pivot/Authentication --data-urlencode pivot_search='| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"'
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://localhost:8089/services/datamodel/pivot</id>
<updated>2013-08-26T15:07:57-07:00</updated>
<generator build="178683" version="20130826"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Authentication</title>
<id>https://localhost:8089/servicesNS/nobody/search/datamodel/pivot/Authentication</id>
<updated>2013-08-26T15:07:57-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="drilldown_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>is_pivot_command</s:item>
<s:item>namespace</s:item>
<s:item>pivot_json</s:item>
<s:item>pivot_search</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:digest">e74d56a3b4a25256028f3a236e3d2cbc</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="open_in_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
<s:key name="pivot_json"><![CDATA[{"rowFormat": {"showSummary": false}, "cells": [{"label": "Count of Untagged Authentication (S.o.S)", "value": "count", "fieldName": "Untagged_Authentication", "type": "objectCount", "owner": "Untagged_Authentication"}], "filters": [], "modelName": "Authentication", "baseClass": "Untagged_Authentication", "rows": [], "columns": [], "colFormat": {"showSummary": false, "showOther": true}}]]></s:key>
<s:key name="pivot_search">| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"</s:key>
<s:key name="search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
<s:key name="tstats_search"></s:key>
</s:dict>
</content>
</entry>
</feed>
directory
https://<host>:<mPort>/services/directory
Access user configurable objects.
These objects includes search commands, UI views, UI navigation, saved searches and event types. This is useful to see which objects are provided by all apps, or a specific app when the call is namespaced.
GET
List app-scoped objects.
Usage details
Returns an enumeration of the following app scoped objects.
* event types * saved searches * time configurations * views * navs * manager XML * quickstart XML * search commands * tags * field extractions * lookups * workflow actions * field aliases * sourcetype renames
This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc setting in restmap.conf.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>directory</title>
<id>https://localhost:8089/services/directory</id>
<updated>2011-05-16T19:03:40-0700</updated>
<generator version="98144"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>_admin</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id>
<updated>2011-05-16T19:03:40-0700</updated>
<link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="list"/>
<link href="/servicesNS/nobody/system/data/ui/views/_admin/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:type">views</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>abc</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id>
<updated>2011-05-16T19:03:40-0700</updated>
<link href="/servicesNS/nobody/search/data/ui/views/abc" rel="alternate"/>
<author>
<name>ssorkin</name>
</author>
<link href="/servicesNS/nobody/search/data/ui/views/abc" rel="list"/>
<link href="/servicesNS/nobody/search/data/ui/views/abc/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/ui/views/abc" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:type">views</s:key>
</s:dict>
</content>
</entry>
</feed>
directory/{name}
https://<host>:<mPort>/services/directory/{name}
Get information about the {name} directory entity.
Usage details
This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.
GET
Get information about a specific directory entity.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| eai:type | Entity type. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>directory</title>
<id>https://localhost:8089/services/directory</id>
<updated>2011-05-16T19:09:59-0700</updated>
<generator version="98144"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>dashboard_live</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
<updated>2011-05-16T19:09:59-0700</updated>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:type">views</s:key>
</s:dict>
</content>
</entry>
</feed>
saved/bookmarks/monitoring_console
https://<host>:<mPort>/services/saved/bookmarks/monitoring_console
Add URLs that link to monitoring consoles of your other deployments. For example, if you're admin overseeing multiple separate Splunk deployments for different teams.
GET
List deployment bookmarks.
Request parameters
Optional request parameters:
| Name | Type | Description |
|---|---|---|
| count | Number | Number of bookmark URLs to list. |
| offset | Number | Lists bookmark URLs, offset from the first bookmark. |
| search | String | Items to search for, must be valid as SPL. |
| sort_dir | Enum | asc or desc; ascending or descending |
| sort_key | String | Key to sort on, must be existing key in the stanza |
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/bookmarks/monitoring_console
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>bookmarks-mc</title>
<id>https://qa-ubuntu-022:8089/services/saved/bookmarks/monitoring_console</id>
<updated>2019-10-13T16:47:42-07:00</updated>
<generator build="324da9f5a506" version="8.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/>
<link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/>
<link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>deployment-2</title>
<id>https://qa-ubuntu-022:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>deployment-3</title>
<id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="list"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="edit"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="remove"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="url">https://deployment-3-host:8000/en-US/app/splunk_monitoring_console</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Add deployment bookmark URLs.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Name of the deployment bookmark. |
| url | string | Full URL to the monitoring console of a different Splunk deployment. |
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/bookmarks/monitoring_console -d name=deployment-2 -d url=https://deployment-2-host:8000/en-US/app/splunk_monitoring_console
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>bookmarks-mc</title>
<id>https://localhost:8089/services/saved/bookmarks/monitoring_console</id>
<updated>2019-10-13T16:16:38-07:00</updated>
<generator build="324da9f5a506" version="8.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/>
<link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/>
<link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>deployment-2</title>
<id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key>
</s:dict>
</content>
</entry>
</feed>
DELETE
Remove deployment bookmark URLs.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/saved/bookmarks/monitoring_console/{name}
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>bookmarks-mc</title>
<id>https://localhost:8089/services/saved/bookmarks/monitoring_console</id>
<updated>2019-10-13T16:25:38-07:00</updated>
<generator build="324da9f5a506" version="8.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/>
<link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/>
<link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>deployment-2</title>
<id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/>
<link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key>
</s:dict>
</content>
</entry>
</feed>
saved/eventtypes
https://<host>:<mPort>/services/saved/eventtypes
Access or create an event type.
GET
Retrieve saved event types.
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if the event type is disabled. |
| eai:appName | The Splunk app for which this event type applies. For example, the Splunk search app. |
| eai:userName | Splunk user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use the tags.conf.spec file to assign tags to groups of events with related field values. |
Returned values
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:46:52-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>internal_search_terms</title>
<id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id>
<updated>2011-07-10T23:46:52-07:00</updated>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">
<![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]> </s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create an event type.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| name | String | The name for the event type. | |
| search | String | Search terms for this event type. | |
| description | String | Human-readable description of this event type. | |
| disabled | Boolean | 0 | If True, disables the event type. |
| priority | Number | 1 | Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| tags | String | [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values. |
Returned values
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if this event type is disabled. |
| eai:appName | The Splunk app for which this event type applies. For example, the Splunk search app. |
| eai:userName | Splunk user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use tags.conf.spec file to assign tags to groups of events with related field values. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes -d name="client-errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:47:10-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>client-errors</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
<updated>2011-07-10T23:47:10-07:00</updated>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">search</s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
saved/eventtypes/{name}
https://<host>:<mPort>/services/saved/eventtypes/{name}
Manage the {name} event type.
DELETE
Delete an event type.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:48:29-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Access the {name} event type.
Requets parameters
None
Returned values
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if the event type is disabled. |
| eai:appName | The Splunk app for which this event type applies. For example, the Splunk search app. |
| eai:attributes | Field control information. |
| eai:userName | Splunk user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use the tags.conf.spec file to assign tags to groups of events with related field values. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:47:17-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>client-errors</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
<updated>2011-07-10T23:47:17-07:00</updated>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>description</s:item>
<s:item>disabled</s:item>
<s:item>priority</s:item>
<s:item>tags</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">search</s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update an event type.
Usage details
The search must be re-specified for this edit.
URI-encode the search string if it contains any of the following characters: =, &, ?, %
If the search string is not URI-encoded, these characters can be interpreted as part of the HTTP request.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| search | String | Search terms for this event type. | |
| description | String | Human-readable description of this event type. | |
| disabled | Boolean | 0 | If True, disables the event type. |
| priority | Number | 1 | Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| tags | String | [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values. |
Returned values
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if this event type is disabled. |
| eai:appName | The Splunk app for which this event type applies. For example, the Splunk search app. |
| eai:userName | Splunk user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use tags.conf.spec file to assign tags to groups of events with related field values. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors -d description="HTTP Client Errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:48:22-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>client-errors</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
<updated>2011-07-10T23:48:22-07:00</updated>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description">HTTP Client Errors</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">search</s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
search/fields
https://<host>:<mPort>/services/search/fields
Access search field configurations.
Usage details
Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overriden values in $SPLUNK_HOME/etc/system/local/fields.conf.
GET
Get a list of fields registered for field configuration.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>Fields</title>
<id>/servicesNS/admin/search/search/fields</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>_indextime</title>
<id>/servicesNS/admin/search/search/fields/_indextime</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/>
</entry>
<entry>
<title>_sourcetype</title>
<id>/servicesNS/admin/search/search/fields/_sourcetype</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/>
</entry>
<entry>
<title>date_hour</title>
<id>/servicesNS/admin/search/search/fields/date_hour</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/>
</entry>
. . . elided . . .
<entry>
<title>splunk_server</title>
<id>/servicesNS/admin/search/search/fields/splunk_server</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/>
</entry>
<entry>
<title>timeendpos</title>
<id>/servicesNS/admin/search/search/fields/timeendpos</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/>
</entry>
<entry>
<title>timestartpos</title>
<id>/servicesNS/admin/search/search/fields/timestartpos</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/>
</entry>
</feed>
search/fields/{field_name}
https://<host>:<mPort>/services/search/fields/{field_name}
Access the {field_name} field.
GET
Get information about the {field_name} field.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype
XML Response
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"> <title>sourcetype</title> <id>/servicesNS/admin/search/search/fields/sourcetype</id> <updated>2011-07-11T10:08:54-07:00</updated> <link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/> <content type="text"> Attr:INDEXED True Attr:INDEXED_VALUE False Attr:TOKENIZER </content> </entry>
search/fields/{field_name}/tags
https://<host>:<mPort>/services/search/fields/{field_name}/tags
Access or update the tags associated with the {field_name} field.
GET
Get tags associated with the {field_name} field.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>Tags for the host field</title>
<id>/servicesNS/admin/search/search/fields/host/tags</id>
<updated>2011-07-11T10:41:46-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>location::sfo</title>
<id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id>
<updated>2011-07-11T10:41:46-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/>
</entry>
</feed>
POST
Update tags associated with the {field_name} field.
Usage details
The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.
You must specify at least one add or delete parameter.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| value | String | The specific field value on which to bind the tags. | |
| add | String | The tag to attach to this field_name:value combination.
| |
| delete | String | The tag to remove to this field_name::value combination.
|
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags -d add=sfo -d delete=nyc -d value=location
XML Response
<response>
<messages>
<msg type='INFO'>Successfully processed adds/deletes for field host</msg>
</messages>
</response>
search/tags
https://<host>:<mPort>/services/search/tags
Access search time tags.
GET
List all search time tags.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>Tags</title>
<id>/servicesNS/admin/search/search/tags</id>
<updated>2011-07-08T01:35:09-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>machine</title>
<id>/servicesNS/admin/search/search/tags/machine</id>
<updated>2011-07-08T01:35:09-07:00</updated>
<link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/>
</entry>
<entry>
<title>user</title>
<id>/servicesNS/admin/search/search/tags/user</id>
<updated>2011-07-08T01:35:09-07:00</updated>
<link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/>
</entry>
</feed>
search/tags/{tag_name}
https://<host>:<mPort>/services/search/tags/{tag_name}
Access, update, or delete {tag_name} values.
DELETE
Delete the tag and its associated field:value pair assignments.
Usage details
When a tag is deleted, field:value pairs are set to disabled in tags.conf.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response
<response>
<messages>
<msg type="INFO">Tag successfully deleted</msg>
</messages>
</response>
GET
Returns a list of field:value pairs associated with the {tag_name} tag.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>Field::Value pairs with tag user</title>
<id>/servicesNS/admin/search/search/tags/user</id>
<updated>2011-07-08T01:35:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>eventtype::userupdate</title>
<id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id>
<updated>2011-07-08T01:35:28-07:00</updated>
<link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/>
</entry>
</feed>
POST
Update the field:value pairs associated with the {tag_name} tag.
Usage details
Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then deletes.
If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.
Request parameters
| Name | Type | Default | Description |
|---|---|---|---|
| add | String | A field:value pair to tag with {tag_name}. | |
| delete | String | A field:value pair to remove from {tag_name}. |
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user -d add=eventtype::userupdate -d delete=eventtype::useradd-suse
XML Response
<response>
<messages>
<msg type="INFO">Processed adds/deletes for tag</msg>
</messages>
</response>
Last modified on 25 October, 2024
| Introspection endpoint descriptions | KV store endpoint descriptions |
This documentation applies to the following versions of Splunk® Enterprise: 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!