Splunk® Enterprise

REST API Reference Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Knowledge endpoint descriptions

Knowledge type endpoints,

  • Define data configurations indexed and searched by the Splunk platform.
  • Manage how data is handled, using look-ups, field extractions, field aliases, sourcetypes, and transforms.
  • Manage saved event types.
  • Manage search field configurations and search time tags.


  • Note: Username and password authentication is required for most endpoints and REST operations. Additional capability or role-based authorization may also be required, particularly for POST or DELETE operations.


data/lookup-table-files

https://<host>:<mPort>/services/data/lookup-table-files


Description

Provides access to lookup table files.

Method summary

Method Description Formats
GET List lookup table files. XML, JSON
POST Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME. XML, JSON

GET data/lookup-table-files method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

POST data/lookup-table-files method detail

Example

Request parameters
Name Type Default Description
eai:data
required		 String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
name
required		 String The lookup table filename.
Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

[ Top ]

data/lookup-table-files/{name}

https://<host>:<mPort>/services/data/lookup-table-files/{name}

Description

Manage the {name} lookup table file.

Method summary

Method Description Formats
DELETE Delete the named lookup table file. XML, JSON
GET List a single lookup table file. XML, JSON
POST Modify a lookup table file by replacing it with a file from the upload staging area. XML, JSON

DELETE data/lookup-table-files/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/lookup-table-files/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:attributes Field control information.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

POST data/lookup-table-files/{name} method detail

Example

Request parameters
Name Type Default Description
eai:data
required		 String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

[ Top ]

data/props/calcfields

https://<host>:<mPort>/services/data/props/calcfields

Description

Provides access to calculated fields, which are eval expressions in props.conf.

Method summary

Method Description Formats
GET Returns information on calculated fields for this instance of your Splunk deployment. XML, JSON
POST Create an eval expression defining a calculated field in props.conf. XML, JSON

GET data/props/calcfields method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.
Application usage

See Define calculated fields in the Splunk Knowledge Manager manual for more information.

POST data/props/calcfields method detail

Example

Request parameters
Name Type Default Description
name
required		 String The name of the calculated field. Do not specify the "EVAL-" prefix for the field.

When Splunk Enterprise writes the calculated field to props.conf, it adds the "EVAL-" prefix.

stanza
required		 String The name of the stanza in props.conf for the calculated field.

The name can be any of the following:

  • Sourcetype of an event
  • host::<host>, where <host> is the host for an event
  • source::<source>, where <source> is the source for an event.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the name of the stanza correctly.
value
required		 String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.
Application usage

See Define calculated fields in the Splunk Knowledge Manager manual for more information.

[ Top ]

data/props/calcfields/{name}

https://<host>:<mPort>/services/data/props/calcfields/{name}

Description

Manage the {name} calculated field.

Method summary

Method Description Formats
DELETE Deletes the named calculated field. XML, JSON
GET Returns details about the named calculated field. XML, JSON
POST Update the named calculated field. XML, JSON

DELETE data/props/calcfields/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

Use URL-encoding to ensure that Splunk Enterprise interprets the name of the calculated field correctly.

GET data/props/calcfields/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

POST data/props/calcfields/{name} method detail

Example

Request parameters
Name Type Default Description
value String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the name of the stanza correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

[ Top ]

data/props/extractions

https://<host>:<mPort>/services/data/props/extractions

Description

Provides access to search-time field extractions in props.conf.

Method summary

Method Description Formats
GET List field extractions. XML, JSON
POST Create a new field extraction. XML, JSON

GET data/props/extractions method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field extraction applies.

for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

POST data/props/extractions method detail

Example

Request parameters
Name Type Default Description
name
required		 String The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix.
stanza
required		 String The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type
required		 Enum Valid values: (REPORT | EXTRACT)

An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza.

value
required		 String If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]

data/props/extractions/{name}

https://<host>:<mPort>/services/data/props/extractions/{name}

Description

Manage the {name} field extraction.

Method summary

Method Description Formats
DELETE Delete the named field extraction. XML, JSON
GET List a single field extraction. XML, JSON
POST Modify the named field extraction. XML, JSON

DELETE data/props/extractions/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/props/extractions/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field extraction applies.

for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

POST data/props/extractions/{name} method detail

Example

Request parameters
Name Type Default Description
value
required		 String If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]

data/props/fieldaliases

https://<host>:<mPort>/services/data/props/fieldaliases

Description

Provides access to field aliases in props.conf.

Method summary

Method Description Formats
GET List field aliases. XML, JSON
POST Create a new field alias. XML, JSON

GET data/props/fieldaliases method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

POST data/props/fieldaliases method detail

Example

Request parameters
Name Type Default Description
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
name
required		 String The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
stanza
required		 String The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
Response data keys
Name Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]

data/props/fieldaliases/{name}

https://<host>:<mPort>/services/data/props/fieldaliases/{name}

Description

Manage the {name} field alias.

Method summary

Method Description Formats
DELETE Delete the named field alias. XML, JSON
GET List a single field alias. XML, JSON
POST Modify the named field alias. XML, JSON

DELETE data/props/fieldaliases/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/props/fieldaliases/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
alias.* The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

POST data/props/fieldaliases/{name} method detail

Example

Request parameters
Name Type Default Description
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
Response data keys
Name Description
alias.* The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type Specifies the field extraction type, which can be either inline or uses transform.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]

data/props/lookups

https://<host>:<mPort>/services/data/props/lookups

Description

Provides access to automatic lookups in props.conf.

Method summary

Method Description Formats
GET List automatic lookups. XML, JSON
POST Create a new automatic lookup. XML, JSON

GET data/props/lookups method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP

value The transform stanza with the value for the lookup.

POST data/props/lookups method detail

Example

Request parameters
Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
name
required		 String The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix.
overwrite
required		 Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza
required		 String The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform
required		 String The transforms.conf stanza that defines the lookup to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is alwqys LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

[ Top ]

data/props/lookups/{name}

https://<host>:<mPort>/services/data/props/lookups/{name}

Description

Manage the {name} automatic lookup.

Method summary

Method Description Formats
DELETE Delete the named automatic lookup. XML, JSON
GET List a single automatic lookup. XML, JSON
POST Modify the named automatic lookup. XML, JSON

DELETE data/props/lookups/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/props/lookups/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The transform stanza with the value for the lookup.

POST data/props/lookups/{name} method detail

Example

Request parameters
Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite
required		 Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
transform
required		 String The transforms.conf stanza that defines the lookup to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is alwqys LOOKUP.

value The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

[ Top ]

data/props/sourcetype-rename

https://<host>:<mPort>/services/data/props/sourcetype-rename

Description

Provides access to renamed sourcetypes which are configured in props.conf.

Method summary

Method Description Formats
GET List renamed sourcetypes. XML, JSON
POST Rename a sourcetype. XML, JSON

GET data/props/sourcetype-rename method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

POST data/props/sourcetype-rename method detail

Example

Request parameters
Name Type Default Description
name
required		 String The original sourcetype name.
value
required		 String The new sourcetype name.
Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

[ Top ]

data/props/sourcetype-rename/{name}

https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}

Description

Manage {name} sourcetype renaming.

Method summary

Method Description Formats
DELETE Restore original sourcetype name. XML, JSON
GET List a single renamed sourcetype. XML, JSON
POST Rename a sourcetype again, i.e. modify a sourcetype's new name. XML, JSON

DELETE data/props/sourcetype-rename/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/props/sourcetype-rename/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

POST data/props/sourcetype-rename/{name} method detail

Example

Request parameters
Name Type Default Description
value
required		 String The new sourcetype name.
Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

[ Top ]

data/transforms/extractions

https://<host>:<mPort>/services/data/transforms/extractions

Description

Provides access to field transformations, i.e. field extraction definitions.

Method summary

Method Description Formats
GET List field transformations. XML, JSON
POST Create a new field transformation. XML, JSON

GET data/transforms/extractions method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

POST data/transforms/extractions method detail

Example

Request parameters
Name Type Default Description
CAN_OPTIMIZE Bool True Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
disabled Boolean Specifies whether the field transformation is disabled.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>]

Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk Enterprise preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
name
required		 String The name of the field transformation.
REGEX
required		 String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY
required		 String _raw Specify the KEY to which Splunk Enterprise applies REGEX.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

[ Top ]

data/transforms/extractions/{name}

https://<host>:<mPort>/services/data/transforms/extractions/{name}

Description

Manage {name} field transformation.

Method summary

Method Description Formats
DELETE Delete the named field transformation. XML, JSON
GET List a single field transformation. XML, JSON
POST Modify the named field transformation. XML, JSON

DELETE data/transforms/extractions/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/transforms/extractions/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

POST data/transforms/extractions/{name} method detail

Example

Request parameters
Name Type Default Description
REGEX String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY String _raw Specify the KEY to which Splunk Enterprise applies REGEX.
CAN_OPTIMIZE Bool True Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>]

Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk Enterprise preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled Boolean Specifies whether the field transformation is disabled.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

|}

[ Top ]

data/transforms/lookups

https://<host>:<mPort>/services/data/transforms/lookups

Description

Provides access to lookup definitions in transforms.conf.

Method summary

Method Description Formats
GET List lookup definitions. XML, JSON
POST Create a new lookup definition. XML, JSON

GET data/transforms/lookups method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command.
type Specifies the field extraction type.

Can be either external or file.

POST data/transforms/lookups method detail

Example

Request parameters
Name Type Default Description
name String The name of the lookup definition.
default_match String If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.

If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk Enterprise uses the first <integer> entries, in file order.

If the lookup is temporal, Splunk Enterprise uses the first <integer> entries in descending time order.

Default = 100 if the lookup is not temporal, default = 1 if it is temporal.

max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the \\"strptime\\" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.

[ Top ]

data/transforms/lookups/{name}

https://<host>:<mPort>/services/data/transforms/lookups/{name}

Description

Manage the {name} lookup definition.

Method summary

Method Description Formats
DELETE Delete the named lookup definition. XML, JSON
GET List a single lookup definition. XML, JSON
POST Modify the named lookup definition. XML, JSON

DELETE data/transforms/lookups/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/transforms/lookups/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
CAN_OPTIMIZE Indicates whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS Indicates whether Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS Indicates whether Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD For index-time filed extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD "If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The Splunk Enterprise user for which the lookups are defined.
filename The name of the static lookup table file.
type Specifies the field extraction type.

Can be either external or file.

POST data/transforms/lookups/{name} method detail

Example

Request parameters
Name Type Default Description
default_match String If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time filed extractions. specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.
max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.

[ Top ]

data/ui/views

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views

Description

Create dashboard source XML.

Method summary

Method Description Formats
POST Create a new dashboard XML definition. XML

POST data/ui/views method detail

Example

Request parameters
Name Type Default Description
name String Dashboard name.
eai:data XML document Dashboard XML definition.
Response data keys
Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node. 


data/ui/views/{name}




https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}





Description


Access or update existing dashboard source XML.



Method summary






Method
Description
Formats




GET
Access an existing dashboard XML definition.
XML




POST
Update an existing dashboard XML definition.
XML




DELETE
Delete an existing dashboard XML definition.
XML



GET data/ui/views/{name} method detail


Example



Request parameters


None.



Response data keys






Name
Description




eai:appName
App context for the dashboard.




eai:data
XML definition for the dashboard.




eai:type
User interface type. For dashboards, this type is view.




eai:userName
User who created the dashboard.




isDashboard
Boolean value indicating whether the knowledge object is a dashboard.




isVisible
Boolean value indicating whether the dashboard is visible.




label
Dashboard label.




rootNode
XML root node.








POST data/ui/views/{name} method detail


Example



Request parameters






Name
Type
Default
Description




eai:data
XML document

Dashboard XML definition.



Response data keys






Name
Description




eai:appName
App context for the dashboard.




eai:data
XML definition for the dashboard.




eai:type
User interface type. For dashboards, this type is view.




eai:userName
User who created the dashboard.




isDashboard
Boolean value indicating whether the knowledge object is a dashboard.




isVisible
Boolean value indicating whether the dashboard is visible.




label
Dashboard label.




rootNode
XML root node.








DELETE data/ui/views/{name} method detail


Example



Request parameters


None.



Response data keys


None.





datamodel/acceleration (DEPRECATED)




https://<host>:<mPort>/services/datamodel/acceleration





Description


Access information about data models that have acceleration enabled.



Method summary






Method
Description
Formats




GET
List information about data models that have acceleration enabled.
XML, JSON





GET datamodel/acceleration method detail


Example



Request parameters


Pagination and filtering parameters can be used with this method.



Response data keys


None



Application usage


Refer to Manage data models for more implementation information about data models and acceleration.



[ Top ]






datamodel/acceleration/{name} (DEPRECATED)




https://<host>:<mPort>/services/datamodel/acceleration/{name}





Description


Get information about the {name} datamodel.



Method summary






Method
Description
Formats




GET
List information about the named data model, which has acceleration enabled.
XML, JSON





GET datamodel/acceleration/{name} method detail


Example



Request parameters


None



Response data keys






Name
Description




acceleration
Indicates if acceleration is enabled for this data model.




acceleration.earliest_time
The earliest time to dispatch the search.




search
Specifies the search to accelerate this data model.



[ Top ]






datamodel/model




https://<host>:<mPort>/services/datamodel/model





Description


Access information about data models. 



Method summary






Method
Description
Formats




GET
List data models on the server.
XML, JSON




POST
Create a new data model.
XML, JSON





GET datamodel/model method detail


Example



Request parameters






Name
Type
Default
Description




concise
Boolean

Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.





Pagination and filtering parameters can be used with this method.



Response data keys






Name
Description




acceleration
Indicates whether acceleration is enabled for the data model.




concise
Indicates whether to list a concise JSON description of the data model.




description
The JSON describing the data model.




displayName
The name displayed for the data model in Splunk Web.




eai:appName
The Splunk Enterprise app in which the data model was created.




eai:userName
The name of the Splunk Enterprise user who created the data model.



Application usage


For more implementation information on data models refer to About data models in the Knowledge Manager manual.





POST datamodel/model method detail


Example



Request parameters






Name
Type
Default
Description




description
String

JSON description of the data model.




name
String

Name of the data model.




acceleration
String

Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:

enabled (true or false)


earliest_time (time modifier)


cron_schedule (cron string)


For example:

acceleration='{"enabled": true, "earliest_time": -1mon, "cron_schedule": 0 */12 * * *}'





Response data keys


None



Application usage


For more implementation information on data models refer to About data models in the Knowledge Manager manual.



[ Top ]






datamodel/model/{name}




https://<host>:<mPort>/services/datamodel/model/{name}





Description


Manage the {name} datamodel resource.



Method summary






Method
Description
Formats




DELETE
Deletes a data model resource.
XML, JSON




GET
List information about a data model resource.
XML, JSON




POST
Update a data model resource.
XML, JSON





DELETE datamodel/model/{name} method detail


Example



Request parameters


None



Response data keys


None





GET datamodel/model/{name} method detail


Example



Request parameters






Name
Type
Default
Description




concise
Boolean

Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.





Response data keys






Name
Description




acceleration
Indicates whether acceleration is enabled for the data model.




concise
Indicates whether to list a concise JSON description of the data model.




description
The JSON describing the data model.




displayName
The name displayed for the data model in Splunk Web.




eai:appName
The Splunk Enterprise app in which the data model was created.




eai:attributes
Field control information.




eai:userName
The name of the Splunk Enterprise user who created the data model.





POST datamodel/model/{name} method detail


Example



Request parameters






Name
Type
Default
Description




acceleration
String

Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:

enabled (true or false)


earliest_time (time modifier)


cron_schedule (cron string)


For example:

acceleration='{"enabled": true, "earliest_time": -1mon, "cron_schedule": 0 */12 * * *}'






description
String

JSON description of the data model.




provisional
Boolean

Indicates whether the data model is provisional. Provisional data models are not saved.

Specify true to validate a data model before saving it. 

If the endpoint returns with no errors, then specify this endpoint again, with provisional set to false, to save the data model.





Response data keys






Name
Description




acceleration
Indicates whether acceleration is enabled for the data model.




concise
Indicates whether to list a concise JSON description of the data model.




description
The JSON describing the data model.




displayName
The name displayed for the data model in Splunk Web.




eai:appName
The Splunk Enterprise app in which the data model was created.




eai:attributes
Field control information.




eai:userName
The name of the Splunk Enterprise user who created the data model.



[ Top ]






datamodel/pivot




https://<host>:<mPort>/services/datamodel/pivot/{name}





Description


Provides access to pivots that are based on named data models.



Method summary






Method
Description
Formats




GET
List information about the supplied pivot based on the named data model.
XML, JSON





GET datamodel/pivot method detail


Example



Request parameters






Name
Type
Default
Description




pivot_json
String

JSON specifying a pivot based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either this pivot_json parameter or a pivot_search parameter.






pivot_search
String

A pivot search command based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either a pivot_json or this pivot_search parameter.





Response data keys






Name
Description




drilldown_search
The search for running this pivot report using drilldown




open_in_search
Equivalent to search parameter, but listed more simply.




pivot_json
JSON specifying a pivot based on the named data model.




pivot_search
A pivot search command based on the named data model.




search
The search string for running the pivot report




tstats_search
The search for running this pivot report using tstats



Application usage


For information on pivot implementation refer to the Splunk Pivot manual.

{name} refers to a data model on the system.

Specify a pivot using either the pivot_search or pivot_json parameter. 



[ Top ]






directory




https://<host>:<mPort>/services/directory





Description


Provides access to user configurable objects.

These objects includes search commands, UI views, UI navigation, saved searches and event types. This is useful to see which objects are provided by all apps, or a specific app when the call is namespaced. The specific configuration in restmap.conf is showInDirSvc. 



Method summary






Method
Description
Formats




GET
Provides an enumeration of app-scoped objects.
XML, JSON





GET directory method detail


Example



Request parameters


Pagination and filtering parameters can be used with this method.



Response data keys


None



Application usage


an enumeration of the following app scoped objects:



   event types
   saved searches
   time configurations
   views
   navs
   manager XML
   quickstart XML
   search commands
   macros
   tags
   field extractions
   lookups
   workflow actions
   field aliases
   sourcetype renames 



This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc in restmap.conf. 



[ Top ]






directory/{name}




https://<host>:<mPort>/services/directory/{name}





Description


Get information about the {name} directory entity.



Method summary






Method
Description
Formats




GET
Displays information about a single entity in the directory service enumeration.
XML, JSON





GET directory/{name} method detail


Example



Request parameters


None



Response data keys






Name
Description




eai:type
Entity type.



Application usage


This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.



[ Top ]






saved/eventtypes




https://<host>:<mPort>/services/saved/eventtypes





Description


Provides access to saved event types.



Method summary






Method
Description
Formats




GET
Retrieve saved event types.
XML, JSON




POST
Creates a new event type.
XML, JSON





GET saved/eventtypes method detail


Example



Request parameters


Pagination and filtering parameters can be used with this method.



Response data keys






Name
Description




description
Description of this event type.




disabled
Indicates if the event type is disabled.




eai:appName
The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.




eai:userName
Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.




priority
The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.




search
Search terms for this event type.




tags
[Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.







POST saved/eventtypes method detail


Example



Request parameters






Name
Type
Default
Description




name
String

The name for the event type.




search
String

Search terms for this event type.




description
String

Human-readable description of this event type.




disabled
Boolean
0
If True, disables the event type.




priority
Number
1
Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.




tags
String

[Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.



Response data keys






Name
Description




description
Description of this event type.




disabled
Indicates if this event type is disabled.




eai:appName
The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.




eai:userName
Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.




priority
The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.




search
Search terms for this event type.




tags
[Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.





[ Top ]






saved/eventtypes/{name}




https://<host>:<mPort>/services/saved/eventtypes/{name}





Description


Manage the {name} event type.



Method summary






Method
Description
Formats




DELETE
Deletes this event type.
XML, JSON




GET
Returns information on this event type.
XML, JSON




POST
Updates this event type.
XML, JSON





DELETE saved/eventtypes/{name} method detail


Example



Request parameters


None



Response data keys


None





GET saved/eventtypes/{name} method detail


Example



Request parameters


None



Response data keys






Name
Description




description
Description of this event type.




disabled
Indicates if the event type is disabled.




eai:appName
The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.




eai:attributes
Field control information.




eai:userName
Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.




priority
The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.




search
Search terms for this event type.




tags
[Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.







POST saved/eventtypes/{name} method detail


Example



Request parameters






Name
Type
Default
Description




search
String

Search terms for this event type.




description
String

Human-readable description of this event type.




disabled
Boolean
0
If True, disables the event type.




priority
Number
1
Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.




tags
String

[Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.



Response data keys






Name
Description




description
Description of this event type.




disabled
Indicates if this event type is disabled.




eai:appName
The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.




eai:userName
Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.




priority
The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.




search
Search terms for this event type.




tags
[Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.





Application usage


the search must be re-specified for this edit.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

Otherwise, these characters can be interpreted as part of the HTTP request. 



[ Top ]






search/fields




https://<host>:<mPort>/services/search/fields





Description


Provides management for search field configurations.

Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overriden values in $SPLUNK_HOME/etc/system/local/fields.conf. 



Method summary






Method
Description
Formats




GET
Returns a list of fields registered for field configuration.
XML, JSON





GET search/fields method detail


Example



Request parameters


None



Response data keys


None



[ Top ]






search/fields/{field_name}




https://<host>:<mPort>/services/search/fields/{field_name}





Description


Get information about the {field_name} field.



Method summary






Method
Description
Formats




GET
Retrieves information about the named field.
XML, JSON





GET search/fields/{field_name} method detail


Example



Request parameters


None



Response data keys


None



[ Top ]






search/fields/{field_name}/tags




https://<host>:<mPort>/services/search/fields/{field_name}/tags





Description


Manage the tags associated with the {field_name} field.



Method summary






Method
Description
Formats




GET
Returns a list of tags  associated with the field specified by {field_name}.
XML, JSON




POST
Update the tags associated with the field specified by {field_name}.
XML, JSON





GET search/fields/{field_name}/tags method detail


Example



Request parameters


None



Response data keys


None





POST search/fields/{field_name}/tags method detail


Example



Request parameters






Name
Type
Default
Description




value
String

The specific field value on which to bind the tags.




add
String

The tag to attach to this field_name:value combination.




delete
String

The tag to remove to this field_name::value combination.



Response data keys


None



Application usage


The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.

You must specify at least one add or delete parameter. 



[ Top ]






search/tags




https://<host>:<mPort>/services/search/tags





Description


Provides management of search time tags.



Method summary






Method
Description
Formats




GET
Returns a list of all search time tags.
XML, JSON





GET search/tags method detail


Example



Request parameters


None



Response data keys


None



[ Top ]






search/tags/{tag_name}




https://<host>:<mPort>/services/search/tags/{tag_name}





Description


Manage {tag_name} values.



Method summary






Method
Description
Formats




DELETE
Deletes the tag, and its associated field:value pair assignments.
XML, JSON




GET
Returns a list of field:value pairs  associated with the tag specified by {tag_name}.
XML, JSON




POST
Updates the field:value pairs associated with {tag_name}.
XML, JSON





DELETE search/tags/{tag_name} method detail


Example



Request parameters


None



Response data keys


None



Application usage


The resulting change in tags.conf is to set all field:value pairs to disabled.





GET search/tags/{tag_name} method detail


Example



Request parameters


None



Response data keys


None





POST search/tags/{tag_name} method detail


Example



Request parameters






Name
Type
Default
Description




add
String

A field:value pair to tag with {tag_name}.




delete
String

A field:value pair to remove from {tag_name}.



Response data keys


None



Application usage


Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then deletes.

If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status. 



[ Top ]


services/admin/summarization




https://<host>:<mPort>/services/admin/summarization/?by_tstats=1 





Description


Review data model acceleration information.

Authentication: Required. Authorization to access data model acceleration information is role-based.







Method
Description
Formats




GET
Returns a list of field:value pairs giving current data model acceleration information.
XML, JSON



Example 






[ Top ]





						

					

                                    								 									 
 Last modified on 24 October, 2016 

								 						                 


									

						

															
									
										
									
								
								
									PREVIOUS

									
										Introspection endpoint examples									
										
															 
															
									NEXT

									
										Knowledge endpoint examples									
										
								
									
										
									
								
														

					

						

		This documentation applies to the following versions of Splunk® Enterprise: 
		6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11	

	



				
				

									

			

			
			
							

					
					
				

							
		

	







    

		
		
		

		
		

			

				

					

						

							

								
								

									

										

											

												
												
												

													Was this documentation topic helpful?
													
												


												

																								

													
													
												


												

												

                                                    
												


												
												
											

											
										

									

								

							

							
							
							

								

									

										

																							
You must be logged into splunk.com in order to post comments.
													Log in now.
												

																							

												Please try to keep this discussion focused on the content covered in this documentation topic.
												If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
												consider posting a question to Splunkbase Answers.
											

											

												
												
0
												out of 1000 Characters