
Knowledge endpoint descriptions
Knowledge type endpoints:
- Define data configurations indexed and searched by the Splunk platform.
- Manage how data is handled, using look-ups, field extractions, field aliases, sourcetypes, and transforms.
- Manage saved event types.
- Manage search field configurations and search time tags.
- Note: Username and password authentication is required for most endpoints and REST operations. Additional capability or role-based authorization may also be required, particularly for POST or DELETE operations.
data/lookup-table-files
https://<host>:<mPort>/services/data/lookup-table-files
Description
Provides access to lookup table files.
Method summary
Method | Description | Formats |
---|---|---|
GET | List lookup table files. | XML, JSON |
POST | Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME. | XML, JSON |
GET data/lookup-table-files
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
eai:appName | The app for which the lookup table applies. |
eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
eai:userName | The Splunk Enterprise user who created the lookup table. |
POST data/lookup-table-files
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
eai:data (required) | String | | Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor. |
name (required) | String | | The lookup table filename. |
Response data keys
Name | Description |
---|---|
eai:appName | The app for which the lookup table applies. |
eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
eai:userName | The Splunk Enterprise user who created the lookup table. |
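The eai:data constraint above (the source path must have the lookup staging area as an ancestor) is a path-containment check. As an added example that is not Splunk's own code, the following Python shows how such a check is implemented and why it must canonicalise paths before comparing them; the staging directory and files are constructed in a temporary tree because the page does not give the real staging path.

```python
import os
import tempfile


def has_staging_ancestor(candidate: str, staging_root: str) -> bool:
    """Return True only if `candidate` resolves to a path strictly inside
    `staging_root`, the property this page requires of eai:data.

    Both paths are canonicalised with realpath first, so '..' segments and
    symbolic links are resolved before the ancestor test. A plain string
    prefix check would wrongly accept '<staging>/../outside/x.csv', a symlink
    inside the staging area that points elsewhere, and a sibling directory
    such as '<staging>_other/'.
    """
    root = os.path.realpath(staging_root)
    target = os.path.realpath(candidate)
    try:
        common = os.path.commonpath([root, target])
    except ValueError:
        # Mixed absolute/relative paths or different drives (Windows).
        return False
    # Strict ancestor: the staging root itself is not a lookup table file.
    return common == root and target != root


def demo() -> dict:
    """Exercise the check on a constructed directory tree; every path here is
    made up for the demo and is not the real Splunk staging location."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        staging = os.path.join(base, "staging")
        outside = os.path.join(base, "outside")
        os.makedirs(staging)
        os.makedirs(outside)
        good = os.path.join(staging, "hosts.csv")
        secret = os.path.join(outside, "secret.csv")
        for path in (good, secret):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("host,owner\n")  # constructed lookup content

        results["plain_file"] = has_staging_ancestor(good, staging)
        results["dotdot"] = has_staging_ancestor(
            os.path.join(staging, "..", "outside", "secret.csv"), staging)
        results["root_itself"] = has_staging_ancestor(staging, staging)
        results["sibling_prefix"] = has_staging_ancestor(
            os.path.join(staging + "_other", "x.csv"), staging)

        link = os.path.join(staging, "escape.csv")
        try:
            os.symlink(secret, link)
            results["symlink_out"] = has_staging_ancestor(link, staging)
        except OSError:
            # Platform without symlink support: treat as rejected.
            results["symlink_out"] = False
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} accepted={accepted}")
```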
data/lookup-table-files/{name}
https://<host>:<mPort>/services/data/lookup-table-files/{name}
Description
Manage the {name} lookup table file.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Delete the named lookup table file. | XML, JSON |
GET | List a single lookup table file. | XML, JSON |
POST | Modify a lookup table file by replacing it with a file from the upload staging area. | XML, JSON |
DELETE data/lookup-table-files/{name}
method detail
Request parameters
None
Response data keys
None
GET data/lookup-table-files/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
eai:appName | The app for which the lookup table applies. |
eai:attributes | Field control information. |
eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
eai:userName | The Splunk Enterprise user who created the lookup table. |
POST data/lookup-table-files/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
eai:data (required) | String | | Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor. |
Response data keys
Name | Description |
---|---|
eai:appName | The app for which the lookup table applies. |
eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
eai:userName | The Splunk Enterprise user who created the lookup table. |
data/props/calcfields
https://<host>:<mPort>/services/data/props/calcfields
Description
Provides access to calculated fields, which are eval expressions in props.conf.
Method summary
Method | Description | Formats |
---|---|---|
GET | Returns information on calculated fields for this instance of your Splunk deployment. | XML, JSON |
POST | Create an eval expression defining a calculated field in props.conf. | XML, JSON |
GET data/props/calcfields
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
field.name | The name of the field which is being calculated with an EVAL expression. |
stanza | The name of the stanza in props.conf that defines the calculated field. |
type | The type of the calculated field. This is always EVAL. |
value | The EVAL statement for the calculated field. |
Application usage
See Define calculated fields in the Splunk Knowledge Manager manual for more information.
POST data/props/calcfields
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
name (required) | String | | The name of the calculated field. Do not specify the "EVAL-" prefix for the field. When Splunk Enterprise writes the calculated field to props.conf, it adds the "EVAL-" prefix. |
stanza (required) | String | | The name of the stanza in props.conf for the calculated field. The name can be any of the following: |
value (required) | String | | The eval statement, which can be evaluated to any value type, including multivals, boolean, or null. See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details. |
Response data keys
Name | Description |
---|---|
attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
field.name | The name of the field which is being calculated with an EVAL expression. |
stanza | The name of the stanza in props.conf that defines the calculated field. |
type | The type of the calculated field. This is always EVAL. |
value | The EVAL statement for the calculated field. |
Application usage
See Define calculated fields in the Splunk Knowledge Manager manual for more information.
data/props/calcfields/{name}
https://<host>:<mPort>/services/data/props/calcfields/{name}
Description
Manage the {name} calculated field.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Deletes the named calculated field. | XML, JSON |
GET | Returns details about the named calculated field. | XML, JSON |
POST | Update the named calculated field. | XML, JSON |
DELETE data/props/calcfields/{name}
method detail
Request parameters
None
Response data keys
None
Application usage
Use URL-encoding to ensure that Splunk Enterprise interprets the name of the calculated field correctly.
GET data/props/calcfields/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
field.name | The name of the field which is being calculated with an EVAL expression. |
stanza | The name of the stanza in props.conf that defines the calculated field. |
type | The type of the calculated field. This is always EVAL. |
value | The EVAL statement for the calculated field. |
POST data/props/calcfields/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
value | String | | The eval statement, which can be evaluated to any value type, including multivals, boolean, or null. See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details. |
Response data keys
Name | Description |
---|---|
attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
field.name | The name of the field which is being calculated with an EVAL expression. |
stanza | The name of the stanza in props.conf that defines the calculated field. |
type | The type of the calculated field. This is always EVAL. |
value | The EVAL statement for the calculated field. |
data/props/extractions
https://<host>:<mPort>/services/data/props/extractions
Description
Provides access to search-time field extractions in props.conf.
Method summary
Method | Description | Formats |
---|---|---|
GET | List field extractions. | XML, JSON |
POST | Create a new field extraction. | XML, JSON |
GET data/props/extractions
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | The props.conf stanza to which this field extraction applies. For example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
POST data/props/extractions
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
name (required) | String | | The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix. |
stanza (required) | String | | The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. |
type (required) | Enum | | Valid values: REPORT, EXTRACT. An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza. |
value (required) | String | | If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply. |
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | Specifies the name of the stanza for the field extraction. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/extractions/{name}
https://<host>:<mPort>/services/data/props/extractions/{name}
Description
Manage the {name} field extraction.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Delete the named field extraction. | XML, JSON |
GET | List a single field extraction. | XML, JSON |
POST | Modify the named field extraction. | XML, JSON |
DELETE data/props/extractions/{name}
method detail
Request parameters
None
Response data keys
None
GET data/props/extractions/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | The props.conf stanza to which this field extraction applies. For example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
POST data/props/extractions/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
value (required) | String | | If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply. |
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | Specifies the name of the stanza for the field extraction. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/fieldaliases
https://<host>:<mPort>/services/data/props/fieldaliases
Description
Provides access to field aliases in props.conf.
Method summary
Method | Description | Formats |
---|---|---|
GET | List field aliases. | XML, JSON |
POST | Create a new field alias. | XML, JSON |
GET data/props/fieldaliases
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
POST data/props/fieldaliases
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
alias.* | String | | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". |
name (required) | String | | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
stanza (required) | String | | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
Response data keys
Name | Description |
---|---|
alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/fieldaliases/{name}
https://<host>:<mPort>/services/data/props/fieldaliases/{name}
Description
Manage the {name} field alias.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Delete the named field alias. | XML, JSON |
GET | List a single field alias. | XML, JSON |
POST | Modify the named field alias. | XML, JSON |
DELETE data/props/fieldaliases/{name}
method detail
Request parameters
None
Response data keys
None
GET data/props/fieldaliases/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
POST data/props/fieldaliases/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
alias.* | String | | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". |
Response data keys
Name | Description |
---|---|
alias.* | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". |
attribute | Specifies the field extraction configuration. For example, REPORT-<name> or EXTRACT-<name>. |
stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
type | Specifies the field extraction type, which can be either inline or uses transform. |
value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/lookups
https://<host>:<mPort>/services/data/props/lookups
Description
Provides access to automatic lookups in props.conf.
Method summary
Method | Description | Formats |
---|---|---|
GET | List automatic lookups. | XML, JSON |
POST | Create a new automatic lookup. | XML, JSON |
GET data/props/lookups
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, LOOKUP-my_lookup. |
overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
stanza | The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
transform | The transforms.conf stanza that defines the lookup to apply. |
type | Specifies the field extraction type. For this endpoint, this is always |
value | The transform stanza with the value for the lookup. |
POST data/props/lookups
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
lookup.field.input.* | String | | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
lookup.field.output.* | String | | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
name (required) | String | | The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix. |
overwrite (required) | Boolean | | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
stanza (required) | String | | The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
transform (required) | String | | The transforms.conf stanza that defines the lookup to apply. |
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, LOOKUP-my_lookup. |
lookup.field.input.* | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
lookup.field.output.* | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
stanza | The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
transform | The transforms.conf stanza that defines the lookup to apply. |
type | Specifies the field extraction type. For this endpoint, this is always |
value | The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
data/props/lookups/{name}
https://<host>:<mPort>/services/data/props/lookups/{name}
Description
Manage the {name} automatic lookup.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Delete the named automatic lookup. | XML, JSON |
GET | List a single automatic lookup. | XML, JSON |
POST | Modify the named automatic lookup. | XML, JSON |
DELETE data/props/lookups/{name}
method detail
Request parameters
None
Response data keys
None
GET data/props/lookups/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, LOOKUP-my_lookup. |
overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
stanza | The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
transform | The transforms.conf stanza that defines the lookup to apply. |
type | Specifies the field extraction type. For this endpoint, this is always |
value | The transform stanza with the value for the lookup. |
POST data/props/lookups/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
lookup.field.input.* | String | | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
lookup.field.output.* | String | | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
overwrite (required) | Boolean | | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
transform (required) | String | | The transforms.conf stanza that defines the lookup to apply. |
Response data keys
Name | Description |
---|---|
attribute | Specifies the field extraction configuration. For example, LOOKUP-my_lookup. |
lookup.field.input.* | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
lookup.field.output.* | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
stanza | The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
transform | The transforms.conf stanza that defines the lookup to apply. |
type | Specifies the field extraction type. For this endpoint, this is always |
value | The props.conf stanza to which this automatic lookup applies. For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
data/props/sourcetype-rename
https://<host>:<mPort>/services/data/props/sourcetype-rename
Description
Provides access to renamed sourcetypes which are configured in props.conf.
Method summary
Method | Description | Formats |
---|---|---|
GET | List renamed sourcetypes. | XML, JSON |
POST | Rename a sourcetype. | XML, JSON |
GET data/props/sourcetype-rename
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
attribute | The configuration key. |
stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
type | The value of the configuration key. |
value | The new name for the sourcetype. |
POST data/props/sourcetype-rename
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
name (required) | String | | The original sourcetype name. |
value (required) | String | | The new sourcetype name. |
Response data keys
Name | Description |
---|---|
attribute | The configuration key. |
stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
type | The value of the configuration key. |
value | The new name for the sourcetype. |
data/props/sourcetype-rename/{name}
https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}
Description
Manage {name} sourcetype renaming.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Restore original sourcetype name. | XML, JSON |
GET | List a single renamed sourcetype. | XML, JSON |
POST | Rename a sourcetype again, i.e. modify a sourcetype's new name. | XML, JSON |
DELETE data/props/sourcetype-rename/{name}
method detail
Request parameters
None
Response data keys
None
GET data/props/sourcetype-rename/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
attribute | The configuration key. |
stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
type | The value of the configuration key. |
value | The new name for the sourcetype. |
POST data/props/sourcetype-rename/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
value (required) | String | | The new sourcetype name. |
Response data keys
Name | Description |
---|---|
attribute | The configuration key. |
stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
type | The value of the configuration key. |
value | The new name for the sourcetype. |
data/transforms/extractions
https://<host>:<mPort>/services/data/transforms/extractions
Description
Provides access to field transformations, i.e. field extraction definitions.
Method summary
Method | Description | Formats |
---|---|---|
GET | List field transformations. | XML, JSON |
POST | Create a new field transformation. | XML, JSON |
GET data/transforms/extractions
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off; it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | Optional attribute for index-time field extractions. Specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
disabled | Indicates if the field transformation is disabled. |
eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
POST data/transforms/extractions
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
CAN_OPTIMIZE | Bool | True | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.
NOTE: This option should rarely be set to false. |
CLEAN_KEYS | Boolean | True | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
disabled | Boolean | Specifies whether the field transformation is disabled. | |
FORMAT | String | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string. | |
KEEP_EMPTY_VALS | Boolean | False | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
MV_ADD | Boolean | False | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
name (required) | String | | The name of the field transformation. |
REGEX (required) | String | | Specify a regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions:
REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
REGEX is required for all index-time transforms.
REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent:
Using FORMAT:
REGEX = ([a-z]+)=([a-z]+)
FORMAT = $1::$2
Without using FORMAT:
REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)
REGEX defaults to an empty string. |
SOURCE_KEY (required) | String | _raw | Specify the KEY to which Splunk Enterprise applies REGEX. |
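A model of the REGEX, FORMAT, CLEAN_KEYS, KEEP_EMPTY_VALS and MV_ADD rules described in the request parameters above, added here as an example and not Splunk's own code: it reproduces the index-time "$" substitution cases (foo$1, foo$bar, foo$1234), the search-time FORMAT grammar, and the equivalence of FORMAT = $1::$2 with _KEY_/_VAL_ named groups. Assumptions: the page's (?<name>...) syntax is translated to Python's (?P<name>...), and the longest run of digits after "$" is read as the group number.

```python
"""Model of the REGEX / FORMAT / CLEAN_KEYS / KEEP_EMPTY_VALS / MV_ADD rules
described above. Added example: not Splunk's code, and a model of the documented
behaviour only, not of the extraction engine itself."""
import re
from typing import Dict, List, Optional, Sequence, Tuple


def apply_index_time_format(fmt: str, groups: Sequence[str],
                            dest_key_before: str = "") -> str:
    """Expand an index-time FORMAT string.

    "$" is the only special character. It names a capturing group only when it
    is followed by a number that refers to an existing group; "$0" stands for
    what DEST_KEY held before the REGEX ran. Everything else is literal.
    Assumption (not stated on the page): the longest run of digits after "$"
    is read as the group number.
    """
    out: List[str] = []
    i = 0
    while i < len(fmt):
        if fmt[i] == "$":
            digits = re.match(r"\d+", fmt[i + 1:])
            if digits:
                n = int(digits.group(0))
                if n == 0 or 1 <= n <= len(groups):
                    out.append(dest_key_before if n == 0 else groups[n - 1])
                    i += 1 + digits.end()
                    continue
        out.append(fmt[i])  # a literal "$" (no usable group number) or any other char
        i += 1
    return "".join(out)


def clean_key(name: str) -> str:
    """CLEAN_KEYS: non-alphanumerics become "_" and leading "_" are stripped."""
    return re.sub(r"[^A-Za-z0-9]", "_", name).lstrip("_")


def parse_search_time_format(fmt: str) -> List[Tuple[str, str]]:
    """FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*"""
    pairs = []
    for token in fmt.split():
        name, sep, value = token.partition("::")
        if not sep:
            raise ValueError(f"malformed FORMAT token: {token!r}")
        pairs.append((name, value))
    return pairs


def _resolve(spec: str, groups: Sequence[Optional[str]]) -> str:
    """Either side of a FORMAT pair is "$<n>" (a capturing group) or a literal."""
    ref = re.fullmatch(r"\$(\d+)", spec)
    if not ref:
        return spec
    n = int(ref.group(1))
    if not 1 <= n <= len(groups):
        raise ValueError(f"FORMAT refers to ${n} but REGEX has {len(groups)} groups")
    return groups[n - 1] or ""


def search_time_extract(regex: str, event: str, fmt: str = "",
                        clean_keys: bool = True, keep_empty_vals: bool = False,
                        mv_add: bool = False,
                        existing: Optional[Dict[str, List[str]]] = None,
                        ) -> Dict[str, List[str]]:
    """Apply one search-time transform to an event; returns field -> values.

    Named groups become fields directly; a _KEY_<s>/_VAL_<s> pair maps a
    captured field name to its captured value; FORMAT, if set, maps "$n" or
    literals to names and values. MV_ADD decides what happens when a field
    that already exists is extracted again.
    """
    # The page writes named groups as (?<name>...); Python's re spells them (?P<name>...).
    pattern = re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", regex))
    fields: Dict[str, List[str]] = {k: list(v) for k, v in (existing or {}).items()}

    def add(name: str, value: str) -> None:
        if value == "" and not keep_empty_vals:
            return
        if clean_keys:
            name = clean_key(name)
        if name not in fields:
            fields[name] = [value]
        elif mv_add:
            fields[name].append(value)  # the field becomes multivalued
        # otherwise the newly extracted value is discarded

    for m in pattern.finditer(event):
        named = m.groupdict()
        for gname, val in named.items():
            if gname.startswith("_KEY_"):
                if val:
                    add(val, named.get("_VAL_" + gname[len("_KEY_"):]) or "")
            elif not gname.startswith("_VAL_"):
                add(gname, val or "")
        for name_spec, val_spec in parse_search_time_format(fmt):
            add(_resolve(name_spec, m.groups()), _resolve(val_spec, m.groups()))
    return fields
```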
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | Optional attribute for index-time field extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions:
REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
REGEX is required for all index-time transforms.
For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
disabled | Indicates if the field transformation is disabled. |
eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
data/transforms/extractions/{name}
https://<host>:<mPort>/services/data/transforms/extractions/{name}
Description
Manage the {name} field transformation.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Delete the named field transformation. | XML, JSON |
GET | List a single field transformation. | XML, JSON |
POST | Modify the named field transformation. | XML, JSON |
DELETE data/transforms/extractions/{name}
method detail
Request parameters
None
Response data keys
None
GET data/transforms/extractions/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | Optional attribute for index-time field extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
disabled | Indicates if the field transformation is disabled. |
eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
eai:attributes | Field control information. |
eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
POST data/transforms/extractions/{name}
method detail
Request parameters
Name | Type | Default | Description | |
---|---|---|---|---|
REGEX | String | Specify a regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions:
REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
REGEX is required for all index-time transforms.
REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent:
Using FORMAT:
REGEX = ([a-z]+)=([a-z]+)
FORMAT = $1::$2
Without using FORMAT:
REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)
REGEX defaults to an empty string. | ||
SOURCE_KEY | String | _raw | Specify the KEY to which Splunk Enterprise applies REGEX. | |
CAN_OPTIMIZE | Boolean | True | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.
NOTE: This option should rarely be set to false. | |
CLEAN_KEYS | Boolean | True | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. | |
FORMAT | String | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add.
FORMAT for index-time extractions: Use $n (for example $1, $2, etc.) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index time only, you can use FORMAT to create concatenated fields:
FORMAT = ipaddress::$1.$2.$3.$4
When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then:
"FORMAT = foo$1" yields "foobar"
"FORMAT = foo$bar" yields "foo$bar"
"FORMAT = foo$1234" yields "foo$1234"
"FORMAT = foo$1\$2" yields "foobar\$2"
At index time, FORMAT defaults to <stanza-name>::$1.
FORMAT for search-time extractions: The format of this field as used during search-time extractions is as follows:
FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*
field-name = [<string>|$<extracting-group-number>]
field-value = [<string>|$<extracting-group-number>]
Search-time extraction examples:
FORMAT = first::$1 second::$2 third::other-value
FORMAT = $1::$2
You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search time, FORMAT defaults to an empty string. | ||
KEEP_EMPTY_VALS | Boolean | False | If set to true, Splunk Enterprise preserves extracted fields with empty values. | |
MV_ADD | Boolean | False | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. | |
disabled | Boolean | Specifies whether the field transformation is disabled. |
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | Optional attribute for index-time field extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions:
REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
REGEX is required for all index-time transforms.
For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
disabled | Indicates if the field transformation is disabled. |
eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
data/transforms/lookups
https://<host>:<mPort>/services/data/transforms/lookups
Description
Provides access to lookup definitions in transforms.conf.
Method summary
Method | Description | Formats |
---|---|---|
GET | List lookup definitions. | XML, JSON |
POST | Create a new lookup definition. | XML, JSON |
GET data/transforms/lookups
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | Optional attribute for index-time field extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
disabled | Indicates if this lookup is disabled. |
eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
eai:userName | The Splunk Enterprise user for which the lookups are defined. |
external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
fields_list | List of all fields that are supported by the external command. |
type | Specifies the field extraction type.
Can be either external or file. |
POST data/transforms/lookups
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
name | String | The name of the lookup definition. | |
default_match | String | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. | |
disabled | Boolean | Specifies whether the lookup definition is disabled. | |
external_cmd | String | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. | |
fields_list | String | A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups. | |
filename | String | The name of the static lookup table file. | |
max_matches | Number | The maximum number of possible matches for each input lookup value. | |
max_offset_secs | Number | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. | |
min_matches | Number | The minimum number of possible matches for each input lookup value. | |
min_offset_secs | Number | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur. | |
time_field | String | For temporal lookups, this is the field in the lookup table that represents the timestamp. | |
time_format | String | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | Optional attribute for index-time field extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
default_match | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. |
disabled | Specifies whether the lookup definition is disabled. |
eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
eai:userName | The Splunk Enterprise user for which the lookups are defined. |
external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
fields_list | List of all fields that are supported by the external command. Use this for external (or "scripted") lookups. |
filename | The name of the static lookup table file. |
max_matches | The maximum number of possible matches for each input lookup value.
If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk Enterprise uses the first <integer> entries, in file order. If the lookup is temporal, Splunk Enterprise uses the first <integer> entries in descending time order. Default = 100 if the lookup is not temporal, default = 1 if it is temporal. |
max_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
min_matches | The minimum number of possible matches for each input lookup value. |
min_offset_secs | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
time_field | For temporal lookups, this is the field in the lookup table that represents the timestamp. |
time_format | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
type | Specifies the field extraction type.
Can be either external or file. |
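A model of the matching rules that the max_matches, min_matches, default_match, min_offset_secs, max_offset_secs and time_field parameters describe (the request parameters above, plus the max_matches defaults given in the response keys), added here as an example and not Splunk's code. Assumptions: lookup_field and output_field name the input and output columns (the page leaves that to the search that invokes the lookup), min_offset_secs defaults to 0, and an unset max_offset_secs means no upper bound.

```python
"""Model of the lookup-matching rules described for data/transforms/lookups:
max_matches (and its temporal / non-temporal defaults), min_matches with
default_match, and the min_offset_secs / max_offset_secs window of temporal
lookups. Added example; not Splunk's code."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of what a lookup table file (the `filename` parameter)
# might hold: who owned a host, and when that assignment was recorded.
SAMPLE_TABLE: List[Dict[str, str]] = [
    {"host": "web01", "owner": "alice", "assigned": "2024-01-01 00:00:00"},
    {"host": "web01", "owner": "bob",   "assigned": "2024-03-01 00:00:00"},
    {"host": "web01", "owner": "carol", "assigned": "2024-06-01 00:00:00"},
    {"host": "db01",  "owner": "dave",  "assigned": "2024-02-01 00:00:00"},
]


@dataclass
class LookupDefinition:
    """The subset of the POST data/transforms/lookups parameters modelled here.
    lookup_field and output_field are assumptions: the page's parameters do
    not name the input/output columns (the search that uses the lookup does)."""
    lookup_field: str
    output_field: str
    time_field: Optional[str] = None        # set -> the lookup is temporal
    time_format: str = "%Y-%m-%d %H:%M:%S"  # strptime format of time_field
    max_matches: Optional[int] = None       # None -> page default: 100, or 1 if temporal
    min_matches: int = 0
    default_match: Optional[str] = None
    min_offset_secs: int = 0                # assumption: event may not precede the entry
    max_offset_secs: Optional[int] = None   # assumption: None means no upper bound

    @property
    def is_temporal(self) -> bool:
        return self.time_field is not None

    @property
    def effective_max_matches(self) -> int:
        if self.max_matches is not None:
            return self.max_matches
        return 1 if self.is_temporal else 100


def _entry_time(defn: LookupDefinition, row: Dict[str, str]) -> datetime:
    # Naive datetimes: subtraction is pure wall-clock arithmetic, no DST surprises.
    return datetime.strptime(row[defn.time_field], defn.time_format)


def lookup(defn: LookupDefinition, table: List[Dict[str, str]], value: str,
           event_time: Optional[str] = None) -> List[str]:
    """Return the output-field values the lookup yields for one input value."""
    rows = [r for r in table if r.get(defn.lookup_field) == value]
    if defn.is_temporal:
        if event_time is None:
            raise ValueError("a temporal lookup needs the event timestamp")
        event_dt = datetime.strptime(event_time, defn.time_format)

        def in_window(row: Dict[str, str]) -> bool:
            # Match only when the event is later than the entry by an amount
            # between min_offset_secs and max_offset_secs (inclusive).
            delta = (event_dt - _entry_time(defn, row)).total_seconds()
            if delta < defn.min_offset_secs:
                return False
            return defn.max_offset_secs is None or delta <= defn.max_offset_secs

        # Temporal: candidates in descending time order (most recent entry first).
        rows = sorted(filter(in_window, rows),
                      key=lambda r: _entry_time(defn, r), reverse=True)
    # Non-temporal lookups keep file order; either way take the first max_matches.
    results = [r[defn.output_field] for r in rows[: defn.effective_max_matches]]
    # min_matches / default_match: pad with default_match until the threshold is met.
    while (defn.min_matches > 0 and len(results) < defn.min_matches
           and defn.default_match is not None):
        results.append(defn.default_match)
    return results
```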
data/transforms/lookups/{name}
https://<host>:<mPort>/services/data/transforms/lookups/{name}
Description
Manage the {name} lookup definition.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Delete the named lookup definition. | XML, JSON |
GET | List a single lookup definition. | XML, JSON |
POST | Modify the named lookup definition. | XML, JSON |
DELETE data/transforms/lookups/{name}
method detail
Request parameters
None
Response data keys
None
GET data/transforms/lookups/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Indicates whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | Indicates whether Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
KEEP_EMPTY_VALS | Indicates whether Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | For index-time field extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
disabled | Indicates if this lookup is disabled. |
eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
eai:attributes | Field control information. |
eai:userName | The Splunk Enterprise user for which the lookups are defined. |
filename | The name of the static lookup table file. |
type | Specifies the field extraction type.
Can be either external or file. |
POST data/transforms/lookups/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
default_match | String | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. | |
disabled | Boolean | Specifies whether the lookup definition is disabled. | |
external_cmd | String | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. | |
fields_list | String | A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups. | |
filename | String | The name of the static lookup table file. | |
max_matches | Number | The maximum number of possible matches for each input lookup value. | |
max_offset_secs | Number | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. | |
min_matches | Number | The minimum number of possible matches for each input lookup value. | |
min_offset_secs | Number | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur. | |
time_field | String | For temporal lookups, this is the field in the lookup table that represents the timestamp. | |
time_format | String | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
Response data keys
Name | Description |
---|---|
CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off; it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time. This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
LOOKAHEAD | Optional attribute for index-time field extractions. Specifies how many characters to search into an event. Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
REGEX | The regular expression to operate on your data. This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
WRITE_META | Indicates whether to automatically write REGEX to metadata. This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
default_match | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. |
disabled | Specifies whether the lookup definition is disabled. |
eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
eai:userName | The Splunk Enterprise user for which the lookups are defined. |
external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table. This string is parsed like a shell command. The first argument is expected to be a python script located in $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts). Presence of this field indicates that the lookup is external and command based. |
fields_list | List of all fields that are supported by the external command. Use this for external (or "scripted") lookups. |
filename | The name of the static lookup table file. |
max_matches | The maximum number of possible matches for each input lookup value. |
max_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
min_matches | The minimum number of possible matches for each input lookup value. |
min_offset_secs | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
time_field | For temporal lookups, this is the field in the lookup table that represents the timestamp. |
time_format | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
type | Specifies the field extraction type. Can be either external or file. |
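Because external_cmd turns a lookup definition into code that runs on the search head, an administrator reviewing an instance wants an inventory of scripted lookups. The following is an added example, not Splunk's own code: it parses a constructed JSON listing of lookup definitions (the entry[].content layout assumed here for Splunk REST JSON output) and reports each external lookup, its owner and app, and whether the script in external_cmd is a bare name that resolves under the app bin directory named above or an explicit path that deserves a closer look.

```python
"""Inventory scripted (external) lookups from a lookup-definition listing.

Added example, not Splunk's own code. SAMPLE_RESPONSE is a constructed
sample shaped like a Splunk REST JSON listing (entry[].content); that
layout is an assumption, not something the reference above documents.
"""
import json
import shlex
from typing import Dict, List

# Constructed sample: one static file lookup and two scripted lookups.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "asset_lookup",
         "acl": {"app": "search", "owner": "admin"},
         "content": {"type": "file", "filename": "assets.csv",
                     "disabled": False}},
        {"name": "dnslookup",
         "acl": {"app": "search", "owner": "admin"},
         "content": {"type": "external",
                     "external_cmd": "external_lookup.py clienthost clientip",
                     "fields_list": "clienthost, clientip",
                     "disabled": False}},
        {"name": "odd_lookup",
         "acl": {"app": "myapp", "owner": "analyst"},
         "content": {"type": "external",
                     "external_cmd": "/tmp/helper.py host ip",
                     "fields_list": "host, ip",
                     "disabled": True}},
    ]
})


def audit_external_lookups(response_json: str) -> List[Dict[str, object]]:
    """Return one finding per external (scripted) lookup.

    A lookup is external when its content carries external_cmd (the
    reference says presence of that field marks the lookup as command
    based). The command string is split like a shell command, as the
    reference describes, and the first token is the script.
    """
    findings: List[Dict[str, object]] = []
    for entry in json.loads(response_json)["entry"]:
        content = entry.get("content", {})
        cmd = content.get("external_cmd")
        if not cmd and content.get("type") != "external":
            continue  # static file lookup: no script involved
        argv = shlex.split(cmd or "")
        script = argv[0] if argv else ""
        # A bare script name is looked up in $SPLUNK_HOME/etc/<app_name>/bin
        # (or ../etc/searchscripts); an explicit path points elsewhere.
        bare_name = bool(script) and "/" not in script and not script.startswith(".")
        findings.append({
            "name": entry["name"],
            "app": entry.get("acl", {}).get("app", ""),
            "owner": entry.get("acl", {}).get("owner", ""),
            "script": script,
            "script_args": " ".join(argv[1:]),
            "script_is_bare_name": bare_name,
            "disabled": bool(content.get("disabled", False)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_external_lookups(SAMPLE_RESPONSE):
        flag = "" if f["script_is_bare_name"] else "  <- explicit path, review"
        print(f"{f['app']}/{f['name']} ({f['owner']}): {f['script']}{flag}")
```

Point the same function at the JSON returned by a GET on the lookup-definition endpoint to audit a live instance; disabled scripted lookups are still listed because they can be re-enabled.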
[ Top ]
data/ui/views
https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views
Description
Create dashboard source XML.
Method summary
Method | Description | Formats |
---|---|---|
POST | Create a new dashboard XML definition. | XML |
POST data/ui/views
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
name | String | | Dashboard name. |
eai:data | XML document | | Dashboard XML definition. |
Response data keys
Name | Description |
---|---|
eai:appName | App context for the dashboard. |
eai:data | XML definition for the dashboard. |
eai:type | User interface type. For dashboards, this type is view. |
eai:userName | User who created the dashboard. |
isDashboard | Boolean value indicating whether the knowledge object is a dashboard. |
isVisible | Boolean value indicating whether the dashboard is visible. |
label | Dashboard label. |
rootNode | XML root node. |
data/ui/views/{name}
https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}
Description
Access or update existing dashboard source XML.
Method summary
Method | Description | Formats |
---|---|---|
GET | Access an existing dashboard XML definition. | XML |
POST | Update an existing dashboard XML definition. | XML |
DELETE | Delete an existing dashboard XML definition. | XML |
GET data/ui/views/{name}
method detail
Request parameters
None.
Response data keys
Name | Description |
---|---|
eai:appName | App context for the dashboard. |
eai:data | XML definition for the dashboard. |
eai:type | User interface type. For dashboards, this type is view. |
eai:userName | User who created the dashboard. |
isDashboard | Boolean value indicating whether the knowledge object is a dashboard. |
isVisible | Boolean value indicating whether the dashboard is visible. |
label | Dashboard label. |
rootNode | XML root node. |
POST data/ui/views/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
eai:data | XML document | | Dashboard XML definition. |
Response data keys
Name | Description |
---|---|
eai:appName | App context for the dashboard. |
eai:data | XML definition for the dashboard. |
eai:type | User interface type. For dashboards, this type is view. |
eai:userName | User who created the dashboard. |
isDashboard | Boolean value indicating whether the knowledge object is a dashboard. |
isVisible | Boolean value indicating whether the dashboard is visible. |
label | Dashboard label. |
rootNode | XML root node. |
DELETE data/ui/views/{name}
method detail
Request parameters
None.
Response data keys
None.
datamodel/acceleration (DEPRECATED)
https://<host>:<mPort>/services/datamodel/acceleration
Description
Access information about data models that have acceleration enabled.
Method summary
Method | Description | Formats |
---|---|---|
GET | List information about data models that have acceleration enabled. | XML, JSON |
GET datamodel/acceleration
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
None
Application usage
Refer to Manage data models for more implementation information about data models and acceleration.
[ Top ]
datamodel/acceleration/{name} (DEPRECATED)
https://<host>:<mPort>/services/datamodel/acceleration/{name}
Description
Get information about the {name} datamodel.
Method summary
Method | Description | Formats |
---|---|---|
GET | List information about the named data model, which has acceleration enabled. | XML, JSON |
GET datamodel/acceleration/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
acceleration | Indicates if acceleration is enabled for this data model. |
acceleration.earliest_time | The earliest time to dispatch the search. |
search | Specifies the search to accelerate this data model. |
[ Top ]
datamodel/model
https://<host>:<mPort>/services/datamodel/model
Description
Access information about data models.
Method summary
Method | Description | Formats |
---|---|---|
GET | List data models on the server. | XML, JSON |
POST | Create a new data model. | XML, JSON |
GET datamodel/model
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
concise | Boolean | | Indicates whether to list a concise JSON description of the data model. The concise description is a summary for human readability. It is not used to create the data model. |
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
acceleration | Indicates whether acceleration is enabled for the data model. |
concise | Indicates whether to list a concise JSON description of the data model. |
description | The JSON describing the data model. |
displayName | The name displayed for the data model in Splunk Web. |
eai:appName | The Splunk Enterprise app in which the data model was created. |
eai:userName | The name of the Splunk Enterprise user who created the data model. |
Application usage
For more implementation information on data models refer to About data models in the Knowledge Manager manual.
POST datamodel/model
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
description | String | | JSON description of the data model. |
name | String | | Name of the data model. |
acceleration | String | | Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings: For example: acceleration='{"enabled": true, "earliest_time": "-1mon", "cron_schedule": "0 */12 * * *"}' |
Response data keys
None
Application usage
For more implementation information on data models refer to About data models in the Knowledge Manager manual.
[ Top ]
datamodel/model/{name}
https://<host>:<mPort>/services/datamodel/model/{name}
Description
Manage the {name} datamodel resource.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Deletes a data model resource. | XML, JSON |
GET | List information about a data model resource. | XML, JSON |
POST | Update a data model resource. | XML, JSON |
DELETE datamodel/model/{name}
method detail
Request parameters
None
Response data keys
None
GET datamodel/model/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
concise | Boolean | | Indicates whether to list a concise JSON description of the data model. The concise description is a summary for human readability. It is not used to create the data model. |
Response data keys
Name | Description |
---|---|
acceleration | Indicates whether acceleration is enabled for the data model. |
concise | Indicates whether to list a concise JSON description of the data model. |
description | The JSON describing the data model. |
displayName | The name displayed for the data model in Splunk Web. |
eai:appName | The Splunk Enterprise app in which the data model was created. |
eai:attributes | Field control information. |
eai:userName | The name of the Splunk Enterprise user who created the data model. |
POST datamodel/model/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
acceleration | String | | Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings: For example: acceleration='{"enabled": true, "earliest_time": "-1mon", "cron_schedule": "0 */12 * * *"}' |
description | String | | JSON description of the data model. |
provisional | Boolean | | Indicates whether the data model is provisional. Provisional data models are not saved. Specify true to validate a data model before saving it. If the endpoint returns with no errors, then specify this endpoint again, with provisional set to false, to save the data model. |
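The provisional flag describes a two-step procedure: validate with provisional=true, and only if that returns no errors repeat the request with provisional=false. The following added example (not Splunk's own code) implements that flow with the POST injected as a callable so it runs offline; the fake transport and the "messages" error layout it returns are assumptions for illustration, and the acceleration helper shows the JSON the acceleration parameter expects, with the relative time and cron expression quoted as strings.

```python
"""Validate a data model with provisional=true before saving it.

Added example, not Splunk's own code. The HTTP POST is injected as a
callable so the flow runs offline; the fake transport and the
'messages' error shape it returns are assumptions for illustration.
"""
import json
from typing import Callable, Dict, List, Optional

# A POST takes (path, form fields) and returns the decoded JSON reply.
PostFn = Callable[[str, Dict[str, str]], Dict]


def acceleration_param(enabled: bool, earliest_time: str,
                       cron_schedule: Optional[str] = None) -> str:
    """Build the JSON string passed as the acceleration parameter.

    Relative times such as -1mon and cron expressions are JSON strings,
    so they are quoted here; bare values would not parse as JSON.
    """
    settings: Dict[str, object] = {"enabled": enabled,
                                   "earliest_time": earliest_time}
    if cron_schedule:
        settings["cron_schedule"] = cron_schedule
    return json.dumps(settings)


def validation_errors(reply: Dict) -> List[str]:
    """Pull ERROR messages out of a reply (assumed 'messages' layout)."""
    return [m.get("text", "") for m in reply.get("messages", [])
            if m.get("type") == "ERROR"]


def save_data_model(post: PostFn, name: str, description: Dict,
                    acceleration: Optional[str] = None) -> List[str]:
    """Two-step save as POST datamodel/model/{name} documents it.

    The first POST carries provisional=true, which validates the model
    without saving it. Only when that reply has no errors is the same
    request repeated with provisional=false to persist the model.
    Returns the validation errors; an empty list means the model saved.
    """
    path = f"/services/datamodel/model/{name}"
    form = {"description": json.dumps(description)}
    if acceleration is not None:
        form["acceleration"] = acceleration
    errors = validation_errors(post(path, dict(form, provisional="true")))
    if errors:
        return errors  # nothing was written on the server
    post(path, dict(form, provisional="false"))
    return []


def fake_post_factory(log: List[Dict[str, str]]) -> PostFn:
    """Offline stand-in for the REST call: records each request in
    `log` and rejects any description that defines no objects."""
    def post(path: str, form: Dict[str, str]) -> Dict:
        log.append({"path": path, **form})
        if not json.loads(form["description"]).get("objects"):
            return {"messages": [{"type": "ERROR",
                                  "text": "data model has no objects"}]}
        return {"messages": []}
    return post


if __name__ == "__main__":
    calls: List[Dict[str, str]] = []
    # Constructed, minimal description; a real model carries much more.
    desc = {"modelName": "web", "objects": [{"objectName": "Requests"}]}
    print(save_data_model(fake_post_factory(calls), "web", desc,
                          acceleration_param(True, "-1mon", "0 */12 * * *")))
    print([c["provisional"] for c in calls])
```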
Response data keys
Name | Description |
---|---|
acceleration | Indicates whether acceleration is enabled for the data model. |
concise | Indicates whether to list a concise JSON description of the data model. |
description | The JSON describing the data model. |
displayName | The name displayed for the data model in Splunk Web. |
eai:appName | The Splunk Enterprise app in which the data model was created. |
eai:attributes | Field control information. |
eai:userName | The name of the Splunk Enterprise user who created the data model. |
[ Top ]
datamodel/pivot
https://<host>:<mPort>/services/datamodel/pivot/{name}
Description
Provides access to pivots that are based on named data models.
Method summary
Method | Description | Formats |
---|---|---|
GET | List information about the supplied pivot based on the named data model. | XML, JSON |
GET datamodel/pivot
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
pivot_json | String | | JSON specifying a pivot based on the named data model. Typically, you URL encode this parameter. This endpoint requires either this pivot_json parameter or a pivot_search parameter. |
pivot_search | String | | A pivot search command based on the named data model. Typically, you URL encode this parameter. This endpoint requires either a pivot_json or this pivot_search parameter. |
Response data keys
Name | Description |
---|---|
drilldown_search | The search for running this pivot report using drilldown |
open_in_search | Equivalent to search parameter, but listed more simply. |
pivot_json | JSON specifying a pivot based on the named data model. |
pivot_search | A pivot search command based on the named data model. |
search | The search string for running the pivot report |
tstats_search | The search for running this pivot report using tstats |
Application usage
For information on pivot implementation refer to the Splunk Pivot manual.
{name} refers to a data model on the system.
Specify a pivot using either the pivot_search or pivot_json parameter.
[ Top ]
directory
https://<host>:<mPort>/services/directory
Description
Provides access to user configurable objects.
These objects include search commands, UI views, UI navigation, saved searches and event types. This is useful to see which objects are provided by all apps, or by a specific app when the call is namespaced. The specific configuration in restmap.conf is showInDirSvc.
Method summary
Method | Description | Formats |
---|---|---|
GET | Provides an enumeration of app-scoped objects. | XML, JSON |
GET directory
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
None
Application usage
Provides an enumeration of the following app-scoped objects: event types, saved searches, time configurations, views, navs, manager XML, quickstart XML, search commands, macros, tags, field extractions, lookups, workflow actions, field aliases, sourcetype renames.
This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc in restmap.conf.
[ Top ]
directory/{name}
https://<host>:<mPort>/services/directory/{name}
Description
Get information about the {name} directory entity.
Method summary
Method | Description | Formats |
---|---|---|
GET | Displays information about a single entity in the directory service enumeration. | XML, JSON |
GET directory/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
eai:type | Entity type. |
Application usage
This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.
[ Top ]
saved/eventtypes
https://<host>:<mPort>/services/saved/eventtypes
Description
Provides access to saved event types.
Method summary
Method | Description | Formats |
---|---|---|
GET | Retrieve saved event types. | XML, JSON |
POST | Creates a new event type. | XML, JSON |
GET saved/eventtypes
method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Name | Description |
---|---|
description | Description of this event type. |
disabled | Indicates if the event type is disabled. |
eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
search | Search terms for this event type. |
tags | [Deprecated] Tags associated with this event type. Use the tags.conf.spec file to assign tags to groups of events with related field values. |
POST saved/eventtypes
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
name | String | | The name for the event type. |
search | String | | Search terms for this event type. |
description | String | | Human-readable description of this event type. |
disabled | Boolean | 0 | If True, disables the event type. |
priority | Number | 1 | Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
tags | String | | [Deprecated] Use the tags.conf.spec file to assign tags to groups of events with related field values. |
Response data keys
Name | Description |
---|---|
description | Description of this event type. |
disabled | Indicates if this event type is disabled. |
eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
search | Search terms for this event type. |
tags | [Deprecated] Tags associated with this event type. Use the tags.conf.spec file to assign tags to groups of events with related field values. |
[ Top ]
saved/eventtypes/{name}
https://<host>:<mPort>/services/saved/eventtypes/{name}
Description
Manage the {name} event type.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Deletes this event type. | XML, JSON |
GET | Returns information on this event type. | XML, JSON |
POST | Updates this event type. | XML, JSON |
DELETE saved/eventtypes/{name}
method detail
Request parameters
None
Response data keys
None
GET saved/eventtypes/{name}
method detail
Request parameters
None
Response data keys
Name | Description |
---|---|
description | Description of this event type. |
disabled | Indicates if the event type is disabled. |
eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
eai:attributes | Field control information. |
eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
search | Search terms for this event type. |
tags | [Deprecated] Tags associated with this event type. Use the tags.conf.spec file to assign tags to groups of events with related field values. |
POST saved/eventtypes/{name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
search | String | | Search terms for this event type. |
description | String | | Human-readable description of this event type. |
disabled | Boolean | 0 | If True, disables the event type. |
priority | Number | 1 | Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
tags | String | | [Deprecated] Use the tags.conf.spec file to assign tags to groups of events with related field values. |
Response data keys
Name | Description |
---|---|
description | Description of this event type. |
disabled | Indicates if this event type is disabled. |
eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
search | Search terms for this event type. |
tags | [Deprecated] Tags associated with this event type. Use the tags.conf.spec file to assign tags to groups of events with related field values. |
Application usage
The search must be re-specified for this edit.
URI-encode the search string if it contains any of the following characters: =, &, ?, %
Otherwise, these characters can be interpreted as part of the HTTP request.
[ Top ]
search/fields
https://<host>:<mPort>/services/search/fields
Description
Provides management for search field configurations.
Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overridden values in $SPLUNK_HOME/etc/system/local/fields.conf.
Method summary
Method | Description | Formats |
---|---|---|
GET | Returns a list of fields registered for field configuration. | XML, JSON |
GET search/fields
method detail
Request parameters
None
Response data keys
None
[ Top ]
search/fields/{field_name}
https://<host>:<mPort>/services/search/fields/{field_name}
Description
Get information about the {field_name} field.
Method summary
Method | Description | Formats |
---|---|---|
GET | Retrieves information about the named field. | XML, JSON |
GET search/fields/{field_name}
method detail
Request parameters
None
Response data keys
None
[ Top ]
search/fields/{field_name}/tags
https://<host>:<mPort>/services/search/fields/{field_name}/tags
Description
Manage the tags associated with the {field_name} field.
Method summary
Method | Description | Formats |
---|---|---|
GET | Returns a list of tags associated with the field specified by {field_name}. | XML, JSON |
POST | Update the tags associated with the field specified by {field_name}. | XML, JSON |
GET search/fields/{field_name}/tags
method detail
Request parameters
None
Response data keys
None
POST search/fields/{field_name}/tags
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
value | String | | The specific field value on which to bind the tags. |
add | String | | The tag to attach to this field_name:value combination. |
delete | String | | The tag to remove from this field_name::value combination. |
Response data keys
None
Application usage
The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.
You must specify at least one add or delete parameter.
[ Top ]
search/tags
https://<host>:<mPort>/services/search/tags
Description
Provides management of search time tags.
Method summary
Method | Description | Formats |
---|---|---|
GET | Returns a list of all search time tags. | XML, JSON |
GET search/tags
method detail
Request parameters
None
Response data keys
None
[ Top ]
search/tags/{tag_name}
https://<host>:<mPort>/services/search/tags/{tag_name}
Description
Manage {tag_name} values.
Method summary
Method | Description | Formats |
---|---|---|
DELETE | Deletes the tag, and its associated field:value pair assignments. | XML, JSON |
GET | Returns a list of field:value pairs associated with the tag specified by {tag_name}. | XML, JSON |
POST | Updates the field:value pairs associated with {tag_name}. | XML, JSON |
DELETE search/tags/{tag_name}
method detail
Request parameters
None
Response data keys
None
Application usage
The resulting change in tags.conf is to set all field:value pairs to disabled.
GET search/tags/{tag_name}
method detail
Request parameters
None
Response data keys
None
POST search/tags/{tag_name}
method detail
Request parameters
Name | Type | Default | Description |
---|---|---|---|
add | String | | A field:value pair to tag with {tag_name}. |
delete | String | | A field:value pair to remove from {tag_name}. |
Response data keys
None
Application usage
Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then deletes.
If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.
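Two details on this page trip up scripted clients: the event type search must be form-encoded when it contains =, &, ? or % (saved/eventtypes above), and the tag endpoints take repeated add and delete parameters that the server applies adds-first, then deletes, answering 201 when the tag is created inline. The following added example (not Splunk's own code, and not the Splunk SDK) builds those request bodies with the standard library, predicts the resulting field:value set under the documented ordering, and maps the status code; the paths are the ones listed on this page and no network call is made.

```python
"""Build form bodies for saved/eventtypes/{name} and search/tags/{tag_name}.

Added example, not Splunk's own code. Only the request (path, body,
headers) is constructed; sending it over HTTPS with authentication is
left to the caller.
"""
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import parse_qsl, urlencode

Request = Tuple[str, str, Dict[str, str]]  # (path, body, headers)
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


def eventtype_update_request(name: str, search: str, **fields: str) -> Request:
    """POST saved/eventtypes/{name}.

    The search is re-specified on every edit and form-encoded so that
    =, &, ? and % inside it are not read as part of the HTTP request.
    """
    pairs = [("search", search)] + sorted(fields.items())
    return (f"/services/saved/eventtypes/{name}", urlencode(pairs), FORM_HEADERS)


def tag_update_request(tag_name: str, adds: Iterable[str] = (),
                       deletes: Iterable[str] = ()) -> Request:
    """POST search/tags/{tag_name} with repeated add/delete parameters.

    At least one add or delete is required, as the reference states.
    """
    pairs = [("add", v) for v in adds] + [("delete", v) for v in deletes]
    if not pairs:
        raise ValueError("at least one add or delete parameter is required")
    return (f"/services/search/tags/{tag_name}", urlencode(pairs), FORM_HEADERS)


def apply_server_order(existing: Set[str], body: str) -> Set[str]:
    """Predict the final field:value set for a tag.

    The server processes all adds first and then all deletes, so a pair
    named in both ends up removed. Run this before sending to confirm
    the request does what you intend.
    """
    parsed = parse_qsl(body)
    result = set(existing)
    result.update(v for k, v in parsed if k == "add")
    result.difference_update(v for k, v in parsed if k == "delete")
    return result


def describe_tag_response(status: int) -> str:
    """201 signals a tag created inline; 200 an existing tag updated."""
    return {200: "existing tag updated",
            201: "tag did not exist and was created inline"}.get(
                status, f"unexpected status {status}")


if __name__ == "__main__":
    # Constructed search containing every character the page says to encode.
    path, body, _ = eventtype_update_request(
        "web_error", 'sourcetype=access_combined status>=500 user="a&b" pct=100%')
    print(path, body)
    path, body, _ = tag_update_request(
        "privileged", adds=["user::root", "user::admin"], deletes=["user::guest"])
    print(path, body, apply_server_order({"user::guest"}, body))
    print(describe_tag_response(201))
```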
[ Top ]
services/admin/summarization
https://<host>:<mPort>/services/admin/summarization/?by_tstats=1
Description
Review data model acceleration information.
Authentication: Required. Authorization to access data model acceleration information is role-based.
Method summary
Method | Description | Formats |
---|---|---|
GET | Returns a list of field:value pairs giving current data model acceleration information. | XML, JSON |
[ Top ]
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11