Splunk® Enterprise

REST API Reference Manual

This documentation does not apply to the most recent version of Splunk.

Output endpoint descriptions

Manage data from Splunk platform forwarders.

  • Note: Username and password authentication is required for most endpoints and REST operations. Additional capability or role-based authorization may also be required, particularly for POST or DELETE operations.



data/outputs/tcp/default

https://<host>:<mPort>/services/data/outputs/tcp/default


Description

Provides access to global TCP out properties.

Method summary

Method Description Formats
GET Returns the current tcpout properties. XML, JSON
POST Configures global tcpout properties. XML, JSON

GET data/outputs/tcp/default method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
autoLB Specifies whether Auto Load balance method is used.
defaultGroup Target group names. The forwarder sends all data to the specified groups.

Starting with 4.2, this attribute is no longer required.

disabled Indicates if tcpout settings are disabled.
forwardedindex.0.whitelist Specifies 0th whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.1.blacklist Specifies 1st blacklist filter. forwardedindex.<n>.blacklist specifies index for which events are not forwarded.
forwardedindex.2.whitelist Specifies 2nd whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.filter.disable Specifies whether filtering of forwarded data based on index is disabled.
indexAndForward Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

See the parameter description for the POST operation for more information.


POST data/outputs/tcp/default method detail

Example

Request parameters
Name Type Default Description
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

name (required) String Configuration to be edited. The only valid value is "tcpout".
sendCookedData Boolean If true, events are cooked (processed by Splunk Enterprise). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.

Response data keys

None
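
The maxQueueSize and dropEventsOnQueueFull rules above, worked through in code. This is an added example, not part of the Splunk documentation; the function names are hypothetical and the byte multipliers are an assumption, since the page does not say whether KB means 1000 or 1024 bytes.

```python
import re

BLOCK_BYTES = 64 * 1024  # page: "A block of data is approximately 64KB"
# Assumption: KB/MB/GB are binary multiples; the page does not specify.
UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def interpret_max_queue_size(value, parsed=True, use_ack=False):
    """Explain a maxQueueSize value the way this page describes it.

    parsed  -- True for a heavy forwarder sending parsed data (counts events),
               False for a non-parsing forwarder (counts ~64KB data blocks).
    use_ack -- True when indexer acknowledgment (useACK=true) is enabled,
               which adds a separate wait queue of 3x the configured size.
    """
    match = re.fullmatch(r"(\d+)(KB|MB|GB)?", str(value).strip(), re.IGNORECASE)
    if match is None:
        # Also rejects "auto", the group default, which this page does not define.
        raise ValueError(f"not an integer or integer[KB|MB|GB]: {value!r}")
    number, suffix = int(match.group(1)), match.group(2)

    if suffix:
        # Integer with a unit: a cap on the RAM buffer itself.
        unit = "bytes"
        size = number * UNIT_BYTES[suffix.upper()]
        ram = size
    else:
        # Lone integer: a count of events (parsed) or data blocks (unparsed).
        unit = "events" if parsed else "blocks"
        size = number
        # Event size varies, so RAM is only estimated for block counts.
        ram = None if parsed else number * BLOCK_BYTES

    return {
        "unit": unit,
        "output_queue": size,
        "wait_queue": size * 3 if use_ack else None,
        "approx_output_queue_ram_bytes": ram,
    }


def on_queue_full(drop_events_on_queue_full=-1):
    """Return ("block", None) or ("drop", seconds) for a full output queue."""
    seconds = int(drop_events_on_queue_full)
    if seconds > 0:
        # New events are thrown away after this many seconds: data loss.
        return ("drop", seconds)
    if seconds in (-1, 0):
        # The queue blocks, and the blocking propagates up the processing chain.
        return ("block", None)
    raise ValueError("the page defines only -1, 0 and positive values")


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real deployment.
    samples = [
        {"maxQueueSize": "500KB", "parsed": False, "use_ack": True, "drop": -1},
        {"maxQueueSize": "100", "parsed": False, "use_ack": False, "drop": 30},
        {"maxQueueSize": "100", "parsed": True, "use_ack": True, "drop": 0},
    ]
    for s in samples:
        queue = interpret_max_queue_size(s["maxQueueSize"], s["parsed"], s["use_ack"])
        print(s["maxQueueSize"], queue, on_queue_full(s["drop"]))
```

A "drop" result on a forwarder that carries audit or security logs means events can be lost silently while receivers are unreachable, which is worth alerting on.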



data/outputs/tcp/default/{name}

https://<host>:<mPort>/services/data/outputs/tcp/default/{name}

Description

Manage forwarder settings.

Method summary

Method Description Formats
DELETE Disable the default forwarding settings. XML, JSON
GET Retrieve the named configuration. XML, JSON
POST Configure global forwarding properties. XML, JSON

DELETE data/outputs/tcp/default/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/default/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The only valid name here is "tcpout".


POST data/outputs/tcp/default/{name} method detail

Example

Request parameters
Name Type Default Description
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

sendCookedData Boolean If true, events are cooked (processed by Splunk Enterprise). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.

Response data keys

None



data/outputs/tcp/group

https://<host>:<mPort>/services/data/outputs/tcp/group

Description

Provides access to the configuration of a group of one or more data forwarding destinations.

Method summary

Method Description Formats
GET Returns configuration information about target groups. XML, JSON
POST Configures a group of one or more data forwarding destinations. XML, JSON

GET data/outputs/tcp/group method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Indicates if tcpout is disabled for this group.
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.

POST data/outputs/tcp/group method detail

Example

Request parameters
Name Type Default Description
compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number auto Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

name (required) String The name of the group of receivers.
sendCookedData Boolean true If true, send cooked events (events processed by Splunk).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.

servers (required) String Comma-separated list of servers to include in the group.

Response data keys

None



data/outputs/tcp/group/{name}

https://<host>:<mPort>/services/data/outputs/tcp/group/{name}

Description

Manage the {name} target group.

Method summary

Method Description Formats
DELETE Deletes the target group specified by {name}. XML, JSON
GET Returns configuration information about the target group specified by {name}. XML, JSON
POST Updates the configuration of the target group. XML, JSON

DELETE data/outputs/tcp/group/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/group/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
autoLB Indicates if the forwarder performs automatic load balancing.

See the description for the autoLB parameter in POST data/outputs/tcp/group for details.

disabled Indicates if tcpout is disabled for this group.
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.

POST data/outputs/tcp/group/{name} method detail

Example

Request parameters
Name Type Default Description
compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number auto Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

sendCookedData Boolean true If true, send cooked events (events processed by Splunk).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.

servers (required) String Comma-separated list of servers to include in the group.

Response data keys

None



data/outputs/tcp/server

https://<host>:<mPort>/services/data/outputs/tcp/server

Description

Provides access to data forwarding configurations.

Method summary

Method Description Formats
GET Lists existing forwarded servers. XML, JSON
POST Creates a new forwarder output. XML, JSON

GET data/outputs/tcp/server method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
disabled Indicates if output to the destination server is disabled.
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)

sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.

POST data/outputs/tcp/server method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables the forwarder.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

name (required) String <host>:<port> of the Splunk Enterprise receiver. <host> can be either an IP address or server name. <port> is the port that the Splunk receiver is listening on.
sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk Enterprise CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.

Response data keys

None
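
A pre-flight check for the request body of POST data/outputs/tcp/server, applying the parameter rules in the table above before anything is sent. This is an added example, not part of the Splunk documentation; the function name, the finding format, the accepted boolean spellings and the sample values are assumptions.

```python
VALID_METHODS = ("clone", "balance", "autobalance")  # enum listed on this page
DEFAULT_CACERT_PASSWORD = "password"                 # default quoted on this page


def _is_true(value):
    # Assumption: booleans arrive as Python bools or as "true"/"1" strings.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1")


def check_tcp_server_params(params):
    """Return a list of (severity, parameter, message) findings."""
    findings = []

    # name is required and must be <host>:<port>.
    host, sep, port = str(params.get("name", "")).rpartition(":")
    if not (sep and host and port.isdecimal() and 0 < int(port) < 65536):
        findings.append(("error", "name", "must be <host>:<port>"))

    method = params.get("method")
    if method is not None and method not in VALID_METHODS:
        findings.append(("error", "method", "not one of clone | balance | autobalance"))

    # Per the page, the connection uses SSL when sslCertPath is specified.
    uses_ssl = bool(params.get("sslCertPath"))
    verify = _is_true(params.get("sslVerifyServerCert", False))

    if not uses_ssl:
        findings.append(("warn", "sslCertPath", "not set, so the request does not turn on SSL"))
    elif not verify:
        findings.append(("warn", "sslVerifyServerCert", "SSL without server certificate verification"))

    # The page requires sslCommonNameToCheck whenever verification is on.
    if verify and not params.get("sslCommonNameToCheck"):
        findings.append(("error", "sslCommonNameToCheck", "required when sslVerifyServerCert is true"))

    if params.get("sslPassword") == DEFAULT_CACERT_PASSWORD:
        findings.append(("warn", "sslPassword", "default CAcert password in use"))

    # Mirror the exclusions in the page's cipher form: !aNULL and !eNULL.
    cipher = params.get("sslCipher")
    if cipher:
        tokens = cipher.split(":")
        for excluded in ("!aNULL", "!eNULL"):
            if excluded not in tokens:
                findings.append(("warn", "sslCipher", f"does not exclude {excluded[1:]}"))
    return findings


# Constructed request bodies; host names, paths and passwords are placeholders.
WEAK = {
    "name": "idx1.example.com:9997",
    "sslCertPath": "/path/to/client.pem",
    "sslPassword": "password",
    "sslVerifyServerCert": "true",
}
HARDENED = {
    "name": "idx1.example.com:9997",
    "method": "autobalance",
    "sslCertPath": "/path/to/client.pem",
    "sslRootCAPath": "/path/to/ca.pem",
    "sslPassword": "constructed-non-default-value",
    "sslVerifyServerCert": "true",
    "sslCommonNameToCheck": "idx1.example.com",
    "sslCipher": "HIGH:!aNULL:!eNULL",
}

if __name__ == "__main__":
    for label, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_tcp_server_params(body))
```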



data/outputs/tcp/server/{name}

https://<host>:<mPort>/services/data/outputs/tcp/server/{name}

Description

Manage the {name} forwarder.

Method summary

Method Description Formats
DELETE Deletes the configuration for the forwarded server specified by {name}. XML, JSON
GET Lists information about the forwarded server specified by {name}. XML, JSON
POST Configures the forwarded server specified by {name}. XML, JSON

DELETE data/outputs/tcp/server/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/server/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Indicates if output to the destination server is disabled.
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)


POST data/outputs/tcp/server/{name} method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables the forwarder.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk Enterprise CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.

Response data keys

None



data/outputs/tcp/server/{name}/allconnections

https://<host>:<mPort>/services/data/outputs/tcp/server/{name}/allconnections

Description

Get {name} forwarder connections.

Method summary

Method Description Formats
GET List current connections to forwarded server specified by {name} XML, JSON

GET data/outputs/tcp/server/{name}/allconnections method detail

Example

Request parameters

None

Response data keys
Name Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.



data/outputs/tcp/syslog

https://<host>:<mPort>/services/data/outputs/tcp/syslog

Description

Provides access to the configuration of a forwarded server configured to provide data in standard syslog format.

Method summary

Method Description Formats
GET Provides access to syslog data forwarding configurations. XML, JSON
POST Configures a forwarder to send data in standard syslog format. XML, JSON

GET data/outputs/tcp/syslog method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Specifies whether global syslog configuration is disabled.
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values: (tcp | udp).

POST data/outputs/tcp/syslog method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables global syslog settings.
name (required) String Name of the syslog output group. This is the name used when creating the syslog configuration in outputs.conf.
priority Number Sets syslog priority value.

The priority value should be specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

server String host:port of the server where syslog data should be sent
syslogSourceType String Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.

This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receive this special treatment.

To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example:

syslogSourcetype = sourcetype::apache_common

Data that is "syslog" or matches this setting is assumed to already be in syslog format.

Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk Enterprise causes arbitrary log data to match syslog expectations.

timestampformat String Format of timestamp to add at start of the events to be forwarded.

The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

type String Protocol to use to send syslog data. Valid values: (tcp | udp).

Response data keys

None



data/outputs/tcp/syslog/{name}

https://<host>:<mPort>/services/data/outputs/tcp/syslog/{name}

Description

Manage configuration for the {name} forwarder.

Method summary

Method Description Formats
DELETE Deletes the configuration for the forwarder specified by {name} that sends data in syslog format. XML, JSON
GET Returns configuration information for the forwarder specified by {name} that sends data in standard syslog format XML, JSON
POST Updates the configuration of the forwarder specified by {name} that sends data in syslog format. XML, JSON

DELETE data/outputs/tcp/syslog/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/outputs/tcp/syslog/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Specifies whether global syslog configuration is disabled.
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values: (tcp | udp).

POST data/outputs/tcp/syslog/{name} method detail

Example

Request parameters
Name Type Default Description
disabled Boolean If true, disables global syslog settings.
priority Number Sets syslog priority value.

The priority value should be specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

server String host:port of the server where syslog data should be sent
syslogSourceType String Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.

This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receive this special treatment.

To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example:

syslogSourcetype = sourcetype::apache_common

Data that is "syslog" or matches this setting is assumed to already be in syslog format.

Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk Enterprise causes arbitrary log data to match syslog expectations.

timestampformat String Format of timestamp to add at start of the events to be forwarded.

The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

type String Protocol to use to send syslog data. Valid values: (tcp | udp).

Response data keys

None



This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

