Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.
Access endpoint descriptions
Access and manage user credentials.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication is required for access to endpoints and REST operations.
Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.
App and user context
Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.
Splunk Cloud Platform URL for REST API access
Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Use the following URL for Splunk Cloud Platform deployments. If necessary, submit a support case using the Splunk Support Portal to open port 8089 on your deployment.
https://<deployment-name>.splunkcloud.com:8089
Free trial Splunk Cloud Platform accounts cannot access the REST API.
See Access requirements and limitations for the Splunk Cloud Platform REST API in the REST API Tutorials manual for more information.
admin/Duo-MFA
Configure Duo Multifactor authentication.
Authentication and Authorization
Requires the change_authentication capability.
Usage details
Disable any SSO configurations, such as SAML, before enabling Duo authentication for the first time. Duo only works with local auth types.
GET
List Duo Multifactor configuration settings.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| name | Configuration stanza name |
| integrationKey | Duo integration key for Splunk. Must be of size = 20. |
| secretKey | Shared secret key between Splunk and Duo. |
| apiHostname | Duo REST API endpoint used by Splunk for multifactor authentication |
| appSecretKey | Splunk application specific secret key. Must be a random generated hex of length 40 or more. |
| failOpen | Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
|
| timeout | Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds. |
| sslVersions | SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
|
| cipherSuite | Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
|
| ecdhCurves | ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
|
| sslVerifyServerCert | Boolean indicating if Duo server certificate verification is required. Defaults to false.
|
| sslRootCAPath | Full path of the certificate to be used for certificate verification if sslVerifyServerCert is true.
|
| sslCommonNameToCheck | Common name to verify if sslVerifyServerCert is true.
|
| sslAltNameToCheck | Alternate name to verify if sslVerifyServerCert is true.
|
| useClientSSLCompression | Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.
|
Example request and response
XML Request
admin:changeme -X GET https://localhost:8089/services/admin/Duo-MFA
XML Response
<title>Duo-MFA</title>
<id>https://localhost:8089/services/admin/Duo-MFA</id>
<updated>2016-07-26T11:05:14-07:00</updated>
<generator build="321df14f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Duo-MFA/_new" rel="create"/>
<link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>duo-mfa</title>
<id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
<updated>2016-07-26T11:05:14-07:00</updated>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
<s:key name="appSecretKey">$1$cQdFd4+XlOrAfgBgQEwe+VevD/MOOfFTIA4vwoaFnCX0V0TO8ZsCsKQ=</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="failOpen">0</s:key>
<s:key name="integrationKey">$1$RHhrEPy965XhV3kSQmB/zyf6IZV/</s:key>
<s:key name="secretKey">$1$A3t8AvuwwoDzSgUgB1x50FesOpd0ZKBWaHR5xY6uqWeaB02vsuFh4KQ=</s:key>
<s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
<s:key name="sslRootCAPath">/home/mkandaswamy/git/splunkApp/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
<s:key name="sslVerifyServerCert">true</s:key>
<s:key name="sslVersions">tls1.2</s:key>
<s:key name="timeout">5</s:key>
<s:key name="useClientSSLCompression">true</s:key>
</s:dict>
</content>
</entry>
POST
Create a Duo Multifactor configuration.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. Configuration stanza name |
| integrationKey | See description | Required. Duo integration key for Splunk. Must be of size = 20. |
| secretKey | See description | Required. Shared secret key between Splunk and Duo. |
| apiHostname | See description | Required. Duo REST API endpoint used by Splunk for multifactor authentication |
| appSecretKey | See description | Required. Splunk application specific secret key. Must be a random generated hex of length 40 or more. |
| failOpen | Boolean | Optional. Indicates whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
|
| timeout | Positive integer | Optional. Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
|
| sslVersions | See description | Optional. SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
|
| cipherSuite | See description | Optional. Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
|
| ecdhCurves | See description | Optional. ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
|
| sslVerifyServerCert | Boolean | Optional. Indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
|
| sslRootCAPath | See description | Optional. Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
|
| sslCommonNameToCheck | See description | Optional. Common name to verify if sslVerifyServerCert is true.
|
| sslAltNameToCheck | See description | Optional. Alternate name to verify if sslVerifyServerCert is true.
|
| useClientSSLCompression | See description | Optional. Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.
|
Returned values
| Name | Description |
|---|---|
| name | Configuration stanza name |
| integrationKey | Duo integration key for Splunk. Must be of size = 20. |
| secretKey | Shared secret key between Splunk and Duo. |
| apiHostname | Duo REST API endpoint used by Splunk for multifactor authentication |
| appSecretKey | Splunk application specific secret key. Must be a random generated hex of length 40 or more. |
| failOpen | Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
|
| timeout | Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
|
| sslVersions | SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
|
| cipherSuite | Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
|
| ecdhCurves | ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
|
| sslVerifyServerCert | Boolean that indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
|
| sslRootCAPath | Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
|
| sslCommonNameToCheck | Common name to verify if sslVerifyServerCert is true.
|
| sslAltNameToCheck | Alternate name to verify if sslVerifyServerCert is true.
|
| useClientSSLCompression | Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.
|
Example request and response
XML Request
curl -k -u admin:changeme -X POST https://localhost:8089/services/admin/Duo-MFA/duo-mfa -d integrationKey=DIOXYOKGDJNK4JRRT0KT -d secretKey=DABZXYbRVW2yqvTM6fPVMkbgxBna0HTuYa9XuCQ2 -d appSecretKey=56a15e48ec796f3d6ee2763b088f8ca77109692c -d apiHostname=api-cc7a8eab.duosecurity.com -d failOpen=false -d timeout=10 -d sslVersions=tls1.2 -d sslCommonNameToCheck=*.duosecurity.com -d useClientSSLCompression=true -d sslVerifyServerCert=true -d sslRootCAPath=/home/user1/git/example/splunk/etc/auth/DigiCertHighAssuranceEVRootCA.pem
XML Response
<title>Duo-MFA</title>
<id>https://localhost:8089/services/admin/Duo-MFA</id>
<updated>2016-09-21T14:54:43-07:00</updated>
<generator build="3fe21d2159a8" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Duo-MFA/_new" rel="create"/>
<link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>duo-mfa</title>
<id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
<updated>2016-09-21T14:54:43-07:00</updated>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
<s:key name="appSecretKey">****************************************</s:key>
<s:key name="cipherSuite">TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="failOpen">0</s:key>
<s:key name="integrationKey">$1$W0/LVm4ziyz2U1HZEP8Xzn8WWRa1</s:key>
<s:key name="secretKey">****************************************</s:key>
<s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
<s:key name="sslRootCAPath">/home/user1/git/example/splunk/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
<s:key name="sslVerifyServerCert">true</s:key>
<s:key name="sslVersions">tls1.2</s:key>
<s:key name="timeout">10</s:key>
<s:key name="useClientSSLCompression">true</s:key>
</s:dict>
</content>
</entry>
admin/Duo-MFA/{name}
Access and manage the {name} Duo Multifactor configuration.
Authentication and Authorization
Requires the change_authentication capability.
GET
List the {name} Duo Multifactor configuration settings.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| name | Configuration stanza name |
| integrationKey | Duo integration key for Splunk. Must be of size = 20. |
| secretKey | Shared secret key between Splunk and Duo. |
| apiHostname | Duo REST API endpoint used by Splunk for multifactor authentication |
| appSecretKey | Splunk application specific secret key. Must be a random generated hex of length 40 or more. |
| failOpen | Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
|
| timeout | Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds. |
| sslVersions | SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
|
| cipherSuite | Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
|
| ecdhCurves | ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
|
| sslVerifyServerCert | Boolean indicating if Duo server certificate verification is required. Defaults to false.
|
| sslRootCAPath | Full path of the certificate to be used for certificate verification if sslVerifyServerCert is true.
|
| sslCommonNameToCheck | Common name to verify if sslVerifyServerCert is true.
|
| sslAltNameToCheck | Alternate name to verify if sslVerifyServerCert is true.
|
| useClientSSLCompression | Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.
|
Example request and response
XML Request
admin:changeme -X GET https://localhost:8089/services/admin/Duo-MFA
XML Response
<title>Duo-MFA</title>
<id>https://localhost:8089/services/admin/Duo-MFA</id>
<updated>2016-07-26T11:05:14-07:00</updated>
<generator build="321df14f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Duo-MFA/_new" rel="create"/>
<link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>duo-mfa</title>
<id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
<updated>2016-07-26T11:05:14-07:00</updated>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
<s:key name="appSecretKey">$1$cQdFd4+XlOrAfgBgQEwe+VevD/MOOfFTIA4vwoaFnCX0V0TO8ZsCsKQ=</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="failOpen">0</s:key>
<s:key name="integrationKey">$1$RHhrEPy965XhV3kSQmB/zyf6IZV/</s:key>
<s:key name="secretKey">$1$A3t8AvuwwoDzSgUgB1x50FesOpd0ZKBWaHR5xY6uqWeaB02vsuFh4KQ=</s:key>
<s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
<s:key name="sslRootCAPath">/home/mkandaswamy/git/splunkApp/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
<s:key name="sslVerifyServerCert">true</s:key>
<s:key name="sslVersions">tls1.2</s:key>
<s:key name="timeout">5</s:key>
<s:key name="useClientSSLCompression">true</s:key>
</s:dict>
</content>
</entry>
POST
Update the {name} Duo Multifactor configuration.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Configuration stanza name |
| integrationKey | See description | Duo integration key for Splunk. Must be of size = 20. |
| secretKey | See description | Shared secret key between Splunk and Duo. |
| apiHostname | See description | Duo REST API endpoint used by Splunk for multifactor authentication |
| appSecretKey | See description | Splunk application specific secret key. Must be a random generated hex of length 40 or more. |
| failOpen | Boolean | Indicates whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
|
| timeout | Positive integer | Optional. Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
|
| sslVersions | See description | Optional. SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
|
| cipherSuite | See description | Optional. Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
|
| ecdhCurves | See description | Optional. ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
|
| sslVerifyServerCert | Boolean | Optional. Indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
|
| sslRootCAPath | See description | Optional. Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
|
| sslCommonNameToCheck | See description | Optional. Common name to verify if sslVerifyServerCert is true.
|
| sslAltNameToCheck | See description | Optional. Alternate name to verify if sslVerifyServerCert is true.
|
| useClientSSLCompression | See description | Optional. Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.
|
Returned values
| Name | Description |
|---|---|
| name | Configuration stanza name |
| integrationKey | Duo integration key for Splunk. Must be of size = 20. |
| secretKey | Shared secret key between Splunk and Duo. |
| apiHostname | Duo REST API endpoint used by Splunk for multifactor authentication |
| appSecretKey | Splunk application specific secret key. Must be a random generated hex of length 40 or more. |
| failOpen | Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
|
| timeout | Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
|
| sslVersions | SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
|
| cipherSuite | Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
|
| ecdhCurves | ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
|
| sslVerifyServerCert | Boolean that indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
|
| sslRootCAPath | Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
|
| sslCommonNameToCheck | Common name to verify if sslVerifyServerCert is true.
|
| sslAltNameToCheck | Alternate name to verify if sslVerifyServerCert is true.
|
| useClientSSLCompression | Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.
|
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/Duo-MFA/duo-mfa -d failOpen=0
XML Response
<title>Duo-MFA</title>
<id>https://localhost:8089/services/admin/Duo-MFA</id>
<updated>2016-07-26T11:03:58-07:00</updated>
<generator build="321d123f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Duo-MFA/_new" rel="create"/>
<link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>duo-mfa</title>
<id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
<updated>2016-07-26T11:03:58-07:00</updated>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
<link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
<s:key name="appSecretKey">$1$cQdFd4+XlOrAfgBgQEwe+VevD/MOOfFTIA4vwoaFnCX0123TO8ZsCsKQ=</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="failOpen">0</s:key>
<s:key name="integrationKey">$1$RHhrEPy123XhV3kSQmB/zyf6IZV/</s:key>
<s:key name="secretKey">$1$A3t8AvuwwoDzSgUgB1x50FesOpd0123WaHR5xY6uqWeaB02vsuFh4KQ=</s:key>
<s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
<s:key name="sslRootCAPath">/home/user/git/splunkApp/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
<s:key name="sslVerifyServerCert">true</s:key>
<s:key name="sslVersions">tls1.2</s:key>
<s:key name="timeout">5</s:key>
<s:key name="useClientSSLCompression">true</s:key>
</s:dict>
</content>
</entry>
DELETE
Delete the {name} Duo Multifactor configuration.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/admin/Duo-MFA/duo-mfa
XML Response
...
<title>Duo-MFA</title>
<id>https://localhost:8089/services/admin/Duo-MFA</id>
<updated>2016-07-26T11:06:00-07:00</updated>
<generator build="321df14f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Duo-MFA/_new" rel="create"/>
<link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages>
<s:msg type="WARN">No active Duo MFA configuration to list.</s:msg>
</s:messages>
RSA multifactor authentication REST API usage details
Splunk Enterprise users can configure RSA user authentication using the REST API.
You can use the RSA multifactor authentication REST API to configure RSA authentication and to verify that the authentication is configured correctly.
- To configure multifactor authentication for Splunk Web, you use the
/services/admin/Rsa-MFAendpoint. To enable CLI and management port, set the parameterenableMfaAuthRestto true. - To verify the authentication, you use the
/services/admin/Rsa-MFA-config-verify/endpoint.
Authentication and Authorization
Requires the change_authentication capability.
To learn more about using RSA multifactor authentication, see About multifactor authentication with RSA Authentication Manager in Securing Splunk Enterprise.
admin/Rsa-MFA
Configure RSA multifactor authentication.
GET
List the RSA Authentication Manager configuration settings.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| name | Configuration stanza name |
| authManagerUrl | URL of REST endpoint of RSA Authentication Manager. |
| accessKey | Access key needed by Splunk to communicate with RSA Authentication Manager. Note that this value is hidden output. |
| clientId | Agent name created on RSA Authentication Manager is clientId. |
| failOpen | If true, allow login in case authentication server is unavailable. |
| timeout | It determines the connection timeout in seconds for the outbound HTTPS connection. |
| messageOnError | Message that will be shown to user in case of login failure. |
| enableMfaAuthRest | If true, enable authentication of REST calls. |
| caCertBundlePayload | SSL certificate chain return by RSA server. |
| replicateCertificates | If enabled, RSA certificate files are replicated across search head cluster setup. |
Example request and response
XML Request
curl -k -u admin:changeme -X GET https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA/rsa-mfa
XML Response
...
<title>Rsa-MFA</title>
<id>https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA</id>
<updated>2018-04-03T12:42:27-07:00</updated>
<generator build="80906e769c378b3c090160fc090717553dd4e8ef" version="20180331"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Rsa-MFA/_new" rel="create"/>
<link href="/services/admin/Rsa-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>rsa-mfa</title>
<id>https://ronnie.sv.splunk.com:8130/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="list"/>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="edit"/>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="remove"/>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="accessKey">****************************************</s:key>
<s:key name="authManagerCertPath">etc/auth/rsa-2fa/cert.pem</s:key>
<s:key name="authManagerUrl">https://qa-rsaam-002.sv.splunk.com:5555</s:key>
<s:key name="clientId">ronnie.splunk.com</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="enableMfaAuthRest">false</s:key>
<s:key name="failOpen">1</s:key>
<s:key name="messageOnError">Please_contact_admin</s:key>
<s:key name="timeout">10</s:key>
</s:dict>
</content>
</entry>
POST
Edit the RSA Authentication Manager configuration.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. Name of RSA configuration stanza |
| authManagerUrl | String | Required. URL of REST endpoint of RSA Authentication Manager. |
| accessKey | String | Required. Access key needed by Splunk to communicate with RSA Authentication Manager. |
| clientId | String | Required. Agent name created on RSA Authentication Manager is clientId. |
| failOpen | Boolean | Optional. If true, allow login in case authentication server is unavailable. |
| timeout | Integer | Optional. It determines the connection timeout in seconds for the outbound HTTPS connection. |
| messageOnError | String | Optional. Message that will be shown to user in case of login failure. |
| enableMfaAuthRest | Boolean | Optional. If true, enable authentication of REST calls. |
| caCertBundlePayload | String | Required. SSL certificate chain return by RSA server. |
| replicateCertificates | Boolean | If enabled, RSA certificate files will be replicated across search head cluster setup. |
Returned values
| Name | Description |
|---|---|
| name | Configuration stanza name |
| authManagerUrl | URL of REST endpoint of RSA Authentication Manager. |
| accessKey | Access key needed by Splunk to communicate with RSA Authentication Manager. Note that this value is hidden output. |
| clientId | Agent name created on RSA Authentication Manager is clientId. |
| failOpen | If true, allow login in case authentication server is unavailable. |
| timeout | It determines the connection timeout in seconds for the outbound HTTPS connection. |
| messageOnError | Message that will be shown to user in case of login failure. |
| enableMfaAuthRest | If true, enable authentication of REST calls. |
| caCertBundlePayload | SSL certificate chain return by RSA server. |
| replicateCertificates | If enabled, RSA certificate files will be replicated across search head cluster setup. |
Example request and response
XML Request
curl -k -u admin:Splunk_123 -X POST https://localhost:8092/services/admin/Rsa-MFA -d name=rsa-mfa -d timeout=10 -d failOpen=true -d authManagerUrl=https://rsa-auth-manager.company.com:5555 -d accessKey=sdrf23ri90jn00i -d clientId=linux-vm -d messageOnError=Please_contact_admin -d caCertBundlePayload=-----BEGIN%20CERTIFICATE-----%0AMIIF8jCCBNqgAwIBAgIQDmTF%2B8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw%0AMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3%0Ad3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz%0AdXJhbmNlIFNlcnZlciBDQTAeFw0xNTExMDMwMDAwMDBaFw0xODExMjgxMjAwMDBa%0AMIGlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxML%0ATG9zIEFuZ2VsZXMxPDA6BgNVBAoTM0ludGVybmV0IENvcnBvcmF0aW9uIGZvciBB%0Ac3NpZ25lZCBOYW1lcyBhbmQgTnVtYmVyczETMBEGA1UECxMKVGVjaG5vbG9neTEY%0AMBYGA1UEAxMPd3d3LmV4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A%0AMIIBCgKCAQEAs0CWL2FjPiXBl61lRfvvE0KzLJmG9LWAC3bcBjgsH6NiVVo2dt6u%0AXfzi5bTm7F3K7srfUBYkLO78mraM9qizrHoIeyofrV%2Fn%2BpZZJauQsPjCPxMEJnRo%0AD8Z4KpWKX0LyDu1SputoI4nlQ%2FhtEhtiQnuoBfNZxF7WxcxGwEsZuS1KcXIkHl5V%0ARJOreKFHTaXcB1qcZ%2FQRaBIv0yhxvK1yBTwWddT4cli6GfHcCe3xGMaSL328Fgs3%0AjYrvG29PueB6VJi%2FtbbPu6qTfwp%2FH1brqdjh29U52Bhb0fJkM9DWxCP%2FCattcc7a%0Az8EXnCO%2BLK8vkhw%2FkAiJWPKx4RBvgy73nwIDAQABo4ICUDCCAkwwHwYDVR0jBBgw%0AFoAUUWj%2FkK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFKZPYB4fLdHn8SOgKpUW%0A5Oia6m5IMIGBBgNVHREEejB4gg93d3cuZXhhbXBsZS5vcmeCC2V4YW1wbGUuY29t%0AggtleGFtcGxlLmVkdYILZXhhbXBsZS5uZXSCC2V4YW1wbGUub3Jngg93d3cuZXhh%0AbXBsZS5jb22CD3d3dy5leGFtcGxlLmVkdYIPd3d3LmV4YW1wbGUubmV0MA4GA1Ud%0ADwEB%2FwQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0f%0ABG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2Vy%0AdmVyLWc0LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTIt%0AaGEtc2VydmVyLWc0LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG%2FWwBATAqMCgGCCsG%0AAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCB%0AgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy%0AdC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E%0AaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB%2FwQC%0AMAAwDQYJKoZIhvcNAQELBQADggEBAISomhGn2L0LJn5SJHuyVZ3qMIlRCIdvqe0Q%0A6ls%2BC8ctRwRO3UU3x8q8OH%2B2ahxlQmpzdC5al4XQzJLiLjiJ2Q1p%2Bhub8MFiMmVP%0APZjb2tZm2ipWVuMRM%2BzgpRVM6nVJ9F3vFfUSHOb4%2FJsEIUvPY%2Bd8%2FKrc%2BkPQwLvy%0AieqRbcuFjmqfyPmUv1U9QoI4TQikpw7TZU0zYZANP4C%2Fgj4Ry48%2FznmUaRvy2kvI%0Al7gRQ21qJTK5suoiYoYNo3J9T%2BpXPGU7Lydz%2FHwW%2Bw0DpArtAaukI8aNX4ohFUKS%0AwDSiIIWIWJiJGbEeIO0TIFwEVWTOnbNl%2FfaPXpk5IRXicapqiII%3D%0A-----END%20CERTIFICATE--
XML Response
...
<title>Rsa-MFA</title>
<id>https://localhost:8092/services/admin/Rsa-MFA</id>
<updated>2018-08-09T20:03:01-07:00</updated>
<generator build="179002a8c333" version="7.2.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Rsa-MFA/_new" rel="create"/>
<link href="/services/admin/Rsa-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>rsa-mfa</title>
<id>https://localhost:8092/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="list"/>
<link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="edit"/>
<link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="remove"/>
<link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="accessKey">****************************************</s:key>
<s:key name="authManagerUrl">https://rsa-auth-manager.company.com:5555</s:key>
<s:key name="clientId">linux-vm</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="enableMfaAuthRest">false</s:key>
<s:key name="failOpen">1</s:key>
<s:key name="messageOnError">Please_contact_admin</s:key>
<s:key name="replicateCertificates">true</s:key>
<s:key name="sslRootCAPath">$SPLUNK_HOME/etc/auth/rsa-2fa/cert.pem</s:key>
<s:key name="timeout">10</s:key>
</s:dict>
</content>
</entry>
DELETE
Delete the RSA Authentication Manager configuration.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:changeme -X DELETE https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA/rsa-mfa
XML Response
...
<title>Rsa-MFA</title>
<id>https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA</id>
<updated>2018-04-03T12:42:27-07:00</updated>
<generator build="80906e769c378b3c090160fc090717553dd4e8ef" version="20180331"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Rsa-MFA/_new" rel="create"/>
<link href="/services/admin/Rsa-MFA/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>rsa-mfa</title>
<id>https://ronnie.sv.splunk.com:8130/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="list"/>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="edit"/>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="remove"/>
<link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="accessKey">****************************************</s:key>
<s:key name="authManagerCertPath">etc/auth/rsa-2fa/cert.pem</s:key>
<s:key name="authManagerUrl">https://qa-rsaam-002.sv.splunk.com:5555</s:key>
<s:key name="clientId">ronnie.splunk.com</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="enableMfaAuthRest">false</s:key>
<s:key name="failOpen">1</s:key>
<s:key name="messageOnError">Please_contact_admin</s:key>
<s:key name="timeout">10</s:key>
</s:dict>
</content>
</entry>
admin/Rsa-MFA-config-verify/<rsa-stanza-name>
Verify RSA multifactor authentication.
POST
Verify the RSA mutifactor authentication.
Request parameters
| Name | Type | Description |
|---|---|---|
| username' | String | Optional. RSA username. |
| passcode | String | Optional. RSA passcode consists of PIN followed by tokencode. |
Returned values
Information on whether RSA configuration is valid or not.
Example request and response
XML Request
curl -k -u user1:Splunk_123 -X POST https://localhost:8201//services/admin/Rsa-MFA-config-verify/rsa-mfa
XML Response
...
<title>Rsa-MFA-config-verify</title>
<id>https://localhost:8201/services/admin/Rsa-MFA-config-verify</id>
<updated>2018-06-15T22:46:35-07:00</updated>
<generator build="e23985b8ecacbe6a245c427b75ec77906439d540" version="20180614"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/Rsa-MFA-config-verify/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages>
<s:msg type="INFO">Config verification successful</s:msg>
</s:messages>
LDAP REST API usage details
Splunk Enterprise users can configure LDAP user authentication using the REST API. If you are using Splunk Cloud Platform, contact Support for assistance with setting up LDAP authentication.
LDAP user authentication lets you specify configurations, user groups, and group to role mappings to manage permissions in your Splunk deployment.
You can use the LDAP REST API for the following LDAP management tasks.
- Configure an LDAP strategy for a server in your deployment.
- Map LDAP groups to user roles in a server to manage group permissions.
- Enable or disable an LDAP strategy.
To learn more about using LDAP authentication, see Set up user authentication with LDAP in Securing Splunk Enterprise.
admin/LDAP-groups
https://<host>:<mPort>/services/admin/LDAP-groups
Access and update LDAP group to role mappings.
Authentication and authorization
Requires the change_authentication capability for access.
GET
Access LDAP group mappings.
Request parameters
If you are passing in a strategy name with an LDAP group name, they must be comma separated.
| Name | Description |
|---|---|
| strategy | LDAP strategy name |
| LDAPgroup | LDAP group name |
Returned values
For each group, the following values are returned in the response.
| Name | Description |
|---|---|
| roles | Roles mapped to this group |
| strategy | Strategy name |
| type | Group type |
| users | List of users in this group |
Example request and response
curl -u admin:changeme -X GET -k https://localhost:8089/services/admin/LDAP-groups/
...
<title>LDAP-groups</title>
<id>https://localhost:8089/services/admin/LDAP-groups</id>
<updated>2016-11-10T13:04:02-08:00</updated>
<generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/LDAP-groups/_acl" rel="_acl"/>
<opensearch:totalResults>20</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>Abc123-Admin</title>
<id>https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin</id>
<updated>2016-11-10T13:04:02-08:00</updated>
<link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="list"/>
<link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list/>
</s:key>
<s:key name="strategy">ActiveDirectory_New</s:key>
<s:key name="type">static</s:key>
<s:key name="users">
<s:list>
<s:item>CN=Abc123 CI,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
<s:item>CN=Test 1 User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
<s:item>CN=Test 2. User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
POST
Create an LDAP group.
Request parameters
Append the group name to the LDAP-groups/ endpoint. Pass in a strategy name using comma separation. For example, this POST creates the ActiveDirectory_New strategy and specifies the Abc123 group name.
curl -k -u admin:password -X POST https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New,Abc123-Admin -d roles=user
| Name | Description |
|---|---|
| strategy | Required. LDAP strategy name |
| LDAPgroup | Required. LDAP group name |
Returned values
| Name | Description |
|---|---|
| roles | Roles mapped to this group. |
| strategy | Strategy name |
| type | Group type |
| users | List of users in this group. |
Example request and response
curl -k -u admin:password -X POST https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New,Abc123-Admin -d roles=user
.
.
.
<title>Abc123-Admin</title>
<id>https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin</id>
<updated>2016-11-10T13:07:28-08:00</updated>
<link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="list"/>
<link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="strategy">ActiveDirectory_New</s:key>
<s:key name="type">static</s:key>
<s:key name="users">
<s:list>
<s:item>CN=Abc123 CI,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
<s:item>CN=Test 1 User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
<s:item>CN=Test 2. User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
.
.
.
authentication/providers/LDAP
https://<host>:<mPort>/services/authentication/providers/LDAP
Access or create LDAP authentication strategies on a server in your deployment.
Authentication and authorization
Requires the change_authentication capability for access.
GET
Access LDAP configurations strategies.
Request parameters
| Name | Description |
|---|---|
| strategy | Name of LDAP configuration strategy |
Returned values
The response lists LDAP strategy settings.
See LDAP settings in authentication.conf for strategy settings information.
Example request and response
curl -k -u admin:password https://localhost:8089/services/authentication/providers/LDAP/
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>providers/LDAP</title>
<id>https://localhost:8089/services/authentication/providers/LDAP</id>
<updated>2016-11-09T16:14:07-08:00</updated>
<generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/LDAP/_new" rel="create"/>
<link href="/services/authentication/providers/LDAP/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>my_strategy</title>
<id>https://localhost:8089/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy</id>
<updated>2016-11-09T16:14:07-08:00</updated>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="list"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="edit"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="remove"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="SSLEnabled">0</s:key>
<s:key name="anonymous_referrals">1</s:key>
<s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="bindDNpassword">********</s:key>
<s:key name="charset">utf8</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="emailAttribute">mail</s:key>
<s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="groupMappingAttribute">dn</s:key>
<s:key name="groupMemberAttribute">sn</s:key>
<s:key name="groupNameAttribute">sn</s:key>
<s:key name="host">1.1.1.1</s:key>
<s:key name="nestedGroups">0</s:key>
<s:key name="network_timeout">20</s:key>
<s:key name="order">1</s:key>
<s:key name="port">389</s:key>
<s:key name="realNameAttribute">sn</s:key>
<s:key name="sizelimit">1000</s:key>
<s:key name="timelimit">15</s:key>
<s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="userNameAttribute">sn</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create an LDAP strategy.
Usage details
Use the following endpoints to enable or disable an LDAP strategy after you create it.
services/authentication/providers/LDAP/{LDAP_strategy_name}/enable
services/authentication/providers/LDAP/{LDAP_strategy_name}/disable
Request parameters
See LDAP settings in authentication.conf for required and optional settings information.
Returned values
None.
Example request and response
curl —k u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/ -d name=my_strategy -d groupBaseDN="CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com" -d groupMemberAttribute=sn -d groupNameAttribute=sn -d host=1.1.1.1 -d realNameAttribute=sn -d userBaseDN="OU=SAML Test,DC=qa,DC=ab2008e2,DC=com" -d userNameAttribute=sn -d bindDN="CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com" -d bindDNpassword=password
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>providers/LDAP</title>
<id>https://localhost:8089/services/authentication/providers/LDAP</id>
<updated>2016-11-09T16:20:14-08:00</updated>
<generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/LDAP/_new" rel="create"/>
<link href="/services/authentication/providers/LDAP/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages>
<s:msg type="INFO">Successfully performed a bind to the LDAP server</s:msg>
<s:msg type="WARN">Failed to find the email attribute 'mail' in a returned user entry.</s:msg>
</s:messages>
<entry>
<title>my_strategy</title>
<id>https://localhost:8089/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy</id>
<updated>2016-11-09T16:20:14-08:00</updated>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="list"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="edit"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="remove"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="SSLEnabled">0</s:key>
<s:key name="anonymous_referrals">1</s:key>
<s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="bindDNpassword">********</s:key>
<s:key name="charset">utf8</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="emailAttribute">mail</s:key>
<s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="groupMappingAttribute">dn</s:key>
<s:key name="groupMemberAttribute">sn</s:key>
<s:key name="groupNameAttribute">sn</s:key>
<s:key name="host">1.1.1.1</s:key>
<s:key name="nestedGroups">0</s:key>
<s:key name="network_timeout">20</s:key>
<s:key name="order">1</s:key>
<s:key name="port">389</s:key>
<s:key name="realNameAttribute">sn</s:key>
<s:key name="sizelimit">1000</s:key>
<s:key name="timelimit">15</s:key>
<s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ab2008e2,DC=com</s:key>
<s:key name="userNameAttribute">sn</s:key>
</s:dict>
</content>
</entry>
</feed>
authentication/providers/LDAP/{LDAP_strategy_name}
https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}
Access, update, or delete the {LDAP_strategy_name} strategy.
Authentication and authorization
Requires the change_authentication capability for access.
POST
Update an existing LDAP strategy.
Request parameters and returned values
See LDAP settings in authentication.conf for strategy settings information.
Example request and response
curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/my_strategy -d port=390
<entry>
<title>my_strategy</title>
<id>https://localhost:8089/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy</id>
<updated>2016-11-09T16:14:07-08:00</updated>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="list"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="edit"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="remove"/>
<link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="SSLEnabled">0</s:key>
<s:key name="anonymous_referrals">1</s:key>
<s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="bindDNpassword">********</s:key>
<s:key name="charset">utf8</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="emailAttribute">mail</s:key>
<s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="groupMappingAttribute">dn</s:key>
<s:key name="groupMemberAttribute">sn</s:key>
<s:key name="groupNameAttribute">sn</s:key>
<s:key name="host">1.1.1.1</s:key>
<s:key name="nestedGroups">0</s:key>
<s:key name="network_timeout">20</s:key>
<s:key name="order">1</s:key>
<s:key name="port">390</s:key>
<s:key name="realNameAttribute">sn</s:key>
<s:key name="sizelimit">1000</s:key>
<s:key name="timelimit">15</s:key>
<s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
<s:key name="userNameAttribute">sn</s:key>
</s:dict>
</content>
</entry>
.
.
.
DELETE
Delete an existing LDAP strategy.
Request parameters
None
Returned values
None
Example request and response
curl -k -u admin:password -X DELETE https://localhost:8089/services/authentication/providers/LDAP/my_strategy
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>providers/LDAP</title>
<id>https://ronnie:8132/services/authentication/providers/LDAP</id>
<updated>2016-11-09T16:18:37-08:00</updated>
<generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/LDAP/_new" rel="create"/>
<link href="/services/authentication/providers/LDAP/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
authentication/providers/LDAP/{LDAP_strategy_name}/enable
https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}/enable
POST
Enable the {LDAP_strategy_name} LDAP strategy.
Request parameters
None
Returned values
None
Example request
curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/my_strategy/enable
authentication/providers/LDAP/{LDAP_strategy_name}/disable
https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}/disable
POST
Disable the {LDAP_strategy_name} LDAP strategy.
Request parameters
None
Returned values
None
Example request
curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/my_strategy/disable
admin/metrics-reload/_reload
https://<host>:<mPort>/services/admin/metrics-reload/_reload
Use this endpoint to reload the metrics processor after updating a metrics-related configuration.
POST
Reload the metrics processor.
Example request and response
Request
curl -k -u admin:changeme \https://localhost:8089/services/admin/metrics-reload/_reload
Response
...
<title>metrics-reload</title>
<id>https://<localhost>:<mport>/services/admin/metrics-reload</id>
<updated>2017-08-08T23:33:13+00:00</updated>
<generator build="eb729684699b" version="7.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/metrics-reload/_reload" rel="_reload"/>
<link href="/services/admin/metrics-reload/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
ProxySSO REST API usage details
SSO mode must be enabled before you can configure ProxySSO. If you are creating a new ProxySSO configuration for the first time, follow these steps.
- Locate the
web.conffile in theetc/system/localdirectory. - Make the following additions to the
[settings]stanza ofweb.conffile. If the file does not already exist in this location, create a new file calledweb.confand add only the[settings]stanza name and the following settings to it.[settings] SSOMode = strict trustedIP = <IP_address> remoteUser = <remote user> remoteGroups = <remote group> tools.proxy.on = False allowSsoWithoutChangingServerConf = 1
- Restart the Splunk deployment after updating
web.conf. - Use the admin/ProxySSO-auth/{proxy_name}/enable endpoint to enable the configuration that you are creating.
- Use the admin/ProxySSO-auth endpoint to add the new configuration.
- (Optional) Use the
services/admin/auth-servicesendpoint to verify that theactive_authmoduleis set toProxySSO.
admin/ProxySSO-auth
https://<host>:<mPort>/services/admin/ProxySSO-auth
Access or create a ProxySSO configuration.
GET
Review existing ProxySSO configurations.
Request parameters
None.
Returned values
For each configuration the following values are returned.
| Name | Description |
|---|---|
| defaultRoleIfMissing | Name of default role to use if no mapping is found. |
| blacklistedUsers | Comma separated list of blacklisted users. |
| blacklistedAutoMappedRoles | Comma separated list of blacklisted roles. |
| disabled | Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.
|
| title | Configuration name |
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth
XML Response
...
<title>ProxySSO-auth</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth</id>
<updated>2016-08-31T15:57:42-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
<link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>my_proxy</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
<updated>2016-08-31T15:57:42-07:00</updated>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
<link href="/services/admin/ProxySSO-auth/my_proxy/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklistedAutoMappedRoles">role1</s:key>
<s:key name="blacklistedUsers"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
...
POST
Add a new ProxySSO configuration.
Usage details
Changes are written to the app context.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. New ProxySSO configuration name |
| defaultRoleIfMissing | Role name | Specify a default role to use if no mapping is found. |
| blacklistedUsers | Comma separated list | Specify blacklisted users. |
| blacklistedAutoMappedRoles | Comma separated list | Specify blacklisted roles. |
Returned values
| Name | Description |
|---|---|
| defaultRoleIfMissing | Name of default role to use if no mapping is found. |
| blacklistedUsers | Comma separated list of blacklisted users. |
| blacklistedAutoMappedRoles | Comma separated list of blacklisted roles. |
| disabled | Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.
|
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth -d name=my_proxy
XML Response
...
<title>ProxySSO-auth</title>
<id>https://wimpy:7102/services/admin/ProxySSO-auth</id>
<updated>2016-08-31T14:53:42-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
<link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>my_proxy</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
<updated>2016-08-31T14:53:42-07:00</updated>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklistedAutoMappedRoles"></s:key>
<s:key name="blacklistedUsers"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
...
admin/ProxySSO-auth/{proxy_name}
https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name}
Access, update, or delete the {proxy_name} configuration.
GET
Access configuration details.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| defaultRoleIfMissing | Name of default role to use if no mapping is found. |
| blacklistedUsers | Comma separated list of blacklisted users. |
| blacklistedAutoMappedRoles | Comma separated list of blacklisted roles. |
| disabled | Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.
|
| title | Configuration name |
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy
XML Response
<title>ProxySSO-auth</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth</id>
...
<entry>
<title>my_proxy</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
<updated>2016-08-31T16:09:38-07:00</updated>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
<link href="/services/admin/ProxySSO-auth/my_proxy/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklistedAutoMappedRoles">role1</s:key>
<s:key name="blacklistedUsers"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>blacklistedAutoMappedRoles</s:item>
<s:item>blacklistedUsers</s:item>
<s:item>defaultRoleIfMissing</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
POST
Update a configuration.
Changes are written to the app context.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. New ProxySSO configuration name |
| defaultRoleIfMissing | Role name | Specify a default role to use if no mapping is found. |
| blacklistedUsers | Comma separated list | Specify blacklisted users. |
| blacklistedAutoMappedRoles | Comma separated list | Specify blacklisted roles. |
Returned values
| Name | Description |
|---|---|
| defaultRoleIfMissing | Name of default role to use if no mapping is found. |
| blacklistedUsers | Comma separated list of blacklisted users. |
| blacklistedAutoMappedRoles | Comma separated list of blacklisted roles. |
| disabled | Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.
|
| title | Configuration name |
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy -d blacklistedAutoMappedRoles=role2,role3
XML Response
...
<title>ProxySSO-auth</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth</id>
<updated>2016-08-31T16:19:07-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
<link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>my_proxy</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
<updated>2016-08-31T16:19:07-07:00</updated>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
<link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklistedAutoMappedRoles">role2,role3</s:key>
<s:key name="blacklistedUsers"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
DELETE
Delete a configuration.
Changes are written to the app context.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/admin/ProxySSO-auth/my_proxy
XML Response
admin/ProxySSO-auth/{proxy_name}/disable
https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name}/disable
Disable the {proxy_name} configuration.
GET
Disable the {proxy_name} configuration.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy/disable
XML Response
...
<title>ProxySSO-auth</title>
<id>https://localhost:8089/services/admin/ProxySSO-auth</id>
<updated>2016-08-31T16:43:46-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
<link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
...
admin/ProxySSO-auth/{proxy_name}/enable
https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name}/enable
Use a GET request to create and enable the {proxy_name} authentication setting. Changes are made in the default app context.
GET
Enable the {proxy_name} configuration.
Usage details
For new configurations, specify a new {proxy_name}. After enabling the configuration, use the same {proxy_name} in the POST to admin/ProxySSO-auth to add the configuration.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy/enable
XML Response
<title>ProxySSO-auth</title>
<id>https://wimpy:7102/services/admin/ProxySSO-auth</id>
<updated>2016-08-31T16:44:05-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
<link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
admin/ProxySSO-groups
https://<host>:<mPort>/services/admin/ProxySSO-groups
Access or create role to group ProxySSO mappings.
Authentication and authorization
Requires the change_authentication capability.
GET
Access ProxySSO role to group mappings.
Request parameters
None
Returned values
For each group returned, lists the roles assigned to it.
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-groups
XML Response
...
<title>ProxySSO-groups</title>
<id>https://localhost:8089/services/admin/ProxySSO-groups</id>
...
<entry>
<title>group1</title>
<id>https://localhost:8089/services/admin/ProxySSO-groups/group1</id>
<updated>2016-08-31T17:03:46-07:00</updated>
<link href="/services/admin/ProxySSO-groups/group1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-groups/group1" rel="list"/>
<link href="/services/admin/ProxySSO-groups/group1" rel="edit"/>
<link href="/services/admin/ProxySSO-groups/group1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
...
POST
Create a new mapping.
Changes are written to the app context.
Request parameters
| Name | Type | Description |
|---|---|---|
| roles | User role name | Specify roles to map to the group that you are creating. Use a separate roles parameter for each role added.
|
Returned values
None
Example request and response
XML Request
curl -k -u admin:changed -X POST https://localhost:8089/services/admin/ProxySSO-groups/group1 -d roles=power
XML Response
...
<title>ProxySSO-groups</title>
<id>https://localhost:8089/services/admin/ProxySSO-groups</id>
<updated>2016-08-31T17:01:20-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-groups/_new" rel="create"/>
<link href="/services/admin/ProxySSO-groups/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
...
admin/ProxySSO-groups/{group_name}
https://<host>:<mPort>/services/admin/ProxySSO-groups/{group_name}
Access, create, and manage role to group mappings.
Authentication and authorization
Requires the change_authentication capability.
GET
Access role mappings for the {group_name} group.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| roles | Roles mapped to this group. |
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-groups/group2
XML Response
<title>ProxySSO-groups</title>
<id>https://wimpy:7102/services/admin/ProxySSO-groups</id>
...
<entry>
<title>group2</title>
<id>https://localhost:8089/services/admin/ProxySSO-groups/group2</id>
<updated>2016-08-31T17:25:01-07:00</updated>
<link href="/services/admin/ProxySSO-groups/group2" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-groups/group2" rel="list"/>
<link href="/services/admin/ProxySSO-groups/group2" rel="edit"/>
<link href="/services/admin/ProxySSO-groups/group2" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>roles</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
...
POST
Create a new {group_name} mapping or update an existing one.
Changes are written to the app context.
Request parameters
If you are creating a new group, specify the new group name in the URL.
| Name | Type | Description |
|---|---|---|
| roles | User role name | Specify roles to map to the group that you are creating or updating. Use a separate roles parameter for each role added.
|
Returned values
None
Example request and response
XML Request
curl -k -u admin:changed -X POST https://localhost:8089/services/admin/ProxySSO-groups/group1 -d roles=power
XML Response
...
<title>ProxySSO-groups</title>
<id>https://localhost:8089/services/admin/ProxySSO-groups</id>
<updated>2016-08-31T17:01:20-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-groups/_new" rel="create"/>
<link href="/services/admin/ProxySSO-groups/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
...
DELETE
Delete the {group_name} group mapping.
Changes are written to the app context.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:changed -X DELETE https://localhost:8089/services/admin/ProxySSO-groups/group2
XML Response
<title>ProxySSO-groups</title>
<id>https://localhost:8089/services/admin/ProxySSO-groups</id>
<updated>2016-08-31T17:42:39-07:00</updated>
<generator build="ca6bc6de37c2" version="6.5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/ProxySSO-groups/_new" rel="create"/>
<link href="/services/admin/ProxySSO-groups/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
admin/ProxySSO-user-role-map
https://<host>:<mPort>/services/admin/ProxySSO-user-role-map
Access or create a user to role mapping.
Authentication and authorization
Requires the edit_user capability.
GET
Access user to role mappings
Request parameters
None
Returned values
| Name | Description |
|---|---|
| roles | Roles mapped to the user |
| title | User name |
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-user-role-map
XML Response
...
<title>ProxySSO-user-role-map</title>
<id>https://localhost:8089/services/admin/ProxySSO-user-role-map</id>
...
<entry>
<title>user1</title>
<id>https://localhost:8089/services/admin/ProxySSO-user-role-map/user1</id>
<updated>2016-08-31T18:00:28-07:00</updated>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
...
POST
Create a user to role mapping.
Changes are written to the etc/system/local directory.
Note: User to role mappings cannot be updated.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | User name | Specify a user to map to specific roles |
| roles | User role name | Specify a role to map to the user. Use a separate roles parameter for each role that you are mapping.
|
Returned values
None
XML Request
curl -k -u admin:changed -X POST https://localhost:8089/services/admin/ProxySSO-user-role-map -d name=user1 -d roles=power
XML Response
<title>ProxySSO-user-role-map</title>
<id>https://wimpy:7102/services/admin/ProxySSO-user-role-map</id>
...
<entry>
<title>user1</title>
<id>https://wimpy:7102/services/admin/ProxySSO-user-role-map/user1</id>
<updated>2016-08-31T17:57:53-07:00</updated>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
...
admin/ProxySSO-user-role-map/{user_name}
https://<host>:<mPort>/services/admin/ProxySSO-user-role-map/{user_name}
Access or delete a user to role mapping.
Authentication and authorization
Requires the edit_user capability.
GET
Access role mappings for the {user_name} user.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| roles | Roles mapped to the {user_name} user.
|
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-user-role-map/user1
XML Response
<title>ProxySSO-user-role-map</title>
<id>https://wimpy:7102/services/admin/ProxySSO-user-role-map</id>
<updated>2016-08-31T18:13:01-07:00</updated>
...
<entry>
<title>user1</title>
<id>https://localhost:8089/services/admin/ProxySSO-user-role-map/user1</id>
<updated>2016-08-31T18:13:01-07:00</updated>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
...
DELETE
Delete the {user_name} user to role mapping.
Changes are written to the etc/system/local directory.
Request parameters
None
Returned values
The response lists remaining user to role mappings.
Example request and response
XML Request
curl -k -u admin:changed -X DELETE https://localhost:8089/services/admin/ProxySSO-user-role-map/user2
XML Response
<title>ProxySSO-user-role-map</title>
<id>https://localhost:8089/services/admin/ProxySSO-user-role-map</id>
...
<entry>
<title>user1</title>
<id>https://localhost:8089/services/admin/ProxySSO-user-role-map/user1</id>
<updated>2016-08-31T18:11:02-07:00</updated>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
<link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
SAML REST API usage details
Splunk Enterprise users can configure SAML authentication for single sign-on (SSO). If you are using Splunk Cloud Platform, contact Support to request assistance.
You can use the REST API to make the following SAML configurations.
- Manage group and user role mappings.
- Access service and identity provider information.
- Replicate SAML IdP certificates across a search head cluster.
For more information on using SAML for SSO, see Authentication using single sign-on with SAML in Securing Splunk Enterprise. You can also review the SAML settings stanza in authentication.conf in the Admin Manual.
admin/replicate-SAML-certs
https://<host>:<mPort>/services/admin/replicate-SAML-certs
Replicate SAML IdP certificates across a search head cluster.
Note: This endpoint is only available for use on search head clustered deployments with KV Store enabled.
Authentication and authorization
Requires the change_authentication capability for access.
POST
Usage details
After editing SAML IdP certificate files in $SPLUNK_HOME/etc/auth/idpCerts on one node in the cluster, you can POST to /replicate-SAML-certs to replicate the certificates across the cluster. This can be useful if there is an error in the certificate files from /SAML-idp-metadata and you need to edit them manually.
There are no request parameters or returned values.
admin/SAML-groups
https://<host>:<mPort>/services/admin/SAML-groups
Manage external groups in an IdP response to internal Splunk roles.
Authentication and authorization
Requires change_authentication capability for all operations.
GET
Access internal roles for this external group.
Request parameters
None.
Response keys
| Name | Description |
|---|---|
| roles | Corresponding internal role for the external group. |
Example request and response
XML Request
curl -k -u admin:password https://localhost:8089/services/admin/SAML-groups
XML Response
<title>SAML-groups</title>
<id>https://localhost:8089/services/admin/SAML-groups</id>
<updated>2015-11-07T18:00:05-08:00</updated>
<generator build="05ee6658a12a17d11f47076b544" version="20151021"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-groups/_new" rel="create"/>
<link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
<opensearch:totalResults>4</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/admin/SAML-groups/admin</id>
<updated>2015-11-07T18:00:05-08:00</updated>
<link href="/services/admin/SAML-groups/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-groups/admin" rel="list"/>
<link href="/services/admin/SAML-groups/admin" rel="edit"/>
<link href="/services/admin/SAML-groups/admin" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>sc_admin</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>employee</title>
<id>https://localhost:8089/services/admin/SAML-groups/employee</id>
<updated>2015-11-07T18:00:05-08:00</updated>
<link href="/services/admin/SAML-groups/employee" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-groups/employee" rel="list"/>
<link href="/services/admin/SAML-groups/employee" rel="edit"/>
<link href="/services/admin/SAML-groups/employee" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>power admin</title>
<id>https://localhost:8089/services/admin/SAML-groups/power%20admin</id>
<updated>2015-11-07T18:00:05-08:00</updated>
<link href="/services/admin/SAML-groups/power%20admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-groups/power%20admin" rel="list"/>
<link href="/services/admin/SAML-groups/power%20admin" rel="edit"/>
<link href="/services/admin/SAML-groups/power%20admin" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>user admin</title>
<id>https://localhost:8089/services/admin/SAML-groups/user%20admin</id>
<updated>2015-11-07T18:00:05-08:00</updated>
<link href="/services/admin/SAML-groups/user%20admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-groups/user%20admin" rel="list"/>
<link href="/services/admin/SAML-groups/user%20admin" rel="edit"/>
<link href="/services/admin/SAML-groups/user%20admin" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
POST
Convert an external group to internal roles.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | External group name. |
| roles | String | Equivalent internal role for the group. |
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/admin/SAML-groups -d name=Splunk -d roles=user
XML Response
<title>SAML-groups</title>
<id>https://localhost:8089/services/admin/SAML-groups</id>
<updated>2015-11-07T18:04:56-08:00</updated>
<generator build="05ee6658a1d11f47076b549133a47050ca24" version="20151021"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-groups/_new" rel="create"/>
<link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
admin/SAML-groups/{group_name}
https://<host>:<mPort>/services/admin/SAML-groups/{group_name}
Delete the {group_name} group.
Authentication and authorization
Requires change_authentication capability for all operations.
DELETE
Delete the {group_name} particular group.
Request parameters
None
Response keys
None
Example request and response
XML Request
curl -k -u admin:password --request DELETE https://localhost:8089/services/admin/SAML-groups/group_to_delete
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>SAML-groups</title>
<id>https://localhost:8089/services/admin/SAML-groups</id>
<updated>2015-11-07T18:04:25-08:00</updated>
<generator build="05ee6658a12a17d11f47133a47050ca24" version="20151021"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-groups/_new" rel="create"/>
<link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
admin/SAML-idp-metadata
https://<host>:<mPort>/services/admin/SAML-idp-metadata
Access IdP SAML metadata attributes.
Authentication and authorization
Requires change_authentication capability for all operations.
GET
Access SAML user and role information for saved searches.
Request parameters
| Name | Type | Description |
|---|---|---|
| idpMetadataFile | File path. See description. | Full path of the metadata file location. File should be local to splunkd server. |
Response keys
| Name | Description |
|---|---|
| idpMetadataPayload | SAML IdP metadata in XML format. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/admin/SAML-idp-metadata
XML Response
<title>SAML-idp-metadata</title>
<id>https://localhost:8089/services/admin/SAML-idp-metadata</id>
<updated>2015-11-07T18:34:07-08:00</updated>
<generator build="05ee6658a12a17d11f47076h3453ffdd50ca24" version="20151021"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-idp-metadata/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>idpMetadataPayload</title>
<id>https://localhost:8089/services/admin/SAML-idp-metadata/idpMetadataPayload</id>
<updated>2015-11-07T18:34:07-08:00</updated>
<link href="/services/admin/SAML-idp-metadata/idpMetadataPayload" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-idp-metadata/idpMetadataPayload" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="idpCertificatePayload"><![CDATA[MIIDpjCCAo6gAwIBAgIGAU7gBZ6oMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcrterye444uIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC3NwbHVua3Rlc3QxMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE1MDczMDE3MzEyMVoXDTQ1MDczMDE3MzIyMVowgZMxCzAJBgNV
BAYTAlnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLc3BsdW5rdGVzdDExHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCQS0Zh/PCBRsbHkJhi6RtGSkEzFjPZyPyFr2ND9KysDf4WRgMiklOBdrlM/++BJkqPCTYFbt/L
ZXnVqo7v9wJ538MrTp6o1iBi52zhpDnqAoOIrlSaB0PbbQVd/oz49YbEW6/ThsAMHdIyz3/CSqEM
o6oD7GiQzoGH4jidhx1Gjgmfk2OdkKAnWQDmZGKAMHJQXtjfrUK3y0H5j2tla9iIPLUVDyopzWNa
o8TKw68iWDZs9ZGrwu9ptF4fpjiaslkWp3oyO1FmAencabXMddFZ7HgVziI2TjbExNa+bzS9SUhY
gZlf2meD/ib2ul6HVFKlVM0IJA56qWGImiJRzGj1AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAC+I
566v40xTMhFjTlF3sRGjbXQDnJGXcuF1GFkAp/IEmdo
7mawu7Z7qcHb2BcQiVViuHY5ON2O/gbz5ggDipc803JMD7dTtFxDthfZgvN1tE/nPNgx2QAKCADw
FkhYwAf6R7zV1VvyRfUzmbbl6V9JZh7Mju0vFsVJUsGhsAqJfZWQ+QckedB/NIpr9OxBu4IYgMZ4
gbV4yQ+FaICBh/vpqrtp5KmIIp63gXuV+Lh71NW0dj8oty3JpJmjZEdwXPjBKp5Xx94KHiA7Esyh
+7Zk/NK0PJTvlTrsyk+UIeSJZE473SdxI7A=]]></s:key>
<s:key name="protocol_endpoints">
<s:dict>
<s:key name="idpSLOUrl">https://test.example.com/app/example/exk4nkqqsypk32FMF0h7/slo/saml</s:key>
<s:key name="idpSSOUrl">https://test.example.com/app/example/exk4nkqqsypk32FMF0h7/sso/saml</s:key>
</s:dict>
</s:key>
<s:key name="signAuthnRequest">1</s:key>
</s:dict>
</content>
</entry>
admin/SAML-sp-metadata
https://<host>:<mPort>/services/admin/SAML-sp-metadata
Access service provider SAML metadata attributes.
Authentication and authorization
Requires change_authentication capability for all operations.
GET
Access SAML metadata attributes.
Request parameters
None.
Response keys
| Name | Description |
|---|---|
| spMetadataPayload | SAML service provider metadata in XML format. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/admin/SAML-sp-metadata
XML Response
<title>SAML-sp-metadata</title>
<id>https://localhost:8089/services/admin/SAML-sp-metadata</id>
<updated>2015-12-16T13:47:39-08:00</updated>
<generator build="d48f9f793521" version="6.4.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-sp-metadata/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>spMetadata</title>
<id>https://localhost:8089/services/admin/SAML-sp-metadata/spMetadata</id>
<updated>2015-12-16T13:47:39-08:00</updated>
<link href="/services/admin/SAML-sp-metadata/spMetadata" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-sp-metadata/spMetadata" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="spMetadata"><![CDATA[<md:EntityDescriptor entityID="splunkEntityId" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true"> <md:KeyDescriptor> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>
MIICLTCCAZYCCQDCCiSo4+bLSzANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xNTA3MjgxNjMzNDNaFw0xODA3MjcxNjMz
NDNaMDcxIDAeBgNVBAMMF1NwbHVerTRer55ZlckRlZmF1bHRDZXJ0MRMwEQYDVQQK
DApTcGx1bmtVc2VyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmxUfArn3l
Pxn24lBl1pWDFg5VCB/f8IS7MlEFPJiepioAli+yE7exlzD0wRniw2Akiyg1Kbt9
zNe1z9Dxi1fEOailFaV5ryENabYgYJFJonZKWucNvWzde50Cn4fm1nNqVSZOH90F
9zTGCD7Kkem0hIqx506TI2C2dKP+cJWeWwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
ADy75DKIegJo2ALOZsckvrllqGZ2+g/xBupuRBDBSRp9vs3VqN+wB39uDtMzXlZ1
u0J5OhPVMdqO0RJuYzZmFpAhCX4hFfsNeazfFzSK/DQCURvfYG4pZit3P8gJ6uDv
3OxcDGUorMNlGRRO61UAkrLUywE44MMs1jgidDw2QlMY
</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example-unix-58667/saml/logout" index="0"> </md:SingleLogoutService> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example-unix-58667/saml/acs" index="0"> </md:AssertionConsumerService> </md:SPSSODescriptor> </md:EntityDescriptor> ]]></s:key>
</s:dict>
</content>
</entry>
admin/SAML-user-role-map
https://<host>:<mPort>/services/admin/SAML-user-role-map
Access or create SAML user and role information for saved searches if your IdP does not support Attribute Query Requests. To delete a username, see admin/SAML-user-role-map/{name}.
Authentication and authorization
Requires edit_user capability for all operations.
GET
Access SAML user and role information for saved searches.
Request parameters
None.
Response keys
| Name | Description |
|---|---|
| name | SAML username for running saved searches. |
| roles | Assigned roles for this user. |
Example request and response
XML Request
curl -k -u admin:password https://localhost:8089/services/admin/SAML-user-role-map
XML Response
<title>SAML-user-role-map</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map</id>
<updated>2015-11-07T17:34:12-08:00</updated>
<generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
<link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
<opensearch:totalResults>3</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>samluser001@example.com</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map/samluser001%40example.com</id>
<updated>2015-11-07T17:34:12-08:00</updated>
<link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="list"/>
<link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">samluser001@example.com</s:key>
<s:key name="realname">Firstname Lastname001</s:key>
<s:key name="roles">
<s:list>
<s:item>sc_admin</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>samluser002@example.com</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map/samluser002%40example.com</id>
<updated>2015-11-07T17:34:12-08:00</updated>
<link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="list"/>
<link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">samluser002@example.com</s:key>
<s:key name="realname">Firstname Lastname002</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>samluser003@example.com</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map/samluser003%40example.com</id>
<updated>2015-11-07T17:34:12-08:00</updated>
<link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="list"/>
<link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">samluser003@example.com</s:key>
<s:key name="realname">Firstname Lastname003</s:key>
<s:key name="roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
POST
Update SAML user and role information for saved searches.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | SAML username for running saved searches. |
| roles | String | Assigned roles for this user. |
Response keys
| Name | Description |
|---|---|
| name | SAML username for running saved searches. |
| roles | Assigned roles for this user. |
Example request and response
XML Request
curl -k -u admin:password https://localhost:8089/services/admin/SAML-user-role-map -d name=samluser004@example.foo -d roles=user
XML Response
<title>SAML-user-role-map</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map</id>
<updated>2015-11-07T17:45:54-08:00</updated>
<generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
<link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>samluser004@example.foo</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map/samluser004%40example.foo</id>
<updated>2015-11-07T17:45:54-08:00</updated>
<link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="list"/>
<link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
DELETE
See admin/SAML-user-role-map/{name}
admin/SAML-user-role-map/{name}
https://<host>:<mPort>/services/admin/SAML-user-role-map/{name}
Delete SAML user and role information for saved searches if your IdP does not support Attribute Query Requests.
Authentication and authorization
Requires edit_user capability for all operations.
DELETE
Remove a username from SAML users for saved searches.
Request parameters
None.
Response keys
| Name | Description |
|---|---|
| name | SAML username for running saved searches. |
| roles | Assigned roles for this user. |
Example request and response
XML Request
curl -k -u admin:password --request DELETE https://localhost:8089/services/admin/SAML-user-role-map/samluser004@example.com
XML Response
<title>SAML-user-role-map</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map</id>
<updated>2015-11-07T17:46:26-08:00</updated>
<generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
<link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
<opensearch:totalResults>3</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>samluser001@example.com</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map/samluser001%40example.com</id>
<updated>2015-11-07T17:46:26-08:00</updated>
<link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="list"/>
<link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>sc_admin</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>samluser002@example.com</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map/samluser002%40example.com</id>
<updated>2015-11-07T17:46:26-08:00</updated>
<link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="list"/>
<link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>samluser003@example.com</title>
<id>https://localhost:8089/services/admin/SAML-user-role-map/samluser003%40example.com</id>
<updated>2015-11-07T17:46:26-08:00</updated>
<link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="list"/>
<link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>_spl_cloud</s:item>
<s:item>_spl_cloud_user</s:item>
<s:item>admin</s:item>
<s:item>sc_admin</s:item>
<s:item>spl_cloud_user</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
authentication/providers/SAML
https://<host>:<mPort>/services/authentication/providers/SAML
Access and create SAML configurations.
Authentication and authorization
Requires change_authentication capability for all operations.
GET
Access SAML configurations.
Request parameters
None.
Response keys
| Name | Description |
|---|---|
| allowSslCompression | Indicates whether ssl data compression is enabled. |
| assertionConsumerServiceUrl | Endpoint where SAML assertions are posted by the IdP. |
| attributeAliasMail | Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'. |
| attributeAliasRealName | Specifies which SAML attribute maps to 'realName'. Defaults to realName.
|
| attributeAliasRole | Specifies which SAML attribute maps to role. Defaults to role.
|
| attributeQueryRequestSigned | Indicates whether Attribute Queries should be signed. |
| attributeQueryResponseSigned | Indicates whether Attribute Query responses should be signed. |
| attributeQuerySoapPassword | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQuerySoapUsername | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQueryTTL | ttl (time to live) for the Attribute Query credentials cache. |
| blacklistedAutoMappedRoles | Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response. |
| blacklistedUsers | Comma separated list of user names from the IDP response to be blacklisted by Splunk software. |
| caCertFile | File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem |
| cipherSuite | Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
|
| defaultRoleIfMissing | Default role to use if no role is returned in a SAML response. |
| ecdhCurves | EC curves for ECDH/ECDHE key exchange - ssl setting. |
| entityId | Unique id preconfigured by the IdP. |
| errorUrL | URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or Splunk deployment. |
| errorUrlLabel | Label or title of the content to which errorUrl points. Defaults to Click here to resolve SAML error..
|
| fqdn | Load balancer url. |
| idpAttributeQueryUrl | IdP attribute query url where SAML attribute queries are sent. |
| idpCertPath | Path for IdP certificate. |
| idpSLOUrl | IdP sso url where SAML SSO requests are sent. |
| idpSSOUrl | IdP SSO url where SAML SLO requests are sent. |
| maxAttributeQueryQueueSize | Maximum number of Attribute jobs to queue. |
| maxAttributeQueryThreads | Maximum number of threads for asynchronous Attribute Queries. |
| name | Configuration stanza name. |
| nameIdFormat | Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| redirectAfterLogoutToUrl | Redirect URL after user logout If no SLO URL is configured. |
| redirectPort | Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The
|
| signAuthnRequest | Indicates whether to sign authentication requests. |
| signatureAlgorithm | Applicable only for redirect binding. Indicates the signature algorithm used for a SP-initiated SAML request when signedAuthnRequest is set to true.
Possible values are:
|
| signedAssertion | Indicates whether to sign SAML assertions. |
| singleLogoutServiceUrl | URL where the IdP posts SAML Single Logout responses. |
| skipAttributeQueryRequestForUsers | Used in conjunction with defaultRoleIFMissing. Indicates whether to skip Attribute Queries for some users.
|
| sloBinding | Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
| spCertPath | Service provider certificate path. |
| sslAltNameToCheck | Alternate name to check in the peer certificate. |
| sslCommonNameToCheck | Common name to check in the peer certificate. |
| sslKeysfile | Location of service provider private key. |
| sslKeysfilePassword | SSL password. |
| sslVerifyServerCert | Indicates whether to verify peer certificate. |
| sslVersions | SSL versions. |
| ssoBinding | Binding used when making a SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
| uiStatusPage | Splunk Web page for redirecting users in case of errors. |
Example request and response
XML Request
curl -u admin:pass -k -X GET https://localhost:8089/services/authentication/providers/SAML
XML Response
<title>SAML-auth</title>
<id>https://localhost:8089/services/authentication/providers/SAML</id>
<updated>2017-04-10T23:27:22+00:00</updated>
<generator build="a8914247a786" version="6.5.1612"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/SAML/_new" rel="create"/>
<link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>saml-test</title>
<id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
<updated>2017-04-10T23:27:22+00:00</updated>
<link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
<link href="/services/authentication/providers/SAML/saml-test/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="allowSslCompression">true</s:key>
<s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
<s:key name="attributeQueryRequestSigned">1</s:key>
<s:key name="attributeQueryResponseSigned">1</s:key>
<s:key name="attributeQuerySoapPassword">******</s:key>
<s:key name="attributeQuerySoapUsername">test_ping</s:key>
<s:key name="attributeQueryTTL">3600</s:key>
<s:key name="attribute_aliases"/>
<s:key name="blacklistedAutoMappedRoles">
<s:list/>
</s:key>
<s:key name="blacklistedUsers">
<s:list/>
</s:key>
<s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
<s:key name="cipherSuite"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="ecdhCurves"></s:key>
<s:key name="entityId">saml-test-entity</s:key>
<s:key name="errorUrl"></s:key>
<s:key name="errorUrlLabel"></s:key>
<s:key name="fqdn">http://so1</s:key>
<s:key name="idpCertChains">
<s:list/>
</s:key>
<s:key name="idpCertPath"></s:key>
<s:key name="maxAttributeQueryQueueSize">100</s:key>
<s:key name="maxAttributeQueryThreads">2</s:key>
<s:key name="nameIdFormat"></s:key>
<s:key name="protocol_endpoints">
<s:dict>
<s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
<s:key name="idpSLOUrl"></s:key>
<s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
<s:key name="issuerId"></s:key>
</s:dict>
</s:key>
<s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
<s:key name="redirectPort">12800</s:key>
<s:key name="replicateCertificates">1</s:key>
<s:key name="signAuthnRequest">1</s:key>
<s:key name="signatureAlgorithm">
<s:dict>
<s:key name="name">RSA-SHA1</s:key>
<s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
</s:dict>
</s:key>
<s:key name="signedAssertion">1</s:key>
<s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
<s:key name="skipAttributeQueryRequestForUsers">
<s:list/>
</s:key>
<s:key name="sloBinding">HTTPPost</s:key>
<s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslAltNameToCheck"></s:key>
<s:key name="sslCommonNameToCheck"></s:key>
<s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslKeysfilePassword">******</s:key>
<s:key name="sslVerifyServerCert">false</s:key>
<s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
<s:key name="ssoBinding">HTTPPost</s:key>
<s:key name="uiStatusPage">/account/status</s:key>
</s:dict>
</content>
</entry>
POST
Create a new SAML configuration.
Request parameters
| Name | Description |
|---|---|
| allowSslCompression | Indicates whether ssl data compression is enabled. |
| attributeAliasMail | Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'. |
| attributeAliasRealName | Specifies which SAML attribute maps to 'realName'. Defaults to realName.
|
| attributeAliasRole | Specifies which SAML attribute maps to role. Defaults to role.
|
| attributeQueryRequestSigned | Indicates whether Attribute Queries should be signed. |
| attributeQueryResponseSigned | Indicates whether Attribute Query responses should be signed. |
| attributeQuerySoapPassword | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQuerySoapUsername | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQueryTTL | ttl (time to live) for the Attribute Query credentials cache. |
| blacklistedAutoMappedRoles | Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response. |
| blacklistedUsers | Comma separated list of user names from the IDP response to be blacklisted by Splunk software. |
| caCertFile | File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem |
| cipherSuite | Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
|
| defaultRoleIfMissing | Default role to use if no role is returned in a SAML response. |
| ecdhCurves | EC curves for ECDH/ECDHE key exchange - ssl setting. |
| entityId | Required. Unique id preconfigured by the IdP. |
| errorUrL | URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or the Splunk deployment. |
| errorUrlLabel | Label or title of the content to which errorUrl points. Defaults to Click here to resolve SAML error..
|
| fqdn | Load balancer url. |
| idpAttributeQueryUrl | IdP attribute query url where SAML attribute queries are sent. |
| idpCertPath | Path for IdP certificate. |
| idpMetadataFile | Full path to idpMetadata on disk. Used to retrieve IdP information such as idpSLOUrl, idpSSOUrl, and signing certificate. |
| idpSLOUrl | IdP sso url where SAML SSO requests are sent. |
| idpSSOUrl | Required. IdP SSO url where SAML SLO requests are sent. |
| name | Required. Configuration stanza name. |
| nameIdFormat | Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| redirectAfterLogoutToUrl | Redirect URL after user logout If no SLO URL is configured. |
| redirectPort | Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The
|
| signAuthnRequest | Indicates whether to sign authentication requests. |
| signatureAlgorithm | Applicable only for redirect binding. Indicates the signature algorithm used for a SP-initiated SAML request when signedAuthnRequest is set to true.
Possible values are:
|
| signedAssertion | Indicates whether to sign SAML assertions. |
| skipAttributeQueryRequestForUsers | Used in conjunction with defaultRoleIFMissing. Indicates whether to skip Attribute Queries for some users.
|
| sloBinding | Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
| sslAltNameToCheck | Alternate name to check in the peer certificate. |
| sslCommonNameToCheck | Common name to check in the peer certificate. |
| sslKeysfile | Location of service provider private key. |
| sslKeysfilePassword | SSL password. |
| sslVerifyServerCert | Indicates whether to verify peer certificate. |
| sslVersions | SSL versions. |
| ssoBinding | Binding used when making a SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
Response keys
None.
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/authentication/providers/SAML -d "name=saml-test" -d "idpSSOUrl=https://saml-idp:9999/idp/SSO.saml2" -d "idpAttributeQueryUrl=https://saml-idp:9999/idp/attrsvc.ssaml2" -d "entityId=saml-test-entity" -d "attributeQuerySoapPassword=splunk" -d "attributeQuerySoapUsername=test_ping"
XML Response
<title>SAML-auth</title>
<id>https://localhost:8089/services/authentication/providers/SAML</id>
<updated>2017-04-10T23:26:35+00:00</updated>
<generator build="a8914247a786" version="6.5.1612"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/SAML/_new" rel="create"/>
<link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>saml-test</title>
<id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
<updated>2017-04-10T23:26:35+00:00</updated>
<link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="allowSslCompression">true</s:key>
<s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
<s:key name="attributeQueryRequestSigned">1</s:key>
<s:key name="attributeQueryResponseSigned">1</s:key>
<s:key name="attributeQuerySoapPassword">******</s:key>
<s:key name="attributeQuerySoapUsername">test_ping</s:key>
<s:key name="attributeQueryTTL">3600</s:key>
<s:key name="attribute_aliases"/>
<s:key name="blacklistedAutoMappedRoles">
<s:list/>
</s:key>
<s:key name="blacklistedUsers">
<s:list/>
</s:key>
<s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
<s:key name="cipherSuite"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="ecdhCurves"></s:key>
<s:key name="entityId">saml-test-entity</s:key>
<s:key name="errorUrl"></s:key>
<s:key name="errorUrlLabel"></s:key>
<s:key name="fqdn">http://so1</s:key>
<s:key name="idpCertChains">
<s:list/>
</s:key>
<s:key name="idpCertPath"></s:key>
<s:key name="maxAttributeQueryQueueSize">100</s:key>
<s:key name="maxAttributeQueryThreads">2</s:key>
<s:key name="nameIdFormat"></s:key>
<s:key name="protocol_endpoints">
<s:dict>
<s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
<s:key name="idpSLOUrl"></s:key>
<s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
<s:key name="issuerId"></s:key>
</s:dict>
</s:key>
<s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
<s:key name="redirectPort">12800</s:key>
<s:key name="replicateCertificates">1</s:key>
<s:key name="signAuthnRequest">1</s:key>
<s:key name="signatureAlgorithm">
<s:dict>
<s:key name="name">RSA-SHA1</s:key>
<s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
</s:dict>
</s:key>
<s:key name="signedAssertion">1</s:key>
<s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
<s:key name="skipAttributeQueryRequestForUsers">
<s:list/>
</s:key>
<s:key name="sloBinding">HTTPPost</s:key>
<s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslAltNameToCheck"></s:key>
<s:key name="sslCommonNameToCheck"></s:key>
<s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslKeysfilePassword">******</s:key>
<s:key name="sslVerifyServerCert">false</s:key>
<s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
<s:key name="ssoBinding">HTTPPost</s:key>
<s:key name="uiStatusPage">/account/status</s:key>
</s:dict>
</content>
</entry>
authentication/providers/SAML/{stanza_name}
https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}
GET
Access a SAML configuration.
Request parameters
None.
Response keys
| Name | Description |
|---|---|
| allowSslCompression | Indicates whether ssl data compression is enabled. |
| assertionConsumerServiceUrl | Endpoint where SAML assertions are posted by the IdP. |
| attributeAliasMail | Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'. |
| attributeAliasRealName | Specifies which SAML attribute maps to 'realName'. Defaults to realName.
|
| attributeAliasRole | Specifies which SAML attribute maps to role. Defaults to role.
|
| attributeQueryRequestSigned | Indicates whether Attribute Queries should be signed. |
| attributeQueryResponseSigned | Indicates whether Attribute Query responses should be signed. |
| attributeQuerySoapPassword | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQuerySoapUsername | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQueryTTL | ttl (time to live) for the Attribute Query credentials cache. |
| blacklistedAutoMappedRoles | Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response. |
| blacklistedUsers | Comma separated list of user names from the IDP response to be blacklisted by Splunk software. |
| caCertFile | File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem |
| cipherSuite | Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
|
| defaultRoleIfMissing | Default role to use if no role is returned in a SAML response. |
| ecdhCurves | EC curves for ECDH/ECDHE key exchange - ssl setting. |
| entityId | Unique id preconfigured by the IdP. |
| errorUrL | URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or Splunk deployment. |
| errorUrlLabel | Label or title of the content to which errorUrl points. Defaults to Click here to resolve SAML error..
|
| fqdn | Load balancer url. |
| idpAttributeQueryUrl | IdP attribute query url where SAML attribute queries are sent. |
| idpCertPath | Path for IdP certificate. |
| idpSLOUrl | IdP sso url where SAML SSO requests are sent. |
| idpSSOUrl | IdP SSO url where SAML SLO requests are sent. |
| maxAttributeQueryQueueSize | Maximum number of Attribute jobs to queue. |
| maxAttributeQueryThreads | Maximum number of threads for asynchronous Attribute Queries. |
| name | Configuration stanza name. |
| nameIdFormat | Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| redirectAfterLogoutToUrl | Redirect URL after user logout If no SLO URL is configured. |
| redirectPort | Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The
|
| signAuthnRequest | Indicates whether to sign authentication requests. |
| signatureAlgorithm | Applicable only for redirect binding. Indicates the signature algorithm used for a SP-initiated SAML request when signedAuthnRequest is set to true.
Possible values are:
|
| signedAssertion | Indicates whether to sign SAML assertions. |
| singleLogoutServiceUrl | URL where the IdP posts SAML Single Logout responses. |
| skipAttributeQueryRequestForUsers | Used in conjunction with defaultRoleIFMissing. Indicates whether to skip Attribute Queries for some users.
|
| sloBinding | Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
| spCertPath | Service provider certificate path. |
| sslAltNameToCheck | Alternate name to check in the peer certificate. |
| sslCommonNameToCheck | Common name to check in the peer certificate. |
| sslKeysfile | Location of service provider private key. |
| sslKeysfilePassword | SSL password. |
| sslVerifyServerCert | Indicates whether to verify peer certificate. |
| sslVersions | SSL versions. |
| ssoBinding | Binding used when making a SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
| uiStatusPage | Splunk Web page for redirecting users in case of errors. |
Example request and response
XML Request
curl -k -u admin:password https://localhost:8089/services/authentication/providers/SAML/saml_settings
XML Response
<title>SAML-auth</title>
<id>https://localhost:8089/services/authentication/providers/SAML</id>
<updated>2017-04-10T23:29:58+00:00</updated>
<generator build="a8914247a786" version="6.5.1612"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/SAML/_new" rel="create"/>
<link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>saml-test</title>
<id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
<updated>2017-04-10T23:29:58+00:00</updated>
<link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
<link href="/services/authentication/providers/SAML/saml-test/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="allowSslCompression">true</s:key>
<s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
<s:key name="attributeQueryRequestSigned">1</s:key>
<s:key name="attributeQueryResponseSigned">1</s:key>
<s:key name="attributeQuerySoapPassword">******</s:key>
<s:key name="attributeQuerySoapUsername">test_ping</s:key>
<s:key name="attributeQueryTTL">3600</s:key>
<s:key name="attribute_aliases"/>
<s:key name="blacklistedAutoMappedRoles">
<s:list/>
</s:key>
<s:key name="blacklistedUsers">
<s:list/>
</s:key>
<s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
<s:key name="cipherSuite"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>allowSslCompression</s:item>
<s:item>attributeAliasMail</s:item>
<s:item>attributeAliasRealName</s:item>
<s:item>attributeAliasRole</s:item>
<s:item>attributeQueryRequestSigned</s:item>
<s:item>attributeQueryResponseSigned</s:item>
<s:item>attributeQuerySoapPassword</s:item>
<s:item>attributeQuerySoapUsername</s:item>
<s:item>attributeQueryTTL</s:item>
<s:item>blacklistedAutoMappedRoles</s:item>
<s:item>blacklistedUsers</s:item>
<s:item>caCertFile</s:item>
<s:item>cipherSuite</s:item>
<s:item>defaultRoleIfMissing</s:item>
<s:item>ecdhCurveName</s:item>
<s:item>ecdhCurves</s:item>
<s:item>entityId</s:item>
<s:item>errorUrl</s:item>
<s:item>errorUrlLabel</s:item>
<s:item>fqdn</s:item>
<s:item>idpAttributeQueryUrl</s:item>
<s:item>idpCertChains</s:item>
<s:item>idpCertPath</s:item>
<s:item>idpCertificatePayload</s:item>
<s:item>idpMetadataFile</s:item>
<s:item>idpMetadataPayload</s:item>
<s:item>idpSLOUrl</s:item>
<s:item>idpSSOUrl</s:item>
<s:item>issuerId</s:item>
<s:item>nameIdFormat</s:item>
<s:item>redirectAfterLogoutToUrl</s:item>
<s:item>redirectPort</s:item>
<s:item>replicateCertificates</s:item>
<s:item>signAuthnRequest</s:item>
<s:item>signatureAlgorithm</s:item>
<s:item>signedAssertion</s:item>
<s:item>skipAttributeQueryRequestForUsers</s:item>
<s:item>sloBinding</s:item>
<s:item>sslAltNameToCheck</s:item>
<s:item>sslCommonNameToCheck</s:item>
<s:item>sslKeysfile</s:item>
<s:item>sslKeysfilePassword</s:item>
<s:item>sslVerifyServerCert</s:item>
<s:item>sslVersions</s:item>
<s:item>ssoBinding</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="ecdhCurves"></s:key>
<s:key name="entityId">saml-test-entity</s:key>
<s:key name="errorUrl"></s:key>
<s:key name="errorUrlLabel"></s:key>
<s:key name="fqdn">http://so1</s:key>
<s:key name="idpCertChains">
<s:list/>
</s:key>
<s:key name="idpCertPath"></s:key>
<s:key name="maxAttributeQueryQueueSize">100</s:key>
<s:key name="maxAttributeQueryThreads">2</s:key>
<s:key name="nameIdFormat"></s:key>
<s:key name="protocol_endpoints">
<s:dict>
<s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
<s:key name="idpSLOUrl"></s:key>
<s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
<s:key name="issuerId"></s:key>
</s:dict>
</s:key>
<s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
<s:key name="redirectPort">12800</s:key>
<s:key name="replicateCertificates">1</s:key>
<s:key name="signAuthnRequest">1</s:key>
<s:key name="signatureAlgorithm">
<s:dict>
<s:key name="name">RSA-SHA1</s:key>
<s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
</s:dict>
</s:key>
<s:key name="signedAssertion">1</s:key>
<s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
<s:key name="skipAttributeQueryRequestForUsers">
<s:list/>
</s:key>
<s:key name="sloBinding">HTTPPost</s:key>
<s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslAltNameToCheck"></s:key>
<s:key name="sslCommonNameToCheck"></s:key>
<s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslKeysfilePassword">******</s:key>
<s:key name="sslVerifyServerCert">false</s:key>
<s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
<s:key name="ssoBinding">HTTPPost</s:key>
<s:key name="uiStatusPage">/account/status</s:key>
</s:dict>
</content>
</entry>
POST
Update a SAML configuration.
Request parameters
| Name | Description |
|---|---|
| allowSslCompression | Indicates whether ssl data compression is enabled. |
| attributeAliasMail | Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'. |
| attributeAliasRealName | Specifies which SAML attribute maps to 'realName'. Defaults to realName.
|
| attributeAliasRole | Specifies which SAML attribute maps to role. Defaults to role.
|
| attributeQueryRequestSigned | Indicates whether Attribute Queries should be signed. |
| attributeQueryResponseSigned | Indicates whether Attribute Query responses should be signed. |
| attributeQuerySoapPassword | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQuerySoapUsername | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQueryTTL | ttl (time to live) for the Attribute Query credentials cache. |
| blacklistedAutoMappedRoles | Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response. |
| blacklistedUsers | Comma separated list of user names from the IDP response to be blacklisted by Splunk software. |
| caCertFile | File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem |
| cipherSuite | Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
|
| defaultRoleIfMissing | Default role to use if no role is returned in a SAML response. |
| ecdhCurves | EC curves for ECDH/ECDHE key exchange - ssl setting. |
| entityId | Required. Unique id preconfigured by the IdP. |
| errorUrL | URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or the Splunk deployment. |
| errorUrlLabel | Label or title of the content to which errorUrl points. Defaults to Click here to resolve SAML error..
|
| fqdn | Load balancer url. |
| idpAttributeQueryUrl | IdP attribute query url where SAML attribute queries are sent. |
| idpCertPath | Path for IdP certificate. |
| idpSLOUrl | IdP sso url where SAML SSO requests are sent. |
| idpSSOUrl | Required. IdP SSO url where SAML SLO requests are sent. |
| name | Required. Configuration stanza name. |
| nameIdFormat | Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| redirectAfterLogoutToUrl | Redirect URL after user logout If no SLO URL is configured. |
| redirectPort | Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The
|
| signAuthnRequest | Indicates whether to sign authentication requests. |
| signatureAlgorithm | Applicable only for redirect binding. Indicates the signature algorithm used for a SP-initiated SAML request when signedAuthnRequest is set to true.
Possible values are:
|
| signedAssertion | Indicates whether to sign SAML assertions. |
| skipAttributeQueryRequestForUsers | Used in conjunction with defaultRoleIFMissing. Indicates whether to skip Attribute Queries for some users.
|
| sloBinding | Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
| sslAltNameToCheck | Alternate name to check in the peer certificate. |
| sslCommonNameToCheck | Common name to check in the peer certificate. |
| sslKeysfile | Location of service provider private key. |
| sslKeysfilePassword | SSL password. |
| sslVerifyServerCert | Indicates whether to verify peer certificate. |
| sslVersions | SSL versions. |
| ssoBinding | Binding used when making a SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
|
Response keys
None
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/authentication/providers/SAML/saml-test -d "entityId=someOtherEntityId"
XML Response
<title>SAML-auth</title>
<id>https://localhost:8089/services/authentication/providers/SAML</id>
<updated>2017-04-10T23:30:41+00:00</updated>
<generator build="a8914247a786" version="6.5.1612"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/providers/SAML/_new" rel="create"/>
<link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>saml-test</title>
<id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
<updated>2017-04-10T23:30:41+00:00</updated>
<link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
<link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="allowSslCompression">true</s:key>
<s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
<s:key name="attributeQueryRequestSigned">1</s:key>
<s:key name="attributeQueryResponseSigned">1</s:key>
<s:key name="attributeQuerySoapPassword">******</s:key>
<s:key name="attributeQuerySoapUsername">test_ping</s:key>
<s:key name="attributeQueryTTL">3600</s:key>
<s:key name="attribute_aliases"/>
<s:key name="blacklistedAutoMappedRoles">
<s:list/>
</s:key>
<s:key name="blacklistedUsers">
<s:list/>
</s:key>
<s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
<s:key name="cipherSuite"></s:key>
<s:key name="defaultRoleIfMissing"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="ecdhCurves"></s:key>
<s:key name="entityId">someOtherEntityId</s:key>
<s:key name="errorUrl"></s:key>
<s:key name="errorUrlLabel"></s:key>
<s:key name="fqdn">http://so1</s:key>
<s:key name="idpCertChains">
<s:list/>
</s:key>
<s:key name="idpCertPath"></s:key>
<s:key name="maxAttributeQueryQueueSize">100</s:key>
<s:key name="maxAttributeQueryThreads">2</s:key>
<s:key name="nameIdFormat"></s:key>
<s:key name="protocol_endpoints">
<s:dict>
<s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
<s:key name="idpSLOUrl"></s:key>
<s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
<s:key name="issuerId"></s:key>
</s:dict>
</s:key>
<s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
<s:key name="redirectPort">12800</s:key>
<s:key name="replicateCertificates">1</s:key>
<s:key name="signAuthnRequest">1</s:key>
<s:key name="signatureAlgorithm">
<s:dict>
<s:key name="name">RSA-SHA1</s:key>
<s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
</s:dict>
</s:key>
<s:key name="signedAssertion">1</s:key>
<s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
<s:key name="skipAttributeQueryRequestForUsers">
<s:list/>
</s:key>
<s:key name="sloBinding">HTTPPost</s:key>
<s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslAltNameToCheck"></s:key>
<s:key name="sslCommonNameToCheck"></s:key>
<s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
<s:key name="sslKeysfilePassword">******</s:key>
<s:key name="sslVerifyServerCert">false</s:key>
<s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
<s:key name="ssoBinding">HTTPPost</s:key>
<s:key name="uiStatusPage">/account/status</s:key>
</s:dict>
</content>
</entry>
authentication/providers/SAML/{stanza_name}/enable
https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}/enable
POST
Enable a SAML strategy.
Request parameters
None
Returned values
None
Example request
curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/SAML/my_strategy/enable
authentication/providers/SAML/{stanza_name}/disable
https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}/disable
POST
Delete a SAML strategy.
Request parameters
None
Returned values
None
Example request
curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/SAML/my_strategy/disable
auth/login
https://<host>:<mPort>/services/auth/login
Get a session ID for use in subsequent API calls that require authentication. Set up cookie-based authorization.
The splunkd server supports token-based authentication using the standard HTTP authorization header. Before you can access Splunk Enterprise resources, you must authenticate with the splunkd server using your username and password.
Use cookie-based authorization
To use cookie-based authorization, first ensure that the allowCookieAuth setting is enabled in server.conf. By default, this setting is enabled in Splunk software versions 6.2 and later.
If allowCookieAuth is enabled, you can pass a cookie=1 parameter to the POST request on auth/login. As noted in the Response data keys section below, a Set-Cookie header is returned. This header must be used in subsequent requests.
Any request authenticated using a cookie may include a new Set-Cookie header in its response. Use this new cookie value in any subsequent requests.
If you do not receive a Set-Cookie header in response to the auth/login POST request but login succeeded, you can use the standard Authorization:Splunk... header with the session key for authorization.
See also
POST
Get a session ID for use in subsequent API calls that require authentication. Optionally, use cookie-based authentication or multifactor authentication.
Request parameters
| Name | Type | Description |
|---|---|---|
| cookie | Boolean, only used value is 1. | To use cookie-based REST auth, pass in cookie=1. Cookies will only be returned if the cookie parameter is passed in with the value of 1.
|
| password | String | Required. Current username password. |
| passcode | String | Required for users with RSA multifactor authentication. The passcode associated with RSA multifactor authentication. This is a combination of the user's RSA token and PIN. |
| username | String | Required. Authenticated session owner name. |
Response data keys
- Note: Only a
<response>element is returned instead of a full <atom> feed.
| Name | Description |
|---|---|
| sessionKey | Session ID. |
A Set-Cookie HTTP header is returned if cookie-based authentication is requested.
Failure to authenticate returns the following response.
<response>
<messages>
<msg type="WARN">Login failed</msg>
</messages>
</response>
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/auth/login -d username=admin -d password=changeme
XML Response
<response>
<sessionKey>192fd3e46a31246da7ea7f109e7f95fd</sessionKey>
</response>
Example request and response using RSA passcode
XML Request
curl -k https://tsen-centos62x64-7:8089/services/auth/login -d username=john@test-splunk.com -d password=changed123 -d passcode='gq!k##9b'
XML Response
<response>
<sessionKey>8Q1QczpArNgKqfUmkmhwgiZVEr4^phZzEbX9NGonO^EdW8DOKXHR9iXNStzAEpVteSkShTxS^8QcyZ8zYj4P812iRBskRurK_RZ2dEy7FZjYoaLG0wx2rkSS0sIc</sessionKey>
</response>
<messages>
<msg code=""></msg>
</messages>
</response>
Example failed login with missing RSA passcode
XML Request
curl -k https://tsen-centos62x64-7:8089/services/auth/login -d username=john@test-splunk.com -d password='changed123:gq!k##9b'
XML Response
<response>
<messages>
<msg type="WARN" code="incorrect_username_or_password">Login failed</msg>
</messages>
</response>
authentication/current-context
https://<host>:<mPort>/services/authentication/current-context
Get the authenticated session owner username.
For additional information, see the following resources.
- auth/login
- List of available capabilities in Securing Splunk Enterprise.
GET
Get user information for the current context.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicates:true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | The role that determines the default app for the user, if the user has multiple roles. |
| User email address. | |
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Restart background search job that has not completed when Splunk restarts indication:true = Restart job.false = Do not restart job.
|
| roles | Roles assigned to the user. |
| type | User authentication system type:
|
| tz | User timezone. |
| username | Authenticated session owner name. |
Usage in search
Here is an example of calling this endpoint in a search command to get the current user.
... rest /services/authentication/current-context/context | fields + username ...
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/current-context
XML Response
.
.
.
<title>current-context</title>
<id>https://localhost:8089/services/authentication/current-context</id>
<updated>2014-06-30T11:26:19-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>context</title>
<id>https://localhost:8089/services/authentication/current-context/context</id>
<updated>2014-06-30T11:26:19-07:00</updated>
<link href="/services/authentication/current-context/context" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/current-context/context" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">changeme@example.com</s:key>
<s:key name="password">********</s:key>
<s:key name="realname">Administrator</s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
<s:key name="username">admin</s:key>
</s:dict>
</content>
</entry>
authentication/httpauth-tokens
https://<host>:<mPort>/services/authentication/httpauth-tokens
List currently active session IDs and users.
For additional information, see the following resources.
GET
List currently active session IDs/users.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| authString | Unique identifier for this session. |
| searchId | Search ID associated with the session, if it was created for a search job. If it is a login-type session, the value is empty. The session ID token is valid for the duration of the web session. |
| timeAccessed | Last time the session was touched. |
| userName | Username associated with the session. |
Usage in searches
Here is an example of calling this endpoint in a search.
| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens
XML Response
.
.
.
<title>httpauth-tokens</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens</id>
<updated>2014-06-30T11:28:04-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>15a773187d3e4437cbe9809f41f23d8f</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
<updated>2014-06-30T11:28:04-07:00</updated>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:28:04 2014</s:key>
<s:key name="userName">admin</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>694ef5bda40ae8c4f59626671b5f0c9a</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
<updated>2014-06-30T11:28:04-07:00</updated>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:26:09 2014</s:key>
<s:key name="userName">splunk-system-user</s:key>
</s:dict>
</content>
</entry>
authentication/httpauth-tokens/{name}
https://<host>:<mPort>/services/authentication/httpauth-tokens/<name>
Access or delete the {name} session, where {name} is the session ID returned by auth/login.
For additional information, see the following resources.
DELETE
Delete the session associated with this session ID.
Request parameters
None
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK
XML Response
.
.
.
<title>httpauth-tokens</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens</id>
<updated>2014-06-30T12:02:12-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>694ef5bda40ae8c4f59626671b5f0c9a</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
<updated>2014-06-30T12:02:12-07:00</updated>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:42:31 2014</s:key>
<s:key name="userName">splunk-system-user</s:key>
</s:dict>
</content>
</entry>
GET
Get session information.
Request parameters
None
Response keys
| Name | Description |
|---|---|
| authString | Unique session identifier. |
| searchId | Session search ID, if it is a search job session. The value is blank for a login-type session. |
| timeAccessed | Last time the session was touched. |
| userName | Username associated with the session. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK
XML Response
.
.
.
<title>httpauth-tokens</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens</id>
<updated>2014-06-30T11:39:52-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>15a773187d3e4437cbe9809f41f23d8f</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
<updated>2014-06-30T11:39:52-07:00</updated>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:39:52 2014</s:key>
<s:key name="userName">admin</s:key>
</s:dict>
</content>
</entry>
authentication/users
https://<host>:<mPort>/services/authentication/users
List current users and create new users.
For additional information about configuring users and roles, see the following resources in Securing Splunk Enterprise.
Authentication and authorization
Requires the edit_user capability.
GET
List current users.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicates:true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | The role that determines the default app for the user, if the user has multiple roles. |
| User email address. | |
| locked-out | Returns 1 if the user is locked out, and 0 if the user is not locked out.
|
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Restart background search job that has not completed when Splunk restarts indication:true = Restart job.false = Do not restart job.
|
| roles | Roles assigned to the user. |
| type | One of the following user authentication system types.
|
| tz | User timezone. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/users
XML Response
.
.
.
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:27:48-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/authentication/users/admin</id>
<updated>2014-06-30T12:27:48-07:00</updated>
<link href="/services/authentication/users/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/admin" rel="list"/>
<link href="/services/authentication/users/admin" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">changeme@example.com</s:key>
<s:key name="password">********</s:key>
<s:key name="realname">Administrator</s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:27:48-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">0</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
POST
Create a user.
Usage details
When creating a user you must specify at least one role.
Specify one or more roles for the user. You can create a new role for the user by setting the createrole parameter to "true" and specify the new role name as a roles parameter value.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| createrole | Boolean | Flag to indicate that a new role should be created for the user. If set to "true", the new role user-<name> is created and assigned to the user. The <name> portion of the new role matches the name parameter value passed in with this POST request. If set to "false", at least one existing role must be specified using the roles parameter for the POST request.
Defaults to "false". |
| defaultApp | String | User default app. Overrides the default app inherited from the user roles. |
| String | User email address. | |
| force-change-pass | Boolean | Force user to change password indication:true = Force password change.false = Do not force password change.
|
| name | String | Required. Unique user login name. |
| password | String | User login password. |
| realname | String | Full user name. |
| restart_background_jobs | Boolean | Restart background search job that has not completed when Splunk restarts indication:true = Restart job.false = Do not restart job.
|
| roles | String | Role to assign to this user. To assign multiple roles, pass in each role using a separate roles parameter value.For example, -d roles="role1", -d roles="role2". At least one existing role is required if you are not using the createrole parameter to create a new role for the user. If you are using createrole to create a new role, you can optionally use this parameter to specify additional roles to assign to the user.
|
| tz | String | User timezone. |
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/users -d name=User1 -d password=changeme -d roles=admin
XML Response
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:18:19-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:18:19-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">0</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
authentication/users/{name}
https://<host>:<mPort>/services/authentication/users/{name}
Access and update user information or delete the {name}> user.
Usage details
The /{name} username portion of the URL is not case sensitive.
For additional information about user capabiilties, see the following resource in Securing Splunk Enterprise.
Authentication and authorization
Requires the edit_user capability.
DELETE
Remove the specified user from the system.
Request parameters
None
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/users/user1
XML Response
.
.
.
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:51:09-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/authentication/users/admin</id>
<updated>2014-06-30T12:51:09-07:00</updated>
<link href="/services/authentication/users/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/admin" rel="list"/>
<link href="/services/authentication/users/admin" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">changeme@example.com</s:key>
<s:key name="password">********</s:key>
<s:key name="realname">Administrator</s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
GET
Return information for the specified user.
Request parameters
None
Response keys
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicator.true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | Role that determines the default app for the user, if the user has multiple roles. |
| User email address | |
| locked-out | Returns 1 if the user is locked out, and 0 if the user is not locked out.
|
| password | User password |
| realname | User full name |
| restart_background_jobs | Indicates whether incomplete background search jobs restart when the Splunk deployment restarts.true = Restart jobs.false = Do not restart jobs.
|
| roles | Roles assigned to the user. |
| type | One of the following user authentication system types.
|
| tz | User timezone. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1
XML Response
.
.
.
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:39:18-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:39:18-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">0</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>defaultApp</s:item>
<s:item>email</s:item>
<s:item>force-change-pass</s:item>
<s:item>password</s:item>
<s:item>realname</s:item>
<s:item>restart_background_jobs</s:item>
<s:item>roles</s:item>
<s:item>tz</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
POST
Update the specified user.
Request parameters
| Name | Type | Description |
|---|---|---|
| defaultApp | String | User default app. This overrides the default app inherited from the user roles. |
| String | User email address. | |
| force-change-pass | Boolean | Indicates whether to force user password change. true = Force password change.false = Do not force password change.
|
| oldpassword | String | Old user login password. Only required if using the password parameter to change the current user's password. |
| password | String | Required. User login password. To change the user password, enter the new user login password here. To change the current user's password, also supply the old password in the oldpassword parameter. |
| realname | String | Full user name. |
| restart_background_jobs | Boolean | Indicates whether to restart background search job that has not completed when the Splunk deployment restarts. true = Restart job.false = Do not restart job.
|
| roles | String | Role to assign to this user. To assign multiple roles, pass in each role using a separate roles parameter value.For example, -d roles="role1", -d roles="role2". At least one existing role is required if you are not using the createrole parameter to create a new role for the user. If you are using createrole to create a new role, you can optionally use this parameter to specify additional roles to assign to the user.
|
| tz | String | User timezone. |
Response keys
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicator. true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | Role that determines the default app for the user, if the user has multiple roles. |
| User email address. | |
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Indicates whether to restart background search job that has not completed when the Splunk deployment restarts. true = Restart job.false = Do not restart job.
|
| roles | Roles assigned to the user. |
| type | One of the following user authentication system types.
|
| tz | User timezone. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1 -d defaultApp=launcher
XML Response
.
.
.
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:45:23-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:45:23-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
authorization/capabilities
https://<host>:<mPort>/services/authorization/capabilities
Access system capabilities.
GET
List system capabiilities.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/capabilities
XML Response
.
.
.
<title>capabilities</title>
<id>https://localhost:8089/services/authorization/capabilities</id>
<updated>2014-06-30T12:56:35-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>capabilities</title>
<id>https://localhost:8089/services/authorization/capabilities/capabilities</id>
<updated>2014-06-30T12:56:35-07:00</updated>
<link href="/services/authorization/capabilities/capabilities" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/capabilities/capabilities" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>delete_by_keyword</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>use_file_operator</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
authorization/fieldfilters
https://<host>:<mPort>/services/authorization/fieldfilters
Create a field filter or get a list of field filters. See Protect PII, PHI, and other sensitive data with field filters in Securing Splunk Platform.
READ THIS FIRST: Should you deploy field filters in your organization?
Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, and tstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters in Securing Splunk platform.
GET
List all field filters. To use GET with this endpoint, you must be a member of the admin, sc_admin, or power user role.
Request parameters
None
Response keys
| Name | Description |
|---|---|
| "name": "A field filter name" |
The name of the field filter. Field filter names can contain only alphanumeric characters and underscores ( _ ). Spaces and special symbols are not allowed. |
| action.field | The name of the field to filter for this action. |
| action.operator | The operator for the action. Operators for actions are described as follows:
|
| "description": "A field filter description" |
Stores a description of the field filter. |
| "index": "One or more index names" |
Specifies an index name or a list of comma-separated index names of the target indexes you want to search that contain the data you want to protect. If an index is not specified, all indexes are searched. |
| limit.key | The key for the field filter limit, which limits the field filter to events with a specific target host, source, or sourcetype. You can specify only one value. If the limit key is empty, the field filter doesn't apply to events with a specific host, source, or sourcetype. Limit statements that include wildcards or the following operators are not supported: AND, OR. |
| limit.value | The value for the limit, which is a sequence of characters enclosed in double quotation marks ( " ) that represents the name of the hosts, the sources, or the source types. The limit value can be a value or a list of comma-separated values for the specified limit. |
| "roleExemptions": [ list of exempted roles ] |
A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions. |
Example request and response
XML Request
$ curl -sk -u admin:changeme https://localhost:8106/services/authorization/fieldfilters
XML Response
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>fieldfilters</title>
<id>https://localhost:8106/services/authorization/fieldfilters</id>
<updated>2023-09-07T20:54:51+00:00</updated>
<generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/fieldfilters/_new" rel="create"/>
<link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
<link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>demofilter</title>
<id>https://localhost:8106/servicesNS/nobody/search/authorization/fieldfilters/demofilter</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="list"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="edit"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="remove"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="action">
<s:dict>
<s:key name="field">bytes</s:key>
<s:key name="operator">"HIDDEN"</s:key>
</s:dict>
</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="limit"/>
<s:key name="roleExemptions">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a field filter. To use POST with this endpoint, you must be a member of the admin or sc_admin role.
Request parameters
None
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters/ -d name=demo_hash_filter -d action=\"fieldName\"=sha256\(\)
XML Response
If a filter filter with the specified name already exists, an error is returned. If the field filter is successfully created, the newly created field filter is returned.
The following is the XML response:
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>fieldfilters</title>
<id>https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters</id>
<updated>2023-09-07T22:11:14+00:00</updated>
<generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/_new" rel="create"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>demo_hash_filter</title>
<id>https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="list"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="edit"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="remove"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="action">
<s:dict>
<s:key name="field">fieldName</s:key>
<s:key name="operator">sha256()</s:key>
</s:dict>
</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="limit"/>
<s:key name="roleExemptions">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
authorization/fieldfilters/{name}
https://<host>:<mPort>/services/authorization/fieldfilters/<name>
Access, create, or delete properties for the {name} field filter. See Protect PII, PHI, and other sensitive data with field filters in Securing Splunk Platform.
READ THIS FIRST: Should you deploy field filters in your organization?
Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview, mstats, and tstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters in Securing Splunk platform.
DELETE
Delete the specified field filter. To use DELETE with this endpoint, you must be a member of the admin or sc_admin role.
Request parameters
None
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8106/services/authorization/fieldfilters/demo_hash_filter
XML Response
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>fieldfilters</title>
<id>https://localhost:8106/services/authorization/fieldfilters</id>
<updated>2023-09-07T22:22:48+00:00</updated>
<generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/fieldfilters/_new" rel="create"/>
<link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
<link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
GET
Retrieve details about a specific field filter. To use GET with this endpoint, you must be a member of the admin, sc_admin, or power user role.
Request parameters
None
Response keys
| "name": "A field filter name" |
The name of the field filter. Field filter names can contain only alphanumeric characters and underscores ( _ ). Spaces and special symbols are not allowed. |
| action.field | The name of the field to filter for this action. |
| action.operator | The operator for the action. Operators for actions are described as follows:
|
| "description": "A field filter description" |
Stores a description of the field filter. |
| "index": "One or more index names" |
Specifies an index name or a list of comma-separated index names of the target indexes you want to search that contain the data you want to protect. If an index is not specified, all indexes are searched. |
| limit.key | The key for the field filter limit, which limits the field filter to events with a specific target host, source, or sourcetype. You can specify only one value. If the limit key is empty, the field filter doesn't apply to events with a specific host, source, or sourcetype. Limit statements that include wildcards or the following operators are not supported: AND, OR. |
| limit.value | The value for the limit, which is a sequence of characters enclosed in double quotation marks ( " ) that represents the name of one or more hosts, sources, or source types. The limit value can be a value or a list of comma-separated values for the specified limit. |
| "roleExemptions": [ list of exempted roles ] |
A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8106/services/authorization/fieldfilters/demo_hash_filter
XML Response
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>fieldfilters</title>
<id>https://localhost:8106/services/authorization/fieldfilters</id>
<updated>2023-09-07T22:14:08+00:00</updated>
<generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/fieldfilters/_new" rel="create"/>
<link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
<link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>demo_hash_filter</title>
<id>https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="list"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="edit"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="remove"/>
<link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="action">
<s:dict>
<s:key name="field">fieldName</s:key>
<s:key name="operator">sha256()</s:key>
</s:dict>
</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="limit"/>
<s:key name="roleExemptions">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update the specified field filter with the field values provided. To use POST with this endpoint, you must be a member of the admin or sc_admin role.
Request parameters
| Name | Description |
|---|---|
| action.field | The name of the field to filter for this action. Only one field can be specified per request. |
| action.operator | The operator for the action. Operators for actions are described as follows:
|
| description = <string> | Stores a description of the field filter. |
| "index": "One or more index names" |
Specifies an index name or a list of comma-separated index names of the target indexes you want to search that contain the data you want to protect. If an index is not specified, all indexes are searched. |
| limit.key | The key for the field filter limit, which limits the field filter to events with a specific target host, source, or sourcetype. You can specify only one value. If the limit key is empty, the field filter doesn't apply to events with a specific host, source, or sourcetype. Limit statements that include wildcards or the following operators are not supported: AND, OR. |
| limit.value | The value for the limit, which is a sequence of characters enclosed in double quotation marks ( " ) that represents the name of one or more hosts, sources, or source types. The limit value can be a value or a list of comma-separated values for the specified limit. |
| "roleExemptions": [ list of exempted roles ] |
A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions. |
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8106/services/authorization/fieldfilters/demo_hash_filter -d limit=host::abc
XML Response
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>fieldfilters</title>
<id>https://localhost:8106/services/authorization/fieldfilters</id>
<updated>2023-09-07T22:17:00+00:00</updated>
<generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/fieldfilters/_new" rel="create"/>
<link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
<link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>demo_hash_filter</title>
<id>https://localhost:8106/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="list"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="edit"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="remove"/>
<link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="action">
<s:dict>
<s:key name="field">fieldName</s:key>
<s:key name="operator">sha256()</s:key>
</s:dict>
</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="limit">
<s:dict>
<s:key name="key">host</s:key>
<s:key name="value">abc</s:key>
</s:dict>
</s:key>
<s:key name="roleExemptions">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
authorization/grantable_capabilities
https://<host>:<mPort>/services/authorization/grantable_capabilities
Get a list of all capabilities that the current user can grant.
Authorization
Capabilities listed depend on the current user authorization. If the current user has the edit_roles capability, the response lists all capabilities. Otherwise, depending on the current user's edit_user permissions and configured grantableRoles in authorize.conf, the response lists only the capabilities that the current user can grant.
GET
List capabilities that the current user can grant.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| capabilities | For users with the edit_roles capability, lists all capabilities. For users with edit_roles_grantable, edit_user, and grantableRoles, lists only grantable capabilities.
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/grantable_capabilities
XML Response
<title>grantable_capabilities</title>
<id>https://localhost:8089/services/authorization/grantable_capabilities</id>
.
.
.
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/grantable_capabilities/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>capabilities</title>
<id>https://localhost:8089/services/authorization/grantable_capabilities/capabilities</id>
<updated>2015-10-06T17:44:09-07:00</updated>
<link href="/services/authorization/grantable_capabilities/capabilities" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/grantable_capabilities/capabilities" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>delete_by_keyword</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_roles_grantable</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_head_clustering</s:item>
<s:item>edit_search_scheduler</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_sourcetypes</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_token_http</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>license_view_warnings</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_introspection</s:item>
<s:item>list_search_head_clustering</s:item>
<s:item>list_search_scheduler</s:item>
<s:item>output_file</s:item>
<s:item>pattern_detect</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>use_file_operator</s:item>
<s:item>web_debug</s:item>
</s:list>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
authorization/roles
https://<host>:<mPort>/services/authorization/roles
Create a role or get a list of defined roles with role permissions.
For additional information, see the following resources in Securing Splunk Enterprise.
GET
List all roles and the permissions for each role.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| cumulativeRTSrchJobsQuota | Maximum number of concurrently running real-time searches for all role members. Warning message logged when limit is reached. |
| cumulativeSrchJobsQuota | Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached. |
| defaultApp | The name of the app to use as the default app for this role.
A user-specific default app overrides this. |
| fieldFilterExemption | A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions. |
| imported_capabilities | List of capabilities assigned to role made available from imported roles. |
| imported_roles | List of imported roles for this role.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions. |
| imported_rtSrchJobsQuota | The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.
imported_rtSrchJObsQuota specifies the quota imported from other roles. |
| imported_srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
imported_srchDiskQuota specifies the quota for this role that have imported from other roles. |
| imported_srchFilter | Search string, imported from other roles, that restricts the scope of searches run by this role.
Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR. |
| imported_srchIndexesAllowed | A list of indexes, imported from other roles, this role has permissions to search. |
| imported_srchIndexesDefault | A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search. |
| imported_srchJobsQuota | The maximum number of historical searches for this role that are imported from other roles. |
| imported_srchTimeWin | Maximum time span of a search, in seconds.
imported_srchTimeWin specifies the limit from imported roles. |
| rtSrchJobsQuota | The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit. |
| srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total. |
| srchFilter | Search string that restricts the scope of searches run by this role.
Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR. |
| srchIndexesAllowed | A list of indexes this role has permissions to search. |
| srchIndexesDefault | List of search indexes that default to this role when no index is specified. |
| srchJobsQuota | The maximum number of concurrent real time search jobs for this role.
This count is independent from the normal search jobs limit. |
| srchTimeWin | Maximum time span of a search, in seconds.
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles
XML Response
.
.
.
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>5</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/authorization/roles/admin</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/admin" rel="list"/>
<link href="/services/authorization/roles/admin" rel="edit"/>
<link href="/services/authorization/roles/admin" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>get_diag</s:item>
<s:item>indexes_edit</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>rest_apps_management</s:item>
<s:item>restart_splunkd</s:item>
<s:item>run_debug_commands</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">400</s:key>
<s:key name="cumulativeSrchJobsQuota">200</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>embed_report</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>rtsearch</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>power</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">20</s:key>
<s:key name="imported_srchDiskQuota">500</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">10</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">100</s:key>
<s:key name="srchDiskQuota">10000</s:key>
<s:key name="srchFilter">*</s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
<s:item>_*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
<s:item>os</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">50</s:key>
<s:key name="srchTimeWin">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>can_delete</title>
<id>https://localhost:8089/services/authorization/roles/can_delete</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/can_delete" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/can_delete" rel="list"/>
<link href="/services/authorization/roles/can_delete" rel="edit"/>
<link href="/services/authorization/roles/can_delete" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>delete_by_keyword</s:item>
<s:item>schedule_rtsearch</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>power</title>
<id>https://localhost:8089/services/authorization/roles/power</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/power" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/power" rel="list"/>
<link href="/services/authorization/roles/power" rel="edit"/>
<link href="/services/authorization/roles/power" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>embed_report</s:item>
<s:item>rtsearch</s:item>
<s:item>schedule_search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">200</s:key>
<s:key name="cumulativeSrchJobsQuota">100</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">20</s:key>
<s:key name="srchDiskQuota">500</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">10</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>splunk-system-role</title>
<id>https://localhost:8089/services/authorization/roles/splunk-system-role</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/splunk-system-role" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/splunk-system-role" rel="list"/>
<link href="/services/authorization/roles/splunk-system-role" rel="edit"/>
<link href="/services/authorization/roles/splunk-system-role" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">100</s:key>
<s:key name="cumulativeSrchJobsQuota">50</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">100</s:key>
<s:key name="imported_srchDiskQuota">10000</s:key>
<s:key name="imported_srchFilter">*</s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
<s:item>_*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
<s:item>os</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">50</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>user</title>
<id>https://localhost:8089/services/authorization/roles/user</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/user" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/user" rel="list"/>
<link href="/services/authorization/roles/user" rel="edit"/>
<link href="/services/authorization/roles/user" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">100</s:key>
<s:key name="cumulativeSrchJobsQuota">50</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
POST
Create a user role.
Request parameters
| Name | Type | Description |
|---|---|---|
| capabilities | String | List of capabilities assigned to role. To send multiple capabilities, send this argument multiple times.
Roles inherit all capabilities from imported roles. |
| cumulativeRTSrchJobsQuota | Number | Maximum number of concurrently running real-time searches that all members of this role can have.
Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined. |
| cumulativeSrchJobsQuota | Number | Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.
Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined. |
| defaultApp | String | Specify the folder name of the default app to use for this role. A user-specific default app overrides this. |
| imported_roles | String | Specify a role to import attributes from. To import multiple roles, specify them separately. By default a role imports no other roles.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions. Default roles
You can specify additional roles created. |
| name required |
String | Required. The name of the user role to create. |
| rtSrchJobsQuota | Number | Specify the maximum number of concurrent real-time search jobs for this role.
This count is independent from the normal search jobs limit. |
| srchDiskQuota | Number | Specifies the maximum disk space in MB that can be used by a user's search jobs. For example, a value of 100 limits this role to 100 MB total.
|
| srchFilter | String | Specify a search string that restricts the scope of searches run by this role. Search results for this role only show events that also match the search string you specify. In the case that a user has multiple roles with different search filters, they are combined with an OR.
The search string can include search fields and the following terms.
Example: Note: You can also use the srchIndexesAllowed and srchIndexesDefault parameters to limit the search on indexes. |
| srchIndexesAllowed | String | Index that this role has permissions to search. Pass this argument once for each index that you want to specify. These may be wildcarded, but the index name must begin with an underscore to match internal indexes.
Search indexes available by default include the following.
You can also specify other search indexes added to the server. |
| srchIndexesDefault | String | For this role, indexes to search when no index is specified.
These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'. A user with this role can search other indexes using "index= " For example, "index=special_index". Search indexes available by default include the following.
|
| srchJobsQuota | Number | The maximum number of concurrent searches a user with this role is allowed to run. For users with multiple roles, the maximum quota value among all of the roles applies. |
| srchTimeWin | Number | Maximum time span of a search, in seconds.
By default, searches are not limited to any specific time window. To override any search time windows from imported roles, set srchTimeWin to '0', as the 'admin' role does. |
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles -d name=newrole1 -d imported_roles=user
XML Response
.
.
.
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:21:50-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>newrole1</title>
<id>https://localhost:8089/services/authorization/roles/newrole1</id>
<updated>2014-06-30T13:21:50-07:00</updated>
<link href="/services/authorization/roles/newrole1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/newrole1" rel="list"/>
<link href="/services/authorization/roles/newrole1" rel="edit"/>
<link href="/services/authorization/roles/newrole1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
authorization/roles/{name}
https://<host>:<mPort>/services/authorization/roles/<name>
Access, create, or delete properties for the {name} role.
For additional information, see the List of available capabilities in Securing Splunk Enterprise.
DELETE
Delete the specified role.
Request parameters
None
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authorization/roles/newrole1
XML Response
.
.
.
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:21:50-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>newrole1</title>
<id>https://localhost:8089/services/authorization/roles/newrole1</id>
<updated>2014-06-30T13:21:50-07:00</updated>
<link href="/services/authorization/roles/newrole1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/newrole1" rel="list"/>
<link href="/services/authorization/roles/newrole1" rel="edit"/>
<link href="/services/authorization/roles/newrole1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
GET
Access the specified role.
Request parameters
None
Response keys
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to this role. |
| cumulativeRTSrchJobsQuota | Maximum number of concurrently running real-time searches for all role members. A warning message is logged when this limit is reached. |
| cumulativeSrchJobsQuota | Maximum number of concurrently running searches for all role members. A warning message is logged when this limit is reached. |
| defaultApp | The name of the app to use as the default app for this role.
A user-specific default app overrides this. |
| fieldFilterExemption | A list of field filters from which this role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions. |
| imported_capabilities | List of capabilities assigned to the role that were made available from imported roles. |
| imported_roles | List of imported roles for this role.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions. |
| imported_rtSrchJobsQuota | The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.
imported_rtSrchJObsQuota specifies the quota imported from other roles. |
| imported_srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
imported_rtSrchJObsQuota specifies the quota imported from other roles. |
| imported_srchFilter | Search string, imported from other roles, that restricts the scope of searches run by this role.
Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an |
| imported_srchIndexesAllowed | A list of indexes, imported from other roles, that this role has permissions to search. |
| imported_srchIndexesDefault | A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search. |
| imported_srchJobsQuota | The maximum number of historical searches for this role that are imported from other roles. |
| imported_srchTimeWin | Maximum time span of a search, in seconds.
imported_srchTimeWin specifies the limit from imported roles. |
| rtSrchJobsQuota | The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit. |
| srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total. |
| srchFilter | Search string that restricts the scope of searches run by this role.
Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an |
| srchIndexesAllowed | A list of indexes this role has permissions to search. |
| srchIndexesDefault | List of search indexes that default to this role when no index is specified. |
| srchIndexesDisallowed | A list of indexes that this role does not have permission to search on or delete. |
| srchJobsQuota | The maximum number of concurrent real-time search jobs for this role.
This count is independent from the normal search jobs limit. |
| srchTimeWin | Maximum time span of a search, in seconds.
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/user
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/user
XML Response
<title>user</title>
<id>/services/authorization/roles/user</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/authorization/roles/user" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/user" rel="list"/>
<link href="/services/authorization/roles/user" rel="edit"/>
<link href="/services/authorization/roles/user" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>list_inputs</s:item>
<s:item>list_tokens_own</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">20</s:key>
<s:key name="cumulativeSrchJobsQuota">10</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="deleteIndexesAllowed">
<s:list/>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>capabilities</s:item>
<s:item>cumulativeRTSrchJobsQuota</s:item>
<s:item>cumulativeSrchJobsQuota</s:item>
<s:item>defaultApp</s:item>
<s:item>deleteIndexesAllowed</s:item>
<s:item>federatedProviders</s:item>
<s:item>fieldFilterLimit</s:item>
<s:item>grantable_roles</s:item>
<s:item>imported_roles</s:item>
<s:item>rtSrchJobsQuota</s:item>
<s:item>srchDiskQuota</s:item>
<s:item>srchFilter</s:item>
<s:item>srchIndexesAllowed</s:item>
<s:item>srchIndexesDefault</s:item>
<s:item>srchIndexesDisallowed</s:item>
<s:item>srchJobsQuota</s:item>
<s:item>srchTimeEarliest</s:item>
<s:item>srchTimeWin</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>fieldFilter\-.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="fieldFilter-bar">NULL</s:key>
<s:key name="fieldFilter-foo">sha256</s:key>
<s:key name="fieldFilterLimit">sourcetype::foobar</s:key>
<s:key name="grantable_roles">
<s:list/>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDisallowed">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeEarliest">-1</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">17</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDisallowed">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">16</s:key>
<s:key name="srchTimeEarliest">-1</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
POST
Update the specified role.
Request parameters
| Name | Type | Description |
|---|---|---|
| capabilities | String | List of capabilities assigned to this role. |
| cumulativeRTSrchJobsQuota | Number | Maximum number of concurrently running real-time searches for all role members. A warning message is logged when this limit is reached. |
| cumulativeSrchJobsQuota | Number | Maximum number of concurrently running searches for all role members. A warning message is logged when this limit is reached. |
| defaultApp | String | The folder name for the app to use as the default app for this role.
A user-specific default app overrides this. |
| imported_capabilities | String | List of capabilities assigned to the role that were made available from imported roles. |
| imported_roles | String | Add an imported role one at a time.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions. |
| imported_rtSrchJobsQuota | String | The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.
imported_rtSrchJObsQuota specifies the quota imported from other roles. |
| imported_srchDiskQuota | String | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
imported_rtSrchJObsQuota specifies the quota imported from other roles. |
| imported_srchFilter | String | Search string, imported from other roles, that restricts the scope of searches run by this role.
Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an |
| imported_srchIndexesAllowed | String | A list of indexes, imported from other roles, that this role has permissions to search. |
| imported_srchIndexesDefault | String | A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search. |
| imported_srchJobsQuota | String | The maximum number of historical searches for this role that are imported from other roles. |
| imported_srchTimeWin | String | Maximum time span of a search, in seconds.
imported_srchTimeWin specifies the limit from imported roles. |
| rtSrchJobsQuota | Number | The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit. |
| srchDiskQuota | Number | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total. |
| srchFilter | String | Search string that restricts the scope of searches run by this role.
Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an |
| srchIndexesAllowed | String | A list of indexes this role has permissions to search. |
| srchIndexesDefault | String | List of search indexes that default to this role when no index is specified. |
| srchIndexesDisallowed | String | A list of indexes that this role does not have permission to search on or delete. |
| srchJobsQuota | Number | The maximum number of concurrent real-time search jobs for this role.
This count is independent from the normal search jobs limit. |
| srchTimeWin | Number | Maximum time span of a search, in seconds.
|
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user fieldFilter-foo=sha256&fieldFilter-bar=NULL&fieldFilterLimit=sourcetype::foobar
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1 -d defaultApp=launcher
XML Response
<title>roles</title>
<id>/services/authorization/roles</id>
<updated>2022-01-26T15:46:33-08:00</updated>
<generator build="c96e1830f423ed31e033be95a0703e944ae27d25" version="20220124"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>user</title>
<id>/services/authorization/roles/user</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/authorization/roles/user" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/user" rel="list"/>
<link href="/services/authorization/roles/user" rel="edit"/>
<link href="/services/authorization/roles/user" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>list_inputs</s:item>
<s:item>list_tokens_own</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">20</s:key>
<s:key name="cumulativeSrchJobsQuota">10</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="deleteIndexesAllowed">
<s:list/>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="fieldFilter-bar">NULL</s:key>
<s:key name="fieldFilter-foo">sha256</s:key>
<s:key name="fieldFilterLimit">sourcetype::foobar</s:key>
<s:key name="grantable_roles">
<s:list/>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDisallowed">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeEarliest">-1</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">17</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDisallowed">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">16</s:key>
<s:key name="srchTimeEarliest">-1</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
Any Splunk roles that you create using this method will inherit a default set of capabilities. This inheritance occurs when you reload the authentication system. In search head clusters, this happens as part of configuration replication. You must manually reload the authentication system on standalone search heads for this inheritance to take effect.
authorization/tokens
https://<host>:<mPort>/services/authorization/tokens
Create, get information on, or modify tokens for authentication.
For additional information, see the following resources in Securing Splunk Enterprise.
- Set up authentication with tokens
- Create authentication tokens
- Manage or delete authentication tokens
GET
List information on tokens.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| username | The username whose tokens you want to see. Optional. If not provided, all tokens are displayed. |
| id | The ID of the token whose information you want to see. Optional. |
| status | Show only tokens of a specific status. Optional. Valid values are enabled or disabled.
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/tokens
XML Response
.
.
.
<title>tokens</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
<updated>2019-04-28T15:04:30-07:00</updated>
<generator build="6c6f0a269b91" version="7.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/tokens/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="list"/>
<link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="edit"/>
<link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="claims">
<s:dict>
<s:key name="aud">Tokentown</s:key>
<s:key name="exp">0</s:key>
<s:key name="iat">1556488991</s:key>
<s:key name="idp">splunk</s:key>
<s:key name="iss">admin from docs-unix-4</s:key>
<s:key name="nbr">1556488991</s:key>
<s:key name="roles">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="sub">admin</s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="headers">
<s:dict>
<s:key name="alg">HS512</s:key>
<s:key name="kid">splunk.secret</s:key>
<s:key name="ttyp">static</s:key>
<s:key name="ver">v1</s:key>
</s:dict>
</s:key>
<s:key name="lastUsed">0</s:key>
<s:key name="lastUsedIp"></s:key>
<s:key name="status">enabled</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Change the status of one or more tokens.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | The user of the token. Can be up to 1024 characters. |
| audience | String | The purpose for the token. Can be up to 256 characters. |
| expires_on | String | The time that the token expires. Can be either of an absolute time (ex.: 2019-02-09T07:35:00+07:00) or a relative time (ex.: +90d). This time cannot be in the past.
Note: If you specify |
| not_before | String | The time that the token becomes valid. Can be an absolute time or a relative time. This time cannot be in the past.
Note: If you specify |
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/tokens -d name=user12 -d audience=Users
XML Response
.
.
.
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tokens</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
<updated>2019-04-28T15:26:52-07:00</updated>
<generator build="6c6f0a269b91" version="7.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/tokens/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>tokens</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens/tokens</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/authorization/tokens/tokens" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/tokens/tokens" rel="list"/>
<link href="/services/authorization/tokens/tokens" rel="edit"/>
<link href="/services/authorization/tokens/tokens" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="id">a1afa1a74528731191ab3e597889b2013c57cc301e06a9cf4e86f8282144ba09</s:key>
<s:key name="token"><![CDATA[eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MSIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJhZG1pbiBmcm9tIGRvY3MtdW5peC00Iiwic3ViIjoidXNlcjEyIiwiYXVkIjoiVXNlcnMiLCJpZHAiOiJzcGx1bmsiLCJqdGkiOiJhMWFmYTFhNzQ1Mjg3MzExOTFhYjNlNTk3ODg5YjIwMTNjNTdjYzMwMWUwNmE5Y2Y0ZTg2ZjgyODIxNDRiYTA5IiwiaWF0IjoxNTU2NDkwNDEyLCJleHAiOjAsIm5iciI6MTU1NjQ5MDQxMn0.KQhlN5bdiEPVB_m85VV3CVIA_Ux5CI24AHoer6iElAbGLLPrwvN0ntHsagUFyrhk6edvDofRvG6Z1o5F4NS8Cg]]></s:key>
</s:dict>
</content>
</entry>
</feed>
authorization/tokens/{name}
https://<host>:<mPort>/services/authorization/tokens/name>
Get information on, modify, or delete authentication tokens for the {name} user.
For additional information, see the following resources in Securing Splunk Enterprise.
DELETE
Delete a token for the specified user.
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| id | The ID of the token you want to delete. Optional. If not specified, then all tokens that belong to {username} are deleted.
|
Example request and response
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/authorization/tokens/user12
XML Response
.
.
.
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tokens</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
<updated>2019-04-28T16:13:45-07:00</updated>
<generator build="6c6f0a269b91" version="7.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/tokens/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages>
<s:msg type="INFO">Token(s), removed.</s:msg>
</s:messages>
<entry>
<title>cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="list"/>
<link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="edit"/>
<link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="claims">
<s:dict>
<s:key name="aud">Tokentown</s:key>
<s:key name="exp">0</s:key>
<s:key name="iat">1556490311</s:key>
<s:key name="idp">splunk</s:key>
<s:key name="iss">admin from docs-unix-4</s:key>
<s:key name="nbr">1556490311</s:key>
<s:key name="roles">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="sub">admin</s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="headers">
<s:dict>
<s:key name="alg">HS512</s:key>
<s:key name="kid">splunk.secret</s:key>
<s:key name="ttyp">static</s:key>
<s:key name="ver">v1</s:key>
</s:dict>
</s:key>
<s:key name="lastUsed">0</s:key>
<s:key name="lastUsedIp"></s:key>
<s:key name="status">enabled</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a token for the specified username.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | The user of the token. Can be up to 1024 characters. |
| audience | String | The purpose for the token. Can be up to 256 characters. |
| expires_on | String | The time that the token expires. Can be either of an absolute time (ex.: 2019-02-09T07:35:00+07:00) or a relative time (ex.: +90d). This time cannot be in the past.
Note: If you specify |
| not_before | String | The time that the token becomes valid. Can be an absolute time or a relative time. This time cannot be in the past.
Note: If you specify |
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/authorization/tokens/user12 -d audience=Users -d expires_on=+90d@d
XML Response
.
.
.
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tokens</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
<updated>2019-04-28T15:26:52-07:00</updated>
<generator build="6c6f0a269b91" version="7.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/tokens/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>tokens</title>
<id>https://splunkaday-linux-current:8089/services/authorization/tokens/tokens</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/authorization/tokens/tokens" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/tokens/tokens" rel="list"/>
<link href="/services/authorization/tokens/tokens" rel="edit"/>
<link href="/services/authorization/tokens/tokens" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="id">a1afa1a74528731191ab3e597889b2013c57cc301e06a9cf4e86f8282144ba09</s:key>
<s:key name="token"><![CDATA[eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MSIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJhZG1pbiBmcm9tIGRvY3MtdW5peC00Iiwic3ViIjoidXNlcjEyIiwiYXVkIjoiVXNlcnMiLCJpZHAiOiJzcGx1bmsiLCJqdGkiOiJhMWFmYTFhNzQ1Mjg3MzExOTFhYjNlNTk3ODg5YjIwMTNjNTdjYzMwMWUwNmE5Y2Y0ZTg2ZjgyODIxNDRiYTA5IiwiaWF0IjoxNTU2NDkwNDEyLCJleHAiOjAsIm5iciI6MTU1NjQ5MDQxMn0.KQhlN5bdiEPVB_m85VV3CVIA_Ux5CI24AHoer6iElAbGLLPrwvN0ntHsagUFyrhk6edvDofRvG6Z1o5F4NS8Cg]]></s:key>
</s:dict>
</content>
</entry>
</feed>
storage/passwords
https://<host>:<mPort>/services/storage/passwords
Create or update user credentials, or list credentials for all users.
Authorization
The list_storage_passwords capability is required for the GET operation. The edit_storage_passwords capability is required for the POST operation.
Usage details
The password credential is the only part of the user credentials that is stored securely. It is encrypted with a secure key resident on the same server.
GET
List available credentials.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| clear_password | Clear text password. |
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | User name associated with credentials. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/storage/passwords
XML Response
.
.
.
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T13:43:06-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:testuser:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A</id>
<updated>2014-06-30T13:43:06-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">newpwd</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$prTUy3vRWg==</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">testuser</s:key>
</s:dict>
</content>
</entry>
POST
Create/update new credentials.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. Credentials username. |
| password | String | Required. Credentials user password. |
| realm | String | Credentials realm. |
Response keys
| Name | Description |
|---|---|
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | Username associated with credentials. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords -d name=user1 -d password=changeme2
XML Response
.
.
.
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T13:51:44-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:user1:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
<updated>2014-06-30T13:51:44-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">changeme2</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">user1</s:key>
</s:dict>
</content>
</entry>
storage/passwords/{name}
https://<host>:<mPort>/services/storage/passwords/<name>
Update, delete, or list credentials for the {name} user.
Authorization
The edit_storage_passwords capability is required for the DELETE and POST operations. The list_storage_passwords capability is required for the GET operation.
DELETE
Delete the specified user credentials.
Usage details
The {name} portion of the URL must be bounded by the colon ( : ) symbol as in this example.
/services/storage/passwords/:uname:
Request parameters
None
Response keys
Returns a list of the remaining credentials in the {name} namespace.
Example request and response
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/servicesNS/nobody/search/storage/passwords/:user1:
XML Response
<title>passwords</title> <id>https://localhost:8089/services/storage/passwords</id> <updated>2014-06-30T14:21:11-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/storage/passwords/_new" rel="create"/> <link href="/services/storage/passwords/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/>
GET
Access the specified user credentials.
Request parameters
None
Response keys
| Name | Description |
|---|---|
| clear_password | Clear text password. |
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | User name associated with credentials. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/user1
XML Response
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T14:06:04-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:user1:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
<updated>2014-06-30T14:06:04-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">changeme2</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>password</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">user1</s:key>
</s:dict>
</content>
</entry>
POST
Update the specified user credentials.
Request parameters
| Name | Type | Description |
|---|---|---|
| password | String | User password credential. |
Response keys
| Name | Description |
|---|---|
| clear_password | Clear text password. |
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | User name associated with credentials. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/splunker -d password=changemeAgain
XML Response
.
.
.
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T14:13:57-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:user1:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
<updated>2014-06-30T14:13:57-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">changemeAgain</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$q7nC1WvQY/p0UtMdIVM=</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">user1</s:key>
</s:dict>
</content>
</entry>
Last modified on 03 June, 2025
| Endpoints reference list | Application endpoint descriptions |
This documentation applies to the following versions of Splunk® Enterprise: 9.3.2, 9.3.3, 9.3.4, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!