Splunk® Enterprise

REST API Reference Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Application endpoint examples

apps/appinstall POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/appinstall/ -d name=c:/tmp/splunk-dashboard-examples_50.tgz
XML Response
.
.
.
 <title></title>
 <id>https://localhost:8089/services/apps/appinstall</id>
 <updated>2014-07-01T09:44:41-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/appinstall/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>dashboard_examples</title>
   <id>https://localhost:8089/services/apps/appinstall/dashboard_examples</id>
   <updated>2014-07-01T09:44:41-07:00</updated>
   <link href="/services/apps/appinstall/dashboard_examples" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/appinstall/dashboard_examples" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="location">C:\Program Files\Splunk\etc\apps\dashboard_examples</s:key>
       <s:key name="name">dashboard_examples</s:key>
       <s:key name="source_location">c:/tmp/splunk-dashboard-examples_50.tgz</s:key>
       <s:key name="status">installed</s:key>
     </s:dict>
   </content>
 </entry>

apps/apptemplates GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates
XML Response
.
.
.
<title></title>
 <id>https://localhost:8089/services/apps/apptemplates</id>
 <updated>2014-07-01T09:50:36-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>barebones</title>
   <id>https://localhost:8089/services/apps/apptemplates/barebones</id>
   <updated>2014-07-01T09:50:36-07:00</updated>
   <link href="/services/apps/apptemplates/barebones" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/barebones" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>sample_app</title>
   <id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
   <updated>2014-07-01T09:50:36-07:00</updated>
   <link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/sample_app" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>

apps/apptemplates/{name} GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates/sample_app
XML Response
.
.
.
 <title></title>
 <id>https://localhost:8089/services/apps/apptemplates</id>
 <updated>2014-07-01T09:54:23-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>sample_app</title>
   <id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
   <updated>2014-07-01T09:54:23-07:00</updated>
   <link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/apptemplates/sample_app" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="lol">wut</s:key>
     </s:dict>
   </content>
 </entry>

apps/local GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local


XML Response
<title>localapps</title>
  <id>https://localhost:17001/services/apps/local</id>
  <updated>2015-10-13T17:53:03-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
  <name>Splunk</name>
  </author>
  <link href="/services/apps/local/_new" rel="create"/>
  <link href="/services/apps/local/_reload" rel="_reload"/>
  <link href="/services/apps/local/_acl" rel="_acl"/>
  <opensearch:totalResults>16</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>alert_logevent</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/alert_logevent</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent/disable" rel="disable"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_logevent/package" rel="package"/>
<content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Log Event Alert Action</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
           <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Log Event Alert Action</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">6.4.0</s:key>
        <s:key name="visible">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>alert_webhook</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/alert_webhook</id>
<updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook/disable" rel="disable"/>
    <link href="/servicesNS/nobody/system/apps/local/alert_webhook/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Webhook Alert Action</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Webhook Alert Action</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">6.4.0</s:key>
        <s:key name="visible">0</s:key>
      </s:dict>
    </content>
  </entry>
<entry>
    <title>appsbrowser</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/appsbrowser</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/appsbrowser/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Browse apps available to install.</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Apps Browser</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">0</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">6.4.0</s:key>
        <s:key name="visible">1</s:key>
      </s:dict>
    </content>
  </entry>
 <entry>
    <title>framework</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/framework</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/framework/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/framework" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/framework/disable" rel="disable"/>
    <link href="/servicesNS/nobody/system/apps/local/framework/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">0</s:key>
        <s:key name="core">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">framework</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="visible">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>gettingstarted</title>
    <id>https://localhost:17001/servicesNS/nobody/system/apps/local/gettingstarted</id>
    <updated>2015-10-13T17:53:03-07:00</updated>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="list"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="edit"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="remove"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted/enable" rel="enable"/>
    <link href="/servicesNS/nobody/system/apps/local/gettingstarted/package" rel="package"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="author">Splunk</s:key>
        <s:key name="check_for_updates">1</s:key>
        <s:key name="configured">1</s:key>
        <s:key name="core">1</s:key>
        <s:key name="description">Get started with Splunk.  This app introduces you to many of Splunk's features.  You'll learn how to use Splunk to index data, search and investigate, add knowledge, monitor and alert, report and analyze.</s:key>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="label">Getting started</s:key>
        <s:key name="managed_by_deployment_client">0</s:key>
        <s:key name="show_in_nav">1</s:key>
        <s:key name="state_change_requires_restart">0</s:key>
        <s:key name="version">1.0</s:key>
        <s:key name="visible">1</s:key>
      </s:dict>
    </content>
  </entry>
.
.
.

apps/local POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local -d name=restDemo
XML Response
<title></title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:09:37-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>restDemo</title>
   <id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
   <updated>2014-07-01T10:09:37-07:00</updated>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="author"></s:key>
       <s:key name="check_for_updates">1</s:key>
       <s:key name="configured">0</s:key>
       <s:key name="description"></s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">0</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="label">restDemo</s:key>
       <s:key name="name">restDemo</s:key>
       <s:key name="state_change_requires_restart">0</s:key>
       <s:key name="version">1.0</s:key>
       <s:key name="visible">1</s:key>
     </s:dict>
   </content>
 </entry>

apps/local/{name} DELETE

XML
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/apps/local/sample_app
XML Response
.
.
.
 <title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-15T10:24:35-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages>
   <s:msg type="INFO">Restart required by: indexes</s:msg>
 </s:messages>

apps/local/{name} GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/dashboard_examples
XML Response
.
.
.
<title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:23:46-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>dashboard_examples</title>
   <id>https://localhost:8089/servicesNS/nobody/system/apps/local/dashboard_examples</id>
   <updated>2014-07-01T10:23:46-07:00</updated>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="list"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="edit"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="remove"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/disable" rel="disable"/>
   <link href="/servicesNS/nobody/system/apps/local/dashboard_examples/package" rel="package"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="author">Splunk, Inc.</s:key>
       <s:key name="check_for_updates">1</s:key>
       <s:key name="configured">0</s:key>
       <s:key name="description"><![CDATA[Example dashboards, forms, and views for Splunk 5+. This is the succesor app to UI Examples 4.1+. Splunk Dashboard Examples contains over 50 examples updated for Splunk 5. Each example contains inline documenation to help get you started building Splunk dashboards.]]></s:key>
       <s:key name="details">https://splunkbase.splunk.com/apps/id/dashboard_examples</s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">0</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>author</s:item>
               <s:item>check_for_updates</s:item>
               <s:item>configured</s:item>
               <s:item>description</s:item>
               <s:item>label</s:item>
               <s:item>version</s:item>
               <s:item>visible</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="label">Splunk Dashboard Examples</s:key>
       <s:key name="state_change_requires_restart">0</s:key>
       <s:key name="version">5.0</s:key>
       <s:key name="visible">1</s:key>
     </s:dict>
   </content>
 </entry>

apps/local/{name} POST

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo -d version=1.1
XML Response
.
.
.
<title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:28:35-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>restDemo</title>
   <id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
   <updated>2014-07-01T10:28:35-07:00</updated>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo" rel="remove"/>
   <link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="author"></s:key>
       <s:key name="check_for_updates">1</s:key>
       <s:key name="configured">0</s:key>
       <s:key name="description"></s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">system</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">0</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">nobody</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="label">restDemo</s:key>
       <s:key name="state_change_requires_restart">0</s:key>
       <s:key name="version">1.1</s:key>
       <s:key name="visible">1</s:key>
     </s:dict>
   </content>
 </entry>

apps/local/{name}/package GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo/package
XML Response
.
.
.
 <title></title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-01T10:46:43-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>Package</title>
   <id>https://localhost:8089/services/apps/local/Package</id>
   <updated>2014-07-01T10:46:43-07:00</updated>
   <link href="/services/apps/local/Package" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/local/Package/setup" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="name">restDemo</s:key>
       <s:key name="path">C:\Program Files\Splunk\etc\system\static\app-packages\restDemo.spl</s:key>
       <s:key name="url">https://ghartsell-t420s:8089/static/app-packages/restDemo.spl</s:key>
     </s:dict>
   </content>
 </entry>

apps/local/{name}/setup GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/unix/setup
XML Response
.
.
.
 <title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2011-07-13T11:24:35-07:00</updated>
 <generator version="102824"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>unix</title>
   <id>https://localhost:8089/servicesNS/nobody/unix/apps/local/unix</id>
   <updated>2011-07-13T11:24:35-07:00</updated>
   <link href="/servicesNS/nobody/unix/apps/local/unix" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/unix/apps/local/unix/setup" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/enabled">1</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fcpu.sh/interval">30</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fdf.sh/enabled">1</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fdf.sh/interval">300</s:key>
       ... elided ...
       <s:key name="/admin/script/.%252Fbin%252Fwho.sh/enabled">1</s:key>
       <s:key name="/admin/script/.%252Fbin%252Fwho.sh/interval">150</s:key>
       ... eai:acl element elided ...
       ... eai:attributes element elided ...
       <s:key name="eai:setup">
<![CDATA[<?xml version="1.0" encoding="UTF-8"?> <SetupInfo> <block title="Welcome to the Splunk for nix App"> <text>The Splunk for nix app provides some sample searches and reports to boot-strap your use of Splunk for Unix host management. To work, it needs certain inputs enabled. These system metrics drive the sample dashboards. Please review and confirm the inputs below before proceeding.</text> </block> <block title="CPU Stats (sar / mpstat / etc.)" endpoint="admin/script" entity=".%252Fbin%252Fcpu.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Fcpu.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Fcpu.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block>

. . .

<block title="Time Query (date, ntpdate -q)" endpoint="admin/script" entity=".%252Fbin%252Ftime.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Ftime.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Ftime.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Linux Audit Log (/var/log/audit/audit.log | ausearch)" endpoint="admin/script" entity=".%252Fbin%252Frlog.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Frlog.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Frlog.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Warning"> <text>Submitting this form can take a long time. Please be patient and wait for it to complete before navigating away from this page.</text> </block> </SetupInfo> ]]> </s:key>

     </s:dict>
   </content>
 </entry>

apps/local/{name}/update GET

XML
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/gettingstarted/update
XML Response
.
.
.
 <title>localapps</title>
 <id>https://localhost:8089/services/apps/local</id>
 <updated>2014-07-15T10:34:13-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/apps/local/_new" rel="create"/>
 <link href="/services/apps/local/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>gettingstarted</title>
   <id>https://localhost:8089/services/apps/local/gettingstarted</id>
   <updated>2014-07-15T10:34:13-07:00</updated>
   <link href="/services/apps/local/gettingstarted" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/apps/local/gettingstarted" rel="list"/>
   <link href="/services/apps/local/gettingstarted/_reload" rel="_reload"/>
   <link href="/services/apps/local/gettingstarted" rel="edit"/>
   <link href="/services/apps/local/gettingstarted" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
Last modified on 21 April, 2017
PREVIOUS
Application endpoint descriptions 		  NEXT
Cluster endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters