Introspection endpoint descriptions

Access server and instance information.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud limitations

If you have a managed Splunk Cloud deployment with search head clustering and index clustering, the REST API supports access to the search head only. You can use the REST API to interact with the search head in your deployment. Using the REST API to access any other cluster member nodes is not supported. For example, introspection endpoints are not applicable to Splunk Cloud deployments.

data/index-volumes

https://<host>:<mPort>/services/data/index-volumes

Get information about the volume (logical drives) in use by the Splunk deployment.

GET

List the Splunk deployment volumes.

Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the following file.

$SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf

At least one observation period must pass after Splunk software startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name	Description
max_size	Maximum name volume size limit (MB): `infinite` = No maximum specified.
name	Volume name
total_size	Total name volume capacity (MB). If max_size is `infinite`, this field is not listed.

Example request and response

XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes

XML Response

...
<title>introspection--disk-objects--volumes</title>
 <id>https://localhost:8089/services/data/index-volumes</id>
 <updated>2014-03-25T14:41:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_splunk_summaries</title>
   <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
   <updated>2014-03-25T14:41:09-07:00</updated>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="max_size">infinite</s:key>
       <s:key name="name">_splunk_summaries</s:key>
     </s:dict>
   </content>
 </entry>

data/index-volumes/{name}

https://<host>:<mPort>/services/data/index-volumes/{name}

Get information about the {name} volume (logical drive).

GET

List {name} volume properties.

Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the following file.

$SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf

At least one observation period must pass after Splunk software startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name	Description
max_size	Maximum name volume size limit (MB). `infinite` = No maximum specified (i.e., 0, the default)
name	Volume name.
total_size	Total name volume capacity (MB). If max_size is `infinite`, this field is not listed.

Example request and response

XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes/_splunk_summaries

XML Response

...
 <title>introspection--disk-objects--volumes</title>
 <id>https://localhost:8089/services/data/index-volumes</id>
 <updated>2014-03-27T14:35:26-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_splunk_summaries</title>
   <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
   <updated>2014-03-27T14:35:26-07:00</updated>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="max_size">infinite</s:key>
       <s:key name="name">_splunk_summaries</s:key>
     </s:dict>
   </content>
 </entry>

data/indexes

https://<host>:<mPort>/services/data/indexes

Create and manage data indexes.

Authorization and authentication
By default, all users can list all indexes. However, if the indexes_list_all capability is enabled in authorize.conf, access to all indexes is limited to only those roles with this capability.

To enable indexes_list_all capability restrictions on the data/indexes endpoint, create a [capability::indexes_list_all] stanza in authorize.conf. Specify indexes_list_all=enabled for any role permitted to list all indexes from this endpoint.

For more information, see the authorize.conf spec file in the Admin Manual.

GET

List the recognized indexes on the server.

Request parameters
Pagination and filtering parameters can be used with this method.

Name	Type	Default	Description
datatype	String	event	Valid values: (all \| event \| metric). Specifies the type of index.

Returned values

Name	Description
assureUTF8	Indicates whether all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance. This is a global setting, not a per index setting.
blockSignSize	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
blockSignatureDatabase	The index that stores block signatures of events. This is a global setting, not a per index setting.
coldPath	Filepath to the cold databases for the index.
coldPath_expanded	Absoute filepath to the cold databases.
coldToFrozenDir	Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, unzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.
coldToFrozenScript	Path to the archiving script. See the POST parameter description for details.
compressRawdata	This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB	Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
datatype	The type of index (event \| metric).
defaultDatabase	If no index destination information is available in the input data, the index shown here is the destination of such data.
disabled	Indicates if the index is disabled.
enableRealtimeSearch	Indicates if this is a real-time search. This is a global setting, not a per index setting.
frozenTimePeriodInSecs	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	An absolute path that contains the hot and warm buckets for the index.
homePath_expanded	An absolute filepath to the hot and warm buckets for the index.
indexThreads	Number of threads used for indexing. This is a global setting, not a per index setting.
isInternal	Indicates if this is an internal index (for example, _internal, _audit).
isReady	Indicates if the index is properly initialized.
lastInitTime	Last time the index processor was successfully initialized. This is a global setting, not a per index setting.
maxConcurrentOptimizes	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time). If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.
maxHotSpanSecs	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	The amount of memory, in MB, allocated for indexing. This is a global setting, not a per index setting.
maxMetaEntries	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxRunningProcessGroups	Maximum number of processes that the indexer fires off at a time. This is a global setting, not a per index setting.
maxTime	ISO8601 timestamp of the newest event time in the index.
maxTotalDataSizeMB	The maximum size of an index, in MB.
maxWarmDBCount	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB	Determines how much memory is given to the indexer memory pool. This is a global setting, not a per-index setting.
minRawFileSyncSecs	Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minTime	ISO8601 timestamp of the oldest event time in the index.
partialServiceMetaPeriod	Related to serviceMetaPeriod. By default it is turned off (zero). If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.
quarantineFutureSecs	Events with timestamp of `quarantineFutureSecs` newer than "now" that are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.
rotatePeriodInSecs	Rotation period, in seconds, that specifies how frequently to check: If a new hot bucket needs to be created. If there are any cold buckets that should be frozen. If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
summarize	If true, leaves out certain index details, which provides a faster response.
suppressBannerList	List of indexes for which we suppress "index missing" warning banner messages. This is a global setting, not a per index setting.
sync	Specifies the number of events that trigger the indexer to sync events. This is a global setting, not a per index setting.
syncMeta	When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of Splunk Support.
thawedPath	An absolute path that contains the thawed (resurrected) databases for the index.
thawedPath_expanded	Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
totalEventCount	Total number of events in the index.
tsidxDedupPostingsListMaxTermsLimit	This setting is valid only when `tsidxWritingLevel` is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates. Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with `tsidxTargetSizeMB` over 1500MB can contain a large number of terms with identical postings lists. Reducing this limit helps conserve memory consumed by optimization processes, at the cost of reduced tsidx compression. Set this limit to 0 to disable deduplicated postings list compression. This setting cannot exceed 1,073,741,824 (2³⁰). Defaults to 8,388,608 (2²³).

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/data/indexes

XML Response

.
.
.
<title>indexes</title>
 <id>https://localhost:8089/services/data/indexes</id>
 <updated>2011-07-11T18:09:22-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/indexes/_new" rel="create"/>
 <link href="/services/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/indexes/_audit</id>
   <updated>2011-07-11T18:09:22-07:00</updated>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="list"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/indexes/_audit/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/audit/colddb</s:key>
       <s:key name="coldPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/colddb</s:key>
       <s:key name="coldToFrozenDir"/>
       <s:key name="coldToFrozenScript"/>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="datatype">event</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="disabled">0</s:key>
          ... eai:acl element elided ...
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/audit/db</s:key>
       <s:key name="homePath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">1</s:key>
       <s:key name="lastInitTime">1310432962.424512</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxRunningProcessGroups">20</s:key>
       <s:key name="maxTime">2011-07-10T22:20:53-0700</s:key>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime">2011-07-10T14:33:00-0700</s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"/>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/audit/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">230</s:key>
     </s:dict>
   </content>
 </entry>

POST

Create a new index.

Request parameters

Name	Type	Default	Description
blockSignSize	Number	0	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint	String	auto	Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, `auto`, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath	String		An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching. May be defined in terms of a volume definition (see volume section below). Required. Splunk software does not start if an index lacks a valid coldPath.
coldToFrozenDir	String		Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript	String		Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs. If your new script in bin/ is named myColdToFrozen.py, set this key to the following: `coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"` By default, the example script has two possible behaviors when archiving: For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type `splunk rebuild .`, then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets. For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index
compressRawdata	Boolean	true	This parameter is ignored. The splunkd process always compresses raw data.
datatype	String	event	Valid values: (event \| metric). Specifies the type of index.
enableOnlineBucketRepair	Boolean	true	Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs	Number	188697600	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	String		An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge	Number	30d	Valid values are: Integer[m\|s\|h\|d] If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters. For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.
maxConcurrentOptimizes	Number	6	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	Number	auto	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Number	3	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Number	0	Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs	Number	7776000	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	Number	5	The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments. IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.
maxMetaEntries	Number	1000000	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the `punct` field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxTimeUnreplicatedNoAcks	Number	300	Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing.
maxTimeUnreplicatedWithAcks	Number	60	Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMB	Number	500000	The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDBCount	Number	300	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs	Number	disable	Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed
minStreamGroupQueueSize	Number	2000	Minimum size of the queue that stores events in memory before committing them to a tsidx file. Caution: Do not set this value, except under advice from Splunk Support.
name required	String		The name of the index to create.
partialServiceMetaPeriod	Number	0	Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. `partialServiceMetaPeriod` specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval	Number	1	Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs	Number	2592000	Events with timestamp of `quarantineFutureSecs` newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Number	77760000	Events with timestamp of `quarantinePastSecs` older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Number	131072	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, `rawChunkSizeBytes` is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.
repFactor	String	0	Index replication control. This parameter applies to only clustering slaves. `auto` = Use the master index replication configuration value. `0` = Turn off replication for this index.
rotatePeriodInSecs	Number	60	How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod	Number	25	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta	Boolean	true	When `true`, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of a Splunk Support.
thawedPath	String		An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid `thawedPath`.
throttleCheckPeriod	Number	15	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
tstatsHomePath	String		Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition. Caution: Path must be writable. Default value: volume:_splunk_summaries/$_index_name/tstats
warmToColdScript	String		Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting. Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used.

Returned values

Name	Description
assureUTF8	Boolean value indicating wheter all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance Can only be set globally.
blockSignSize	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
blockSignatureDatabase	The index that stores block signatures of events. This is a global setting, not a per index setting.
bucketRebuildMemoryHint	Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.
coldPath	Filepath to the cold databases for the index.
coldPath_expanded	Absoute filepath to the cold databases.
coldToFrozenDir	Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, unzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.
coldToFrozenScript	Path to the archiving script. See the POST parameter description for details.
compressRawdata	This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB	Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
datatype	The type of index (event \| metric).
defaultDatabase	If no index destination information is available in the input data, the index shown here is the destination of such data.
enableOnlineBucketRepair	Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk software.
enableRealtimeSearch	Indicates if this is a real-time search. This is a global setting, not a per index setting.
frozenTimePeriodInSecs	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	An absolute path that contains the hot and warm buckets for the index.
homePath_expanded	An absolute filepath to the hot and warm buckets for the index.
indexThreads	Number of threads used for indexing. This is a global setting, not a per index setting.
isInternal	Indicates if this is an internal index (for example, _internal, _audit).
isReady	Indicates if an index is properly initialized.
lastInitTime	Last time the index processor was successfully initialized. This is a global setting, not a per index setting.
maxBloomBackfillBucketAge	If a bucket (warm or cold) is older than this, Splunk software does not create (or re-create) its bloom filter.
maxConcurrentOptimizes	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time). If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.
maxHotSpanSecs	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	The amount of memory, in MB, allocated for indexing. This is a global setting, not a per index setting.
maxMetaEntries	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxTime	ISO8601 timestamp of the newest event time in the index.
maxTimeUnreplicatedNoAcks	Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing.
maxTimeUnreplicatedWithAcks	Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMB	The maximum size of an index, in MB.
maxWarmDBCount	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB	Determines how much memory is given to the indexer memory pool. This is a global setting, not a per-index setting.
minRawFileSyncSecs	Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize	Minimum size of the queue that stores events in memory before committing them to a tsidx file.
minTime	ISO8601 timestamp of the oldest event time in the index.
partialServiceMetaPeriod	Related to serviceMetaPeriod. By default it is turned off (zero). If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.
processTrackerServiceInterval	How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests.
quarantineFutureSecs	Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.
repFactor	Index replication control. This parameter applies to only clustering slaves. `auto` = Use the master index replication configuration value. `0` = Turn off replication for this index.
rotatePeriodInSecs	Rotation period, in seconds, that specifies how frequently to check: If a new hot bucket needs to be created. If there are any cold buckets that should be frozen. If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
suppressBannerList	List of indexes for which we suppress "index missing" warning banner messages. This is a global setting, not a per index setting.
sync	Specifies the number of events that trigger the indexer to sync events. This is a global setting, not a per index setting.
syncMeta	When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of Splunk Support.
thawedPath	Filepath to the thawed (resurrected) databases for the index.
thawedPath_expanded	Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
totalEventCount	Total number of events in the index.
tsidxDedupPostingsListMaxTermsLimit	This setting is valid only when `tsidxWritingLevel` is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates. Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with `tsidxTargetSizeMB` over 1500MB can contain a large number of terms with identical postings lists. Reducing this limit helps conserve memory consumed by optimization processes, at the cost of reduced tsidx compression. Set this limit to 0 to disable deduplicated postings list compression. This setting cannot exceed 1,073,741,824 (2³⁰). Defaults to 8,388,608 (2²³).
tstatsHomePath	Location where datamodel acceleration TSIDX data for this index is stored.
warmToColdScript	Script to run when moving data from warm to cold. See input parameter description for details.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/indexes -d name=Shadow

XML Response

...
 <title>indexes</title>
 <id>https://localhost:8089/servicesNS/admin/search/data/indexes</id>
 <updated>2011-05-13T13:09:27-07:00</updated>
 <generator version="98392"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/admin/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/admin/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-05-13T13:09:27-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/Applications/splunk/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"></s:key>
       <s:key name="coldToFrozenScript"></s:key>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="datatype">event</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="eai:acl">. . .</s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/Applications/splunk/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1305317367.331268</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxTime"></s:key>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"></s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"></s:key>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/Applications/splunk/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>

data/indexes/{name}

https://<host>:<mPort>/services/data/indexes/{name}

Access, update, or delete the {name} index.

DELETE

Removes the {name} index and the data contained in it.

Usage details
Before executing this operation, look through all inputs.conf files (on the indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index that you plan to delete.

For example, if you want to delete an index called nogood, make sure the attribute/value pair index=nogood does not appear in any input stanzas. Once the index is deleted, Splunk software discards any data sent to that index.

The method returns HTTP status code409 if the {name} index was disabled but Splunk Enterprise was not restarted. Restart Splunk Enterprise and try again.

For information on deleting indexes and deleting data from indexes, refer to Remove indexes and indexed data in Managing Indexers and Clusters of Indexers.

Request parameters
None

Returned values
None

Example request and response

XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/indexes/shadow

XML Response

.
.
.
  <title>indexes</title>
 <id>https://localhost:8089/services/data/indexes</id>
 <updated>2012-08-02T11:10:16-07:00</updated>
 <generator build="131547" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/indexes/_new" rel="create"/>
 <link href="/services/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>

GET

Access information about the {name} index.

Request parameters

Name	Type	Default	Description
summarize	Boolean	`false`	[Optional] Response type: `true` = Summarized response, omitting some index details, providing a faster response. `false` = full response.

Returned values

Name	Description
assureUTF8	Indicates whether all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance. This is a global setting, not a per index setting.
blockSignSize	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
blockSignatureDatabase	The index that stores block signatures of events. This is a global setting, not a per index setting.
bloomfilterTotalSizeKB	Total size of all bloom filter files, in KB.
coldPath	Filepath to the cold databases for the index.
coldPath_expanded	Absoute filepath to the cold databases.
coldToFrozenDir	Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, unzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.
coldToFrozenScript	Path to the archiving script. See the POST parameter description for details.
compressRawdata	This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB	Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
defaultDatabase	If no index destination information is available in the input data, the index shown here is the destination of such data.
disabled	Indicates if the index is disabled.
enableRealtimeSearch	Indicates if this is a real-time search. This is a global setting, not a per index setting.
frozenTimePeriodInSecs	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	An absolute path that contains the hot and warm buckets for the index.
homePath_expanded	An absolute filepath to the hot and warm buckets for the index.
indexThreads	Number of threads used for indexing. This is a global setting, not a per index setting.
isInternal	Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime	Last time the index processor was successfully initialized. This is a global setting, not a per index setting.
maxConcurrentOptimizes	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time). If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.
maxHotSpanSecs	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	The amount of memory, in MB, allocated for indexing. This is a global setting, not a per index setting.
maxMetaEntries	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxRunningProcessGroups	Maximum number of processes that the indexer fires off at a time. This is a global setting, not a per index setting.
maxTime	UNIX timestamp of the newest event time in the index.
maxTotalDataSizeMB	The maximum size of an index, in MB.
maxWarmDBCount	Maximum number of warm buckets.
memPoolMB	Determines how much memory is given to the indexer memory pool. This is a global setting, not a per-index setting.
minRawFileSyncSecs	Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minTime	UNIX timestamp of the oldest event time in the index.
numBloomfilters	The number of bloom filters created for this index.
numHotBuckets	The number of hot buckets created for this index.
numWarmBuckets	The number of warm buckets created for this index.
partialServiceMetaPeriod	Related to serviceMetaPeriod. By default it is turned off (zero). If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.
quarantineFutureSecs	Events with timestamp of `quarantineFutureSecs` newer than "now" that are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.
rotatePeriodInSecs	Rotation period, in seconds, that specifies how frequently to check: If a new hot bucket needs to be created. If there are any cold buckets that should be frozen. If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
summarize	If true, leaves out certain index details, which provides a faster response.
suppressBannerList	List of indexes for which we suppress "index missing" warning banner messages. This is a global setting, not a per index setting.
sync	Specifies the number of events that trigger the indexer to sync events. This is a global setting, not a per index setting.
syncMeta	When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of Splunk Support.
thawedPath	An absolute path that contains the thawed (resurrected) databases for the index.
thawedPath_expanded	Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
totalEventCount	Total number of events in the index.
tsidxDedupPostingsListMaxTermsLimit	This setting is valid only when `tsidxWritingLevel` is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates. Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with `tsidxTargetSizeMB` over 1500MB can contain a large number of terms with identical postings lists. Reducing this limit helps conserve memory consumed by optimization processes, at the cost of reduced tsidx compression. Set this limit to 0 to disable deduplicated postings list compression. This setting cannot exceed 1,073,741,824 (2³⁰). Defaults to 8,388,608 (2²³).

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow

XML Response

...
 <title>indexes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
 <updated>2011-08-01T12:25:34-07:00</updated>
 <generator version="105103"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-08-01T11:47:55-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="bloomfilterTotalSizeKB">0</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"/>
       <s:key name="coldToFrozenScript"/>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="disabled">0</s:key>
          ...eai:acl element elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>assureUTF8</s:item>
               <s:item>blockSignSize</s:item>
               <s:item>coldToFrozenDir</s:item>
               <s:item>coldToFrozenScript</s:item>
               <s:item>compressRawdata</s:item>
               <s:item>frozenTimePeriodInSecs</s:item>
               <s:item>maxConcurrentOptimizes</s:item>
               <s:item>maxDataSize</s:item>
               <s:item>maxHotBuckets</s:item>
               <s:item>maxHotIdleSecs</s:item>
               <s:item>maxHotSpanSecs</s:item>
               <s:item>maxMemMB</s:item>
               <s:item>maxMetaEntries</s:item>
               <s:item>maxRunningProcessGroups</s:item>
               <s:item>maxTotalDataSizeMB</s:item>
               <s:item>maxWarmDBCount</s:item>
               <s:item>minRawFileSyncSecs</s:item>
               <s:item>partialServiceMetaPeriod</s:item>
               <s:item>quarantineFutureSecs</s:item>
               <s:item>quarantinePastSecs</s:item>
               <s:item>rawChunkSizeBytes</s:item>
               <s:item>rotatePeriodInSecs</s:item>
               <s:item>serviceMetaPeriod</s:item>
               <s:item>suppressBannerList</s:item>
               <s:item>syncMeta</s:item>
               <s:item>throttleCheckPeriod</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1312226552.102920</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxRunningProcessGroups">20</s:key>
       <s:key name="maxTime"/>
       <s:key name="maxTotalDataSizeMB">500000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"/>
       <s:key name="numBloomfilters">0</s:key>
       <s:key name="numHotBuckets">0</s:key>
       <s:key name="numWarmBuckets">0</s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"/>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>

POST

Updates the {name} index.

Request parameters

Name	Type	Default	Description
blockSignSize	Number	0	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint	String	auto	Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, `auto`, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldToFrozenDir	String		Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript	String		Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs. If your new script in bin/ is named myColdToFrozen.py, set this key to the following: `coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"` By default, the example script has two possible behaviors when archiving: For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type `splunk rebuild .`, then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets. For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index
compressRawdata	Boolean	true	This parameter is ignored. The splunkd process always compresses raw data.
enableOnlineBucketRepair	Boolean	true	Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start Splunk Enterprise. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs	Number	188697600	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
maxBloomBackfillBucketAge	Number	30d	Valid values are: Integer[m\|s\|h\|d] If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters. For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.
maxConcurrentOptimizes	Number	6	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	Number	auto	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Number	3	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Number	0	Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs	Number	7776000	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	Number	5	The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments. IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.
maxMetaEntries	Number	1000000	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the `punct` field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxTimeUnreplicatedNoAcks	Number	300	Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing.
maxTimeUnreplicatedWithAcks	Number	60	Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMB	Number	500000	The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDBCount	Number	300	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
minRawFileSyncSecs	Number	disable	Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed
minStreamGroupQueueSize	Number	2000	Minimum size of the queue that stores events in memory before committing them to a tsidx file. Caution: Do not set this value, except under advice from Splunk Support.
partialServiceMetaPeriod	Number	0	Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. `partialServiceMetaPeriod` specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval	Number	1	Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs	Number	2592000	Events with timestamp of `quarantineFutureSecs` newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Number	77760000	Events with timestamp of `quarantinePastSecs` older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Number	131072	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, `rawChunkSizeBytes` is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.
repFactor	String	0	Index replication control. This parameter applies to only clustering slaves. `auto` = Use the master index replication configuration value. `0` = Turn off replication for this index.
rotatePeriodInSecs	Number	60	How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod	Number	25	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta	Boolean	true	When `true`, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of a Splunk Support.
throttleCheckPeriod	Number	15	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
tstatsHomePath	String		Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition. Caution: Path must be writable. Default value: volume:_splunk_summaries/$_index_name/tstats
warmToColdScript	String		Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting. Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration are not used.

Returned values

Name	Description
assureUTF8	Boolean value indicating wheter all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance Can only be set globally.
blockSignSize	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
blockSignatureDatabase	The index that stores block signatures of events. This is a global setting, not a per index setting.
bucketRebuildMemoryHint	Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.
coldPath	Filepath to the cold databases for the index.
coldPath_expanded	Absoute filepath to the cold databases.
coldToFrozenDir	Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.
coldToFrozenScript	Path to the archiving script. See the POST parameter description for details.
compressRawdata	This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB	Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
defaultDatabase	If no index destination information is available in the input data, the index shown here is the destination of such data.
enableOnlineBucketRepair	Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk software.
enableRealtimeSearch	Indicates if this is a real-time search. This is a global setting, not a per index setting.
frozenTimePeriodInSecs	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	An absolute path that contains the hot and warm buckets for the index.
homePath_expanded	An absolute filepath to the hot and warm buckets for the index.
indexThreads	Number of threads used for indexing. This is a global setting, not a per index setting.
isInternal	Indicates if this is an internal index (for example, _internal, _audit).
lastInitTime	Last time the index processor was successfully initialized. This is a global setting, not a per index setting.
maxBloomBackfillBucketAge	If a bucket (warm or cold) is older than this, Splunk Enterprise does not create (or re-create) its bloom filter.
maxConcurrentOptimizes	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time). If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.
maxHotSpanSecs	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	The amount of memory, in MB, allocated for indexing. This is a global setting, not a per index setting.
maxMetaEntries	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxTime	UNIX timestamp of the newest event time in the index.
maxTimeUnreplicatedNoAcks	Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing.
maxTimeUnreplicatedWithAcks	Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMB	The maximum size of an index, in MB.
maxWarmDBCount	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB	Determines how much memory is given to the indexer memory pool. This is a global setting, not a per-index setting.
minRawFileSyncSecs	Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize	Minimum size of the queue that stores events in memory before committing them to a tsidx file.
minTime	UNIX timestamp of the oldest event time in the index.
partialServiceMetaPeriod	Related to serviceMetaPeriod. By default it is turned off (zero). If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.
processTrackerServiceInterval	How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests.
quarantineFutureSecs	Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.
repFactor	Index replication control. This parameter applies to only clustering slaves. `auto` = Use the master index replication configuration value. `0` = Turn off replication for this index.
rotatePeriodInSecs	Rotation period, in seconds, that specifies how frequently to check: If a new hot bucket needs to be created. If there are any cold buckets that should be frozen. If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
suppressBannerList	List of indexes for which we suppress "index missing" warning banner messages. This is a global setting, not a per index setting.
sync	Specifies the number of events that trigger the indexer to sync events. This is a global setting, not a per index setting.
syncMeta	When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of Splunk Support.
thawedPath	Filepath to the thawed (resurrected) databases for the index.
thawedPath_expanded	Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
totalEventCount	Total number of events in the index.
tsidxDedupPostingsListMaxTermsLimit	This setting is valid only when `tsidxWritingLevel` is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates. Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with `tsidxTargetSizeMB` over 1500MB can contain a large number of terms with identical postings lists. Reducing this limit helps conserve memory consumed by optimization processes, at the cost of reduced tsidx compression. Set this limit to 0 to disable deduplicated postings list compression. This setting cannot exceed 1,073,741,824 (2³⁰). Defaults to 8,388,608 (2²³).
tstatsHomePath	Location where datamodel acceleration TSIDX data for this index is stored.
warmToColdScript	Script to run when moving data from warm to cold. See input parameter description for details.

Example request and response

XML Request

curl -k -u admin:pass -d maxTotalDataSizeMB=400000 https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow

XML Response

...
<title>indexes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
 <updated>2011-05-16T12:20:06-07:00</updated>
 <generator version="98392"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>shadow</title>
   <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
   <updated>2011-05-16T12:18:56-07:00</updated>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="assureUTF8">0</s:key>
       <s:key name="blockSignSize">0</s:key>
       <s:key name="blockSignatureDatabase">_blocksignature</s:key>
       <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
       <s:key name="coldPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/colddb</s:key>
       <s:key name="coldToFrozenDir"></s:key>
       <s:key name="coldToFrozenScript"></s:key>
       <s:key name="compressRawdata">1</s:key>
       <s:key name="currentDBSizeMB">1</s:key>
       <s:key name="defaultDatabase">main</s:key>
       <s:key name="eai:acl">. . .</s:key>
       <s:key name="enableRealtimeSearch">1</s:key>
       <s:key name="frozenTimePeriodInSecs">188697600</s:key>
       <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
       <s:key name="homePath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/db</s:key>
       <s:key name="indexThreads">auto</s:key>
       <s:key name="isInternal">0</s:key>
       <s:key name="lastInitTime">1305573611.118477</s:key>
       <s:key name="maxConcurrentOptimizes">3</s:key>
       <s:key name="maxDataSize">auto</s:key>
       <s:key name="maxHotBuckets">3</s:key>
       <s:key name="maxHotIdleSecs">0</s:key>
       <s:key name="maxHotSpanSecs">7776000</s:key>
       <s:key name="maxMemMB">5</s:key>
       <s:key name="maxMetaEntries">1000000</s:key>
       <s:key name="maxTime"></s:key>
       <s:key name="maxTotalDataSizeMB">400000</s:key>
       <s:key name="maxWarmDBCount">300</s:key>
       <s:key name="memPoolMB">auto</s:key>
       <s:key name="minRawFileSyncSecs">disable</s:key>
       <s:key name="minTime"></s:key>
       <s:key name="partialServiceMetaPeriod">0</s:key>
       <s:key name="quarantineFutureSecs">2592000</s:key>
       <s:key name="quarantinePastSecs">77760000</s:key>
       <s:key name="rawChunkSizeBytes">131072</s:key>
       <s:key name="rotatePeriodInSecs">60</s:key>
       <s:key name="serviceMetaPeriod">25</s:key>
       <s:key name="suppressBannerList"></s:key>
       <s:key name="sync">0</s:key>
       <s:key name="syncMeta">1</s:key>
       <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
       <s:key name="thawedPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/thaweddb</s:key>
       <s:key name="throttleCheckPeriod">15</s:key>
       <s:key name="totalEventCount">0</s:key>
     </s:dict>
   </content>
 </entry>

data/indexes-extended

https://<host>:<mPort>/services/data/indexes-extended

Access index bucket-level information. There are three bucket super-directories per index.

home
cold
thawed

GET

List bucket attributes for all indexes.

Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

Note: At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters

Pagination and filtering parameters can be used with this method.

Name	Type	Default	Description
datatype	String	all	Valid values: (all \| event \| metric). Specifies the type of index.

Returned values

Name Description

bucket_dirs

(If total_size > 0) Lists the following attributes for each index bucket super-directory (home, cold, thawed).

Attribute	Description	home	cold	thawed
bucket_count	Number of buckets.		X	X
event_count	(If size > `0`) Number of events in this bucket super-directory.	X	X	X
event_max_time	(If size > `0`) Highest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called latest time.	X	X	X
event_min_time	(If size > `0`) Lowest time value (Unix epoch seconds) of all events in this bucket super-directory, commonly called earliest time.	X	X	X
hot_bucket_count	(If size > `0`) Number of hot buckets.	X
size	Size (fractional MB) on disk of this bucket super-directory.	X	X	X
warm_bucket_count	(If size > `0`) Number of warm buckets.	X

name Index name.

total_bucket_count (If total_size > 0) Number of index buckets.

total_event_count (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.

total_raw_size (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.

total_size Size (fractional MB) on disk of this index.

Example request and response

XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended

XML Response

...
<title>introspection--disk-objects--indexes</title>
 <id>https://localhost:8089/services/data/indexes-extended</id>
 <updated>2014-03-31T12:41:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
   ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/services/data/indexes-extended/_audit</id>
   <updated>2014-03-31T12:41:09-07:00</updated>
   <link href="/services/data/indexes-extended/_audit" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/_audit" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_dirs">
         <s:dict>
           <s:key name="cold">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
           <s:key name="home">
             <s:dict>
               <s:key name="event_count">6169</s:key>
               <s:key name="event_max_time">1395246673</s:key>
               <s:key name="event_min_time">1394732683</s:key>
               <s:key name="hot_bucket_count">1</s:key>
               <s:key name="size">1.000</s:key>
               <s:key name="warm_bucket_count">5</s:key>
             </s:dict>
           </s:key>
           <s:key name="thawed">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="name">_audit</s:key>
       <s:key name="total_bucket_count">6</s:key>
       <s:key name="total_event_count">18096</s:key>
       <s:key name="total_raw_size">1.000</s:key>
       <s:key name="total_size">1.000</s:key>
     </s:dict>
   </content>
 </entry>
     .
     .
     .
   elided
     .
     .
     .
 <entry>
   <title>summary</title>
   <id>https://localhost:8089/services/data/indexes-extended/summary</id>
   <updated>2014-03-31T12:41:09-07:00</updated>
   <link href="/services/data/indexes-extended/summary" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/summary" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="name">summary</s:key>
       <s:key name="total_size">0.000</s:key>
     </s:dict>
   </content>
 </entry>

data/indexes-extended/{name}

https://<host>:<mPort>/services/data/indexes-extended/{name}

Access bucket-level information for the {name} index. There are three bucket super-directories per index.

home
cold
thawed

GET

Get {name} bucket information.

Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.

Note: At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

Request parameters
None

Returned values

Name Description

bucket_dirs

(If total_size > 0) List the following attributes for each index bucket super-directory (home, cold, thawed) as indicated:

Attribute	Description	home	cold	thawed
bucket_count	Number of buckets.		X	X
event_count	(If size > `0`) Number of events in this bucket super-directory.	X	X	X
event_max_time	(If size > `0`) Highest time value (Unix epoc seconds) of all events in this bucket super-directory, commonly called latest time.	X	X	X
event_min_time	(If size > `0`) Lowest time value (Unix epoc seconds) of all events in this bucket super-directory, commonly called earliest time.	X	X	X
hot_bucket_count	(If size > `0`) Number of hot buckets.	X
size	Size (fractional MB) on disk of this bucket super-directory.	X	X	X
warm_bucket_count	(If size > `0`) Number of warm buckets.	X

name Index name.

total_bucket_count (If total_size > 0) Number of index buckets.

total_event_count (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.

total_raw_size (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.

total_size Size (fractional MB) on disk of this index.

Example request and response

XML Request

curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended/history

XML Response

...
<title>introspection--disk-objects--indexes</title>
 <id>https://localhost:8089/services/data/indexes-extended</id>
 <updated>2014-03-31T12:42:29-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
   ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>_internal</title>
   <id>https://localhost:8089/services/data/indexes-extended/_internal</id>
   <updated>2014-03-31T12:42:29-07:00</updated>
   <link href="/services/data/indexes-extended/_internal" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/indexes-extended/_internal" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_dirs">
         <s:dict>
           <s:key name="cold">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
           <s:key name="home">
             <s:dict>
               <s:key name="event_count">180492</s:key>
               <s:key name="event_max_time">1395246673</s:key>
               <s:key name="event_min_time">1392167582</s:key>
               <s:key name="hot_bucket_count">3</s:key>
               <s:key name="size">9.000</s:key>
               <s:key name="warm_bucket_count">6</s:key>
             </s:dict>
           </s:key>
           <s:key name="thawed">
             <s:dict>
               <s:key name="bucket_count">0</s:key>
               <s:key name="size">0.000</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="name">_internal</s:key>
       <s:key name="total_bucket_count">9</s:key>
       <s:key name="total_event_count">556322</s:key>
       <s:key name="total_raw_size">28.000</s:key>
       <s:key name="total_size">22.000</s:key>
     </s:dict>
   </content>
 </entry>

data/summaries

https://<host>:<mPort>/services/data/summaries

Get disk usage information about all summaries in an indexer.

GET

Gets current summary disk usage information.

Usage details
By default, this information is available five minutes after starting the Splunk deployment. Adjust this availability timing in server.conf.

Request parameters

Name	Description
report_acceleration	Optional. Use `"report_acceleration=1"` to access disk usage by report acceleration summary.
data_model_acceleration	Optional. Use `"data_model_acceleration=1"` to access disk usage by data model acceleration summary.

Pagination and filtering parameters can be used with this method.

Returned values
For each summary, the following values are returned.

Name	Description
name	Summary name.
related_indexes	Lists up to 10 indexes that contribute to this summary.
related_indexes_count	Provides total count of related indexes for this summary.
search_head_guid	GUID for the search head that created the summary data.
total_bucket_count	Number of buckets for this summary.
total_size	Total disk size for this summary, in MB.
type	Summary type, either `"report_acceleration"` or `"data_model_acceleration"`.

Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/data/summaries

XML Response

...
<title>introspection--disk-objects--summaries</title>
  <id>https://localhost:8089/services/data/summaries</id>
  <updated>2015-09-16T16:05:35-07:00</updated>
  <generator build="8a67aa2a9bd9cced535484eb781ded292ae81b7a" version="20150914"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/summaries/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>DM_launcher_mydatamodel</title>
    <id>https://localhost:8089/services/data/summaries/DM_launcher_mydatamodel</id>
    <updated>2015-09-16T16:05:35-07:00</updated>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">DM_launcher_mydatamodel</s:key>
        <s:key name="related_indexes">_internal</s:key>
        <s:key name="related_indexes_count">1</s:key>
        <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key>
        <s:key name="total_bucket_count">13</s:key>
        <s:key name="total_size">2.000</s:key>
        <s:key name="type">data_model_acceleration</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>search_admin_NS13c34e21cf577d62</title>
    <id>https://localhost:8089/services/data/summaries/search_admin_NS13c34e21cf577d62</id>
    <updated>2015-09-16T16:05:35-07:00</updated>
    <link href="/services/data/summaries/search_admin_NS13c34e21cf577d62" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/search_admin_NS13c34e21cf577d62" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">search_admin_NS13c34e21cf577d62</s:key>
        <s:key name="related_indexes">_internal</s:key>
        <s:key name="related_indexes_count">1</s:key>
        <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key>
        <s:key name="total_bucket_count">9</s:key>
        <s:key name="total_size">2.000</s:key>
        <s:key name="type">report_acceleration</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>search_admin_NS6f37597da0cade4c</title>
    <id>https://localhost:8089/services/data/summaries/search_admin_NS6f37597da0cade4c</id>
    <updated>2015-09-16T16:05:35-07:00</updated>
    <link href="/services/data/summaries/search_admin_NS6f37597da0cade4c" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/search_admin_NS6f37597da0cade4c" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">search_admin_NS6f37597da0cade4c</s:key>
        <s:key name="related_indexes">_internal</s:key>
        <s:key name="related_indexes_count">1</s:key>
        <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key>
        <s:key name="total_bucket_count">9</s:key>
        <s:key name="total_size">4.000</s:key>
        <s:key name="type">report_acceleration</s:key>
      </s:dict>
    </content>
  </entry>

data/summaries/{summary_name}

https://<host>:<mPort>/services/data/summaries/{summary_name}

Get disk usage information about the {name} indexer summary.

GET

Get disk usage information for the {name} summary.

Request parameters
None.

Returned values

Name	Description
name	Summary name.
related_indexes	Lists up to 10 indexes that contribute to this summary.
related_indexes_count	Provides total count of related indexes for this summary.
search_head_guid	GUID for search head creating the summary data.
total_bucket_count	Number of buckets for this summary.
total_size	Total summary disk size in MB.

Example request and response

XML Request

curl -k -u username:password  https://localhost:8089/services/data/summaries/my_summary

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>introspection--disk-objects--summaries</title>
  <id>https://localhost:8089/services/data/summaries</id>
  <updated>2015-09-11T15:27:46-07:00</updated>
  <generator build="049b19239844e1f7e09be3d55713c1aae663e7ae" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/summaries/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/> 
   ... opensearch elements elided ...
 <entry>
    <title>DM_launcher_mydatamodel</title>
    <id>https://localhost:8089/services/data/summaries/DM_launcher_mydatamodel</id>
    <updated>2015-09-11T15:27:46-07:00</updated>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="name">DM_launcher_mydatamodel</s:key>
        <s:key name="related_indexes">_audit,_internal</s:key>
        <s:key name="related_indexes_count">2</s:key>
        <s:key name="search_head_guid">58F60B1E-F098-41F7-BFEC-FE285489E67D</s:key>
        <s:key name="total_bucket_count">88</s:key>
        <s:key name="total_size">312.000</s:key>
      </s:dict>
    </content>
  </entry>

</feed>

server/health/deployment

https://<host>:<mPort>/services/server/health/deployment

Shows the overall health of a distributed deployment. The health of the deployment can be red, yellow, or green. The overall health of the deployment is based on the health of all features reporting to it.

Authentication and Authorization

Requires the admin role or list_health capability.

GET

Get the health status of a distributed deployment.

Request parameters
None

Returned values

Name	Datatype	Description
health	String	Indicates the overall health of the deployment. Health status can be red, yellow, or green.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/server/health/deployment

XML Response

<title>deployment</title>
    <id>https://localhost:8089/services/server/health/deployment</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/server/health/deployment" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/health/deployment" rel="list"/>
    <link href="/services/server/health/deployment/details" rel="details"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="health">yellow</s:key>
      </s:dict>
    </content>
  </entry>

server/health/deployment/details

https://<host>:<mPort>/services/server/health/deployment/details

Shows the overall health of the distributed deployment, as well as each feature node and its respective color.

Authentication and Authorization

Requires the admin role or list_health capability.

GET

Get health status of distributed deployment features.

Request parameters
None

Returned values

Name	Datatype	Description
health	String	Indicates the color of the feature: red, yellow or green. The color of mid-level features defaults to the worst health status color of all features reporting to it.
reason	String	Descriptive string that explains the reason the indicator is non-green.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/server/health/deployment/details

XML Response

<title>health-report</title>
  <id>https://localhost:8089/services/server/health</id>
  <updated>2019-08-01T13:04:45-07:00</updated>
  <generator build="8a199673a7ad87ac32419af7544dfdb1e22073ed" version="20190801"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>deployment</title>
    <id>https://localhost:8089/services/server/health/deployment</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/server/health/deployment" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/health/deployment" rel="list"/>
    <link href="/services/server/health/deployment/details" rel="details"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="features">
          <s:dict>
            <s:key name="health">yellow</s:key>
            <s:key name="num_green">0</s:key>
            <s:key name="num_red">0</s:key>
            <s:key name="num_yellow">2</s:key>
            <s:key name="splunkd">
              <s:dict>
                <s:key name="health">yellow</s:key>
                <s:key name="indexer_clustering">
                  <s:dict>
                    <s:key name="health">yellow</s:key>
                    <s:key name="num_green">0</s:key>
                    <s:key name="num_red">0</s:key>
                    <s:key name="num_yellow">2</s:key>
                    <s:key name="slave_state">
                      <s:dict>
                        <s:key name="health">yellow</s:key>
                        <s:key name="num_green">0</s:key>
                        <s:key name="num_red">0</s:key>
                        <s:key name="num_yellow">2</s:key>
                        <s:key name="slave_state">
                          <s:dict>
                            <s:key name="description">description for the indicator TODO</s:key>
                            <s:key name="health">yellow</s:key>
                            <s:key name="instances">
                              <s:dict>
                                <s:key name="51C1A657-2E66-4138-9920-597F38495B72">
                                  <s:dict>
                                    <s:key name="guid">51C1A657-2E66-4138-9920-597F38495B72</s:key>
                                    <s:key name="health">yellow</s:key>
                                    <s:key name="measured_value">0</s:key>
                                    <s:key name="name">fool02.sv.splunk.com</s:key>
                                    <s:key name="reason">CMPeer is in manual detention.</s:key>
                                    <s:key name="timestamp">1564689878.099799</s:key>
                                  </s:dict>
                                </s:key>
                                <s:key name="BCC9FA7B-23F1-4A6B-AA2F-F88273CC557F">
                                  <s:dict>
                                    <s:key name="guid">BCC9FA7B-23F1-4A6B-AA2F-F88273CC557F</s:key>
                                    <s:key name="health">yellow</s:key>
                                    <s:key name="measured_value">0</s:key>
                                    <s:key name="name">fool03.sv.splunk.com</s:key>
                                    <s:key name="reason">CMPeer is in manual detention.</s:key>
                                    <s:key name="timestamp">1564689878.086763</s:key>
                                  </s:dict>
                                </s:key>
                                <s:key name="health">yellow</s:key>
                                <s:key name="num_green">0</s:key>
                                <s:key name="num_red">0</s:key>
                                <s:key name="num_yellow">2</s:key>
                              </s:dict>
                            </s:key>
                            <s:key name="name">slave_state</s:key>
                            <s:key name="num_green">0</s:key>
                            <s:key name="num_red">0</s:key>
                            <s:key name="num_yellow">2</s:key>
                            <s:key name="path">splunkd.indexer_clustering.slave_state.slave_state</s:key>
                          </s:dict>
                        </s:key>
                      </s:dict>
                    </s:key>
                  </s:dict>
                </s:key>
                <s:key name="num_green">0</s:key>
                <s:key name="num_red">0</s:key>
                <s:key name="num_yellow">2</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="health">yellow</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

server/health/splunkd

https://<host>:<mPort>/services/server/health/splunkd

Shows the overall health of splunkd. The health of splunkd can be red, yellow, or green. The health of splunkd is based on the health of all features reporting to it.

Authentication and Authorization

Requires the admin role or list_health capability.

GET

Get the health status of splunkd.

Request parameters
None

Returned values

Name	Datatype	Description
health	String	Indicates the overall health of `splunkd`. Health status can be red, yellow, or green.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/server/health/splunkd

XML Response

<title>health-report</title>
  <id>https://10.141.65.195:41405/services/server/health</id>
  <updated>2018-04-04T21:32:40+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/health/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>splunkd</title>
    <id>https://10.141.65.195:41405/services/server/health/splunkd</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/services/server/health/splunkd" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/health/splunkd" rel="list"/>
    <link href="/services/server/health/splunkd/details" rel="details"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="health">red</s:key>
      </s:dict>
    </content>
  </entry>

server/health/splunkd/details

https://<host>:<mPort>/services/server/health/splunkd/details

Shows the overall health of the splunkd health status tree, as well as each feature node and its respective color. For unhealthy nodes (non-green), the output includes reasons, indicators, thresholds, messages, and so on.

Authentication and Authorization

Requires the admin role or list_health capability.

GET

Get health status of splunkd features.

Request parameters
None

Returned values

Name	Datatype	Description
health	String	Indicate the color of the feature: red, yellow or green. The color of midlevel features is the worst color of all the features reporting to it.
messages	String	The last 50 messages from `splunkd.log` that might relate to the feature status change. Returned only if a feature color is not green.
reasons	String	Describes the indicator(s) that caused the feature's status to change to a non-green state. Returned only if a feature color is not green.
due_to_stanza	String	Indicates the stanza name in `health.conf` where the configuration for the non-green indicator exists.
due_to_threshold	String	Indicates the threshold because of which the color of the indicator is non-green.
due_to_threshold_value	Numeric	Indicates the value of the above threshold.
indicator	String	Name of the indicator because of which the feature is non-green.
reason	String	Descriptive string that explains the reason the indicator is non-green.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/server/health/splunkd/details

XML Response

<title>health-report</title>
  <id>https://10.141.65.213:42270/services/server/health</id>
  <updated>2018-04-03T20:05:34+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/health/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>splunkd</title>
    <id>https://10.141.65.213:42270/services/server/health/splunkd</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/services/server/health/splunkd" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/health/splunkd" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="features">
          <s:dict>
            <s:key name="Data Forwarding">
              <s:dict>
                <s:key name="features">
                  <s:dict>
                    <s:key name="Splunk-2-Splunk Forwarding">
                      <s:dict>
                        <s:key name="features">
                          <s:dict>
                            <s:key name="TCPOutAutoLB-0">
                              <s:dict>
                                <s:key name="health">green</s:key>
                              </s:dict>
                            </s:key>
                          </s:dict>
                        </s:key>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                  </s:dict>
                </s:key>
                <s:key name="health">green</s:key>
              </s:dict>
            </s:key>
            <s:key name="File Monitor Input">
              <s:dict>
                <s:key name="features">
                  <s:dict>
                    <s:key name="BatchReader-0">
                      <s:dict>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                    <s:key name="TailReader-0">
                      <s:dict>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                  </s:dict>
                </s:key>
                <s:key name="health">green</s:key>
              </s:dict>
            </s:key>
            <s:key name="Indexer Clustering">
              <s:dict>
                <s:key name="features">
                  <s:dict>
                    <s:key name="Cluster Bundles">
                      <s:dict>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                    <s:key name="Data Durability">
                      <s:dict>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                    <s:key name="Data Searchable">
                      <s:dict>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                    <s:key name="Indexers">
                      <s:dict>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                    <s:key name="Indexing Ready">
                      <s:dict>
                        <s:key name="health">green</s:key>
                      </s:dict>
                    </s:key>
                  </s:dict>
                </s:key>
                <s:key name="health">green</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="health">green</s:key>
      </s:dict>
    </content>
  </entry>

server/health-config

https://<host>:<mPort>/services/server/health-config

Endpoint to configure the splunkd health report.

Authentication and Authorization

Requires the admin role or list_health capability.

GET

List configuration information for the splunkd health report.

Request parameters
None

Returned values
None

Example request and response

XML Request

curl -k -u admin:password  https://localhost:8089/services/server/health-config

XML Response


<entry>
    <title>alert_action:email</title>
    <id>https://localhost:8089/services/server/health-config/alert_action%3Aemail</id>
    <link href="/services/server/health-config/alert_action%3Aemail" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/health-config/alert_action%3Aemail" rel="list"/>
    <link href="/services/server/health-config/alert_action%3Aemail" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action.cc">a@company.com, b@company.com</s:key>
        <s:key name="action.to">c@company.com</s:key>
      </s:dict>
    </content>
</entry>

<entry>
    <title>health_reporter</title>
    <id>https://localhost:8089/services/server/health-config/health_reporter</id>
    <link href="/services/server/health-config/health_reporter" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/health-config/health_reporter" rel="list"/>
    <link href="/services/server/health-config/health_reporter" rel="edit"/>
    <content type="text/xml">
      <s:dict>
		<s:key name="alert.disabled">0</s:key>
		<s:key name="alert.actions">email, webhook</s:key>
		<s:key name="alert.min_duration_sec">600</s:key>
		<s:key name="alert.suppress_period">10m</s:key>
      </s:dict>
    </content>
</entry>

<entry>
    <title>feature:batchreader</title>
    <id>https://localhost:8089/services/server/health-config/feature%3Abatchreader</id>
    <link href="/services/server/health-config/feature%3Abatchreader" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/health-config/feature%3Abatchreader" rel="list"/>
    <link href="/services/server/health-config/feature%3Abatchreader/_reload" rel="_reload"/>
    <link href="/services/server/health-config/feature%3Abatchreader" rel="edit"/>
    <content type="text/xml">
      <s:dict>
		<s:key name="alert.disabled">0</s:key>
		<s:key name="alert.min_duration_sec">600</s:key>
		<s:key name="alert:data_out_rate.min_duration_sec">1800</s:key>	
		<s:key name="indicator:data_out_rate:red">2</s:key>
		<s:key name="indicator:data_out_rate:yellow">1</s:key>
		<s:key name="disabled">0</s:key>
		<s:key name="display_name">BatchReader</s:key>
      </s:dict>
    </content>
</entry>

server/health-config/{alert_action}

https://<host>:<mPort>/services/server/health-config/alert_action:<action_name>

Configure alert actions for the splunkd health report.

Authentication and Authorization

Requires the admin role or edit_health capability.

POST

Configure alert actions for the splunkd health report.

Request parameters

Name	Type	Description
alert_action:<action_name>	String	Specify the alert action name. `<action_name>` can be one of the following: [email \| PagerDuty]
action.to	String	Primary email address to use with the email alert action.
action.cc	String	CC email address to use with the email alert action.
action.bcc	String	BCC email address to use with the email alert action.
action.integration_url_override	String	Sets the `<integration key>` value for PagerDuty alert action. For example `action.integration_url_override=78c3b6cf0a884a538410fe2812273b0b`
disabled	Boolean	Enables/disables the alert action. Possible values are 0 and 1. A value of 1 disables the alert action.

Returned values
None

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/server/health-config/alert_action:email -d action.to=admin@example.com -d action.cc=admin2@example.com -d disabled=0

XML Response


<title>health-report-config</title>
  <id>https://10.141.65.179:52000/services/server/health-config</id>
  <updated>2018-04-02T18:36:31+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/health-config/_new" rel="create"/>
  <link href="/services/server/health-config/_reload" rel="_reload"/>
  <link href="/services/server/health-config/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

server/health-config/{feature_name}

https://<host>:<mPort>/services/server/health-config/feature:<feature_name>

Edit feature- and indicator-level settings for the splunkd health report.

Authentication and Authorization

Requires the admin role or edit_health capability.

POST

Edit feature- and indicator-level settings for the splunkd health report.

Request parameters

Name	Type	Description
alert.disabled	Boolean	Possible values are 0 or 1. A value of 1 disables alerting for this feature. If alerting is disabled in the [health_reporter] stanza, alerting for this feature is disabled, regardless of the value set here. If the value is set to 1, alerting or all indicators is disabled. Default: 0 (enabled).
alert.min_duration_sec	Number	The minimum amount of time, in seconds, that the health status color must persist before an alert triggers.
alert.threshold_color	String	The health status color that triggers an alert. Possible values are yellow and red. Default: red.
alert:<indicator_name>.disabled	Number	Possible values are 0 or 1. A value of 1 disables alerting for this indicator. Default: 0 (enabled).
alert:<indicator_name>.min_duration_sec	Number	The minimum amount of time, in seconds, that the health status color must persist before an alert triggers for this indicator.
alert:<indicator_name>.threshold_color	String	The health status color that triggers an alert for this indicator. Possible values are yellow and red. Default: red.
disable	Boolean	Disables/enables reporting the health of the feature. Use `disabled=1` to disable the feature. Use `disabled=0` to enable the feature.
distributed_disabled	Boolean	Disables/enables reporting the health of the feature in the distributed health report Use `disabled=1` to disable the feature. Use `disabled=0` to enable the feature.
feature:<feature_name>	String	Specify the feature name. `feature_name` can be any supported feature listed in $SPLUNK_HOME/etc/system/default/health.conf.
indicator:<indicator name>:<color>	Number	The indicator threshold value that triggers a health status change to the specified color for the indicator.

Returned values
None

Example request and response

XML Request

curl -k -u admin:password https://localhost:8089/services/server/health-config/feature:batchreader -d disabled=1 -d alert.disabled=0 -d alert.min_duration_sec=100 -d alert:data_out_rate.disabled=1 -d alert:data_out_rate.threshold_color=yellow

XML Response


<title>health-report-config</title>
  <id>https://10.141.65.179:52000/services/server/health-config</id>
  <updated>2018-04-02T18:36:31+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/health-config/_new" rel="create"/>
  <link href="/services/server/health-config/_reload" rel="_reload"/>
  <link href="/services/server/health-config/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

server/info

https://<host>:<mPort>/services/server/info?output_mode=json

Access information about the currently running Splunk instance.

Note: This endpoint provides information on the currently running Splunk instance. Some values returned in the GET response reflect server status information. However, this endpoint is meant to provide information on the currently running instance, not the machine where the instance is running. Server status values returned by this endpoint should be considered deprecated and might not continue to be accessible from this endpoint. Use server/sysinfo to access server status instead. For more information, see server/sysinfo.

GET

Get Splunk instance information.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name	Description
activeLicenseGroup	Type of Splunk software license. Enterprise Forwarder Free Invalid Trial
addOns	Names of active add-ons.
build	The build number for this Splunk instance version.
cpu_arch	The architecture type for the CPU hosting `splunkd`. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
guid	Globally unique identifier for this server.
host	Server name.
host_fqdn	host fully-qualified domain name.
isFree	Indicates if this server is running the Splunk instance under a free license.
isTrial	Indicates if this server is using a trial license.
kv_store_status	App KV store availability.
license_labels	Labels associated with the license used on this server.
licenseKeys	License key unique for each license.
licenseSignature	Hash signature for the license used on this server.
licenseState	Specifies the status of the license, which can be either OK or Expired.
master_guid	Globally unique identifier for this server.
max_users	Maximum number of users on the instance.
mode	Indicates whether the server is a dedicated forwarder. Possible values are: normal dedicated forwarder
numberOfCores	Server number of processor cores. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_build	Software build for the server os_version. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_name	Server operating system. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_version	Server operating system version. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
physicalMemoryMB	Server physical memory (MB). The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
product_type	Splunk software product type. One of the following values. enterprise hunk lite lite_free splunk
rtsearch_enabled	Indicates if real-time search is enabled for the instance on this server.
server_roles	Zero or more of the following possible server roles. indexer universal_forwarder heavyweight_forwarder lightweight_forwarder license_master license_slave cluster_master cluster_slave cluster_search_head deployment_server deployment_client search_head search_peer shc_captain shc_deployer shc_member See also: server/roles endpoint.
serverName	Server DNS domain name.
startup_time	Server platform start time, in seconds since January 1, 1970 (UNIX epoch).
version	Displays the Splunk platform version.
versionControlEnabled	Indicates whether the View version history option is enabled on the instance. A value of `True` means that the option is enabled.

Example request and response

JSON Request

curl -X GET -u admin:changeme -k "https://localhost:8106/services/server/info?output_mode=json"

JSON Response


  {
    "links": {},
    "origin": "https://localhost:8106/services/server/info",
    "updated": "2024-09-09T01:52:13-07:00",
    "generator": {
        "build": "b0122e4d425e5c0d37a7278576a02b962b3505f7",
        "version": "20240906"
    },
    "entry": [
        {
            "name": "server-info",
            "id": "https://localhost:8106/services/server/info/server-info",
            "updated": "1969-12-31T16:00:00-08:00",
            "links": {
                "alternate": "/services/server/info/server-info",
                "list": "/services/server/info/server-info"
            },
            "author": "system",
            "acl": {
                "app": "",
                "can_list": true,
                "can_write": true,
                "modifiable": false,
                "owner": "system",
                "perms": {
                    "read": [
                        "*"
                    ],
                    "write": []
                },
                "removable": false,
                "sharing": "system"
            },
            "content": {
                "activeLicenseGroup": "Enterprise",
                "activeLicenseSubgroup": "Production",
                "addOns": null,
                "build": "b0122e4d425e5c0d37a7278576a02b962b3505f7",
                "conf_generation": 7,
                "cpu_arch": "x86_64",
                "eai:acl": null,
                "federated_search_enabled": true,
                "fips_mode": false,
                "guid": "D4DBAE70-1C60-48F5-9A91-7222FDB7C528",
                "health_info": "green",
                "health_version": 2653725249,
                "host": "chieftain",
                "host_fqdn": "chieftain",
                "host_resolved": "chieftain",
                "isConverged": false,
                "isForwarding": false,
                "isFree": false,
                "isTrial": false,
                "kvStoreStatus": "failed",
                "licenseKeys": [
                    "CF4AAB0EAB5E5CD3B2E200AC6562A4028DAD54C4E7EA61144A836200420B3ADB"
                ],
                "licenseSignature": "52468815a75e22dee8211e7afaa3c171",
                "licenseState": "OK",
                "license_labels": [
                    "Splunk Internal License DO NOT DISTRIBUTE"
                ],
                "manager_guid": "D4DBAE70-1C60-48F5-9A91-7222FDB7C528",
                "manager_uri": "self",
                "master_guid": "D4DBAE70-1C60-48F5-9A91-7222FDB7C528",
                "master_uri": "self",
                "max_users": 4294967295,
                "mode": "normal",
                "numberOfCores": 50,
                "numberOfVirtualCores": 50,
                "os_build": "#35-Ubuntu SMP Thu May 7 20:20:34 UTC 2020",
                "os_name": "Linux",
                "os_name_extended": "Linux",
                "os_version": "5.4.0-31-generic",
                "physicalMemoryMB": 35840,
                "product_type": "enterprise",
                "rtsearch_enabled": true,
                "serverName": "chieftain",
                "server_roles": [
                    "indexer",
                    "license_master",
                    "license_manager"
                ],
                "shutting_down": "0",
                "startup_time": 1725871367,
                "staticAssetId": "F5B763C878861D48BD7E909BF8BFCD565B8DAC50BE0F0EE09FFF9685D2505F04",
                "version": "20240906",
                "versionControlEnabled": true
            }
        }
    ],
    "paging": {
        "total": 1,
        "perPage": 30,
        "offset": 0
    },
    "messages": []
}

server/introspection

https://<host>:<mPort>/services/server/introspection

Access system introspection artifacts.

See also the following associated endpoints.

GET

List introspection resources.

Request parameters
None

Returned values
The endpoint returns a list of introspection artifacts.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection

XML Response

...
<title></title>
 <id>https://localhost:8089/services/server/introspection</id>
 <updated>2014-08-04T11:40:23-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>indexer</title>
   <id>https://localhost:8089/services/server/introspection/indexer</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/indexer" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/indexer" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>kvstore</title>
   <id>https://localhost:8089/services/server/introspection/kvstore</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/kvstore" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore" rel="list"/>
   <link href="/services/server/introspection/kvstore/_reload" rel="_reload"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>pipelines</title>
   <id>https://localhost:8089/services/server/introspection/pipelines</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/pipelines" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/pipelines" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>processors</title>
   <id>https://localhost:8089/services/server/introspection/processors</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/processors" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/processors" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>queues</title>
   <id>https://localhost:8089/services/server/introspection/queues</id>
   <updated>2014-08-04T11:40:23-07:00</updated>
   <link href="/services/server/introspection/queues" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/queues" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

server/introspection/indexer

https://<host>:<mPort>/services/server/introspection/indexer

Access the current indexer status.

GET

Get indexer status information.

Request parameters
None

Returned values

Name Description

average_KBps Average indexer throughput (kbps).

reason

Status explanation. For a normal status, returns . . The following examples show possible abnormal status reasons.

"idx=<indexerName> Throttling indexer, too many tsidx files in bucket=<bucketName>. Is splunk-optimize working? If not, low disk space may be the cause."

"You are low in disk space on partition <partitionName>. Indexing is paused. Will resume when free disk space rises above <minFreeMB>."

status

Current indexer status. One of the following values.

normal
throttled
stopped

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/indexer

XML Response

...
 <title>introspection-indexer</title>
 <id>https://localhost:8089/services/server/introspection/indexer</id>
 <updated>2014-08-04T11:43:04-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>indexer</title>
   <id>https://localhost:8089/services/server/introspection/indexer/indexer</id>
   <updated>2014-08-04T11:43:04-07:00</updated>
   <link href="/services/server/introspection/indexer/indexer" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/indexer/indexer" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="average_KBps">0.517667</s:key>
       <s:key name="eai:acl">... elided ...</s:key>
       <s:key name="reason">.</s:key>
       <s:key name="status">normal</s:key>
     </s:dict>
   </content>
 </entry>

server/introspection/kvstore

https://<host>:<mPort>/services/server/introspection/kvstore

Access app KV store resources.

GET

List app KV store resources.

Request parameters
None

Returned values
Lists the following app /server/introspection/kvstore resources.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore

XML Response

...
 <title></title>
 <id>https://localhost:8089/services/server/introspection/kvstore</id>
 <updated>2014-08-20T14:06:12-07:00</updated>
 <generator build="221120" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>collectionstats</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/collectionstats" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/collectionstats" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>replicasetstats</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/replicasetstats" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/replicasetstats" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>serverstatus</title>
   <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus</id>
   <updated>2014-08-20T14:06:12-07:00</updated>
   <link href="/services/server/introspection/kvstore/serverstatus" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/introspection/kvstore/serverstatus" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

server/introspection/kvstore/collectionstats

https://<host>:<mPort>/services/server/introspection/kvstore/collectionstats

Get storage statistics for a collection.

See also the following associated endpoints.

GET

Get collection storage statistics.

Request parameters
None

Returned values

Name Description

data

Returns the following JSON document.

count - Number of collection documents or objects.
indexSizes - Key and size of every index on the collection.
lastExtentSize - Size of last allocated extent.
nindexes - Number of indexes on the collection.
ns - Current collection namespace.
numExtents - Number of contiguously allocated data file regions.
paddingFactor - Amount of space added to each document.
size - Collection records total size.
storageSize- Collection document storage allocation.
systemFlags - Collection flags that reflect internal server options.
totalIndexSize - Size of all indexes.
userFlags - Collection flags set by user.

Note: Sizes are returned in MBs. For more information, see Performance Metrics.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/collectionstats

XML Response

<title>kvstore-collectionstats</title> 
<id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id> <updated>2014-08-20T14:31:42-07:00</updated> <generator build="226873" version="6.2"/> <author>
 <name>Splunk</name>
</author> 
... opensearch nodes elided ... 
 <title>collectionStats</title>
 <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats/collectionStats</id>
 <updated>2014-08-20T14:31:42-07:00</updated>
 <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="alternate"/>
 <author>
   <name>system</name>
 </author>
 <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="list"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="data">
       <s:list>
         <s:item>
         {"ns":"search.kvstoredemo",
          "count":0,
          "size":0,
          "storageSize":8192,
          "numExtents":1,
          "nindexes":2,
          "lastExtentSize":8192,
          "paddingFactor":1,
          "systemFlags":1,
          "userFlags":1,
          "totalIndexSize":16352,
          "indexSizes":{"_id_":8176,"_UserAndKeyUniqueIndex":8176},
          "ok":1}
         </s:item>
       </s:list>
     </s:key>
     <s:key name="eai:acl"> ... elided ...</s:key>
   </s:dict>
 </content>
</entry>

server/introspection/kvstore/replicasetstats

https://<host>:<mPort>/services/server/introspection/kvstore/replicasetstats

Get the status of the replica set from the point of view of the current server.

See also the following associated endpoints.

GET

Get the status of the replica set from the point of view of the current server.

Request parameters
None

Returned values

data Returns the following JSON document.

set - Replicate Set Name set in the server.conf file.
date - Current time in ISO format.
myState - Startup process, basic operations, and potential error states:
- 0 STARTUP Initial member state. Cannot vote.
- 1 PRIMARY Only member that can accept write operations. Can vote.
- 2 SECONDARY Data store replication member. Can vote.
- 3 RECOVERING Members perform startup self-checks, or transition from completing a rollback or resync. Can vote.
- 4 FATAL Unrecoverable error encountered. Cannot vote.
- 5 STARTUP2 Forks replication and election threads before becoming a secondary. Cannot vote.
- 6 UNKNOWN Never connected to replica set. Cannot vote.
- 7 ARBITER Participate in elections, do not replicate data. Can vote.
- 8 DOWN Cannot be accessed by the set. Cannot vote.
- 9 ROLLBACK Performs rollback. Can vote.
- 10 REMOVED Removed from the replica set. Cannot vote.
members - Descriptions of members of replica set:
- _id - Member ID.
- name - Server name.
- health - Status: 1 = up, 0 = down.
- state - Replica state (See MyState).
- stateStr - String representation of state.
- uptime - Online interval (seconds).
- optime - Information about last operations log operation.
  - t - 32-bit timestamp of last operation.
  - i - Number of operations since the last timestamp.
- optimeDate - Time of last operations log operation in ISO format.
- lastHeartbeat - Transmission time of last heartbeat in ISO format.
- lastHeartbeatRecv - Time last heartbeat received in ISO format.
- pingMs - Round-trip packet time (msec).
- syncingTo - On secondary and recovering members, hostname of member from which this instance is syncing.
ok - Command return status: 1 = Success, 0 = Failure.
oplogInfo - Operations log information:
- start - Start time.
- end - End time.
- collectionStats - Collection storage statistics:
  - ns - Current collection namespace.
  - count - Number of collection documents or objects.
  - size - Collection records total size.
  - avgObjSize - Average object size in collection (bytes).
  - storageSize - Collection document storage allocation.
  - numExtents - Number of contiguously allocated data file regions.
  - nindexes - Number of indexes on the collection.
  - lastExtentSize - Size of last allocated extent.
  - paddingFactor - Amount of space added to each document.
  - systemFlags - Collection flags that reflect internal server options.
  - userFlags - Collection flags set by user.
  - totalIndexSize - Size of all indexes.
  - indexSizes - Key and size of every index on the collection.
  - capped - Capped setting: true = capped, false = not capped.
  - max - Max collection size.
  - ok - Command return status: 1 = Success, 0 = Failure.
- sources - Operations log sources.

Name	Description

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/replicasetstats

XML Response

...
<title>replicasetstats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats/replicasetstats</id>
<updated>2014-08-20T14:31:42-07:00</updated>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="alternate"/>
<author>
  <name>system</name>
</author>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="list"/>
<content type="text/xml">
  <s:dict>
    <s:key name="data">
      <s:list>
        <s:item>
           {
             "replSetStats": {
               "set": "splunkrs",
               "date": 1412203576000, 
               "myState": 2,
               "syncingTo": "54.xxx.xxx.xxx:8191",
               "members": [
                 {
                   "_id": 2,
                   "name": "54.xxx.xxx.xxx:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203575000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.xxx:8191"
                 },
                 {
                   "_id": 3,
                   "name": "54.xxx.xxx.yyy:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203576000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.yyy:8191"
                 },
                         .
                         .
                         .
                       elided
                         .
                         .
                         .
                 {
                   "_id": 17,
                   "name": "54.xxx.xxx.zzz:8191",
                   "health": 1,
                   "state": 2,
                   "stateStr": "SECONDARY",
                   "uptime": 102409,
                   "optime": {
                     "t": 1412101153,
                     "i": 1
                   },
                   "optimeDate": 1412101153000,
                   "lastHeartbeat": 1412203574000,
                   "lastHeartbeatRecv": 1412203575000,
                   "pingMs": 1,
                   "syncingTo": "54.xxx.xxx.zzz:8191"
                 }
               ],
               "ok": 1
             },
             "oplogInfo": {
               "start": 1412022009000,
               "end": 1412101153000,
               "collectionStats": {
                 "ns": "local.oplog.rs",
                 "count": 631,
                 "size": 166964,
                 "avgObjSize": 264,
                 "storageSize": 1048580080,
                 "numExtents": 3,
                 "nindexes": 0,
                 "lastExtentSize": 4096,
                 "paddingFactor": 1,
                 "systemFlags": 0,
                 "userFlags": 0,
                 "totalIndexSize": 0,
                 "indexSizes": {},
                 "capped": true,
                 "max": 9223372036854775808.000000,
                 "ok": 1
               },
               "sources": {}
             }
           }
       </s:item>
      </s:list>
    </s:key>
    <s:key name="eai:acl"> ... elided ...</s:key>
  </s:dict>
</content>
</entry>

server/introspection/kvstore/serverstatus

https://<host>:<mPort>/services/server/introspection/kvstore/serverstatus

Get an overview of the database process state.

Monitoring applications periodically run this command to get statistical information about the database instance.

See also the following associated endpoints.

GET

Get an overview of the database process state.

Request parameters
None

Returned values
The response data is platform-dependent.

Name Description

data

Returns the following CDATA items.

asserts - Number of database assertions since the server process started, for each of the following levels/types:
- regular
- warning
- msg
- user
- rollovers
backgroundFlushing - Write to disk flush metrics:
- flushes - Number of times writes flushed.
- total_ms - Number of msec processes used to flush writes.
- average_ms - Relationship between flushes and total_ms, in msec.
- last_ms - Number of msec the last flush took.
- last_finished (date) - ISO time of last completed write flush operation.
connections - Current incoming connections status and database availability:
- current - Number of active client connections.
- available - Number of unused connections available.
- totalCreated - Total number of connections created, including closed connections.
cursors - [DEPRECATED] Current cursor and state. Use metrics, instead.
dur - (Durability) Journaling-related operations and performance. Journaling must be enabled.:
- commits - Number of transactions written to the journal during the last group commit interval.
- journaledMB - Amount of data (MB) written to the journal during the last group commit interval.
- writeToDataFilesMB - Amount of data (MB) written from journal to data files during the last group commit interval.
- compression - Compression ratio of data written to journal: (journaled_size_of_data / uncompressed_size_of_data)
- commitsInWriteLock - Number of commits that occurred during a write lock.
- earlyCommits - Number of commits requested before scheduled group commit time.
- timeMs: Performance during various journaling phases.
  - dt - Data collection interval (msec).
  - prepLogBuffer - Time spend preparing to write to journal (msec).
  - writeToJournal - Time spent writing to journal (msec).
  - writeToDataFiles - Time spent writing to data files after journaling (msec).
  - remapPrivateView - Time spent remapping copy-on-write memory mapped views (msec).
extra_info - Platform-specific information:
- note - Platform-specific information.
- heap_usage_bytes - Total heap space size used by database (bytes). Applicable to *nix systems, only.
- page_faults - Total number of page faults that require disk operations.
globalLock - Information about the current database lock state, historical lock status, and active clients:
- totalTime - Time since database started and globalLock creation (usec).
- lockTime - Time since database started that globalLock has been held (usec).
- currentQueue: Information about operations queued because of a lock.
  - total - Total number of operations queued waiting on readers and writers locks.
  - readers - Number of operations queued waiting for read lock.
  - writers - Number of operations queued waiting for write lock.
- activeClients: Information about number and operation types of connected clients.
  - total - Total number of readers and writers connections.
  - readers - Number of connected clients performing read operations.
  - writers - Number of connected clients performing write operations.
host - Hostname and port number.
indexCounters - Index usage counters:
- accesses - Number of times operations accessed indexes.
- hits - Number of times index accessed and returned from memory.
- misses - Number of attempts to access index not in memory.
- resets - Number of times index counters reset since database last started.
- missRatio - Ratio of hits to misses.
localTime - ISO-formatted local time.
locks - State and read/write use of global and database-specific locks:
- timeLockedMicros - Amount of time a lock existed, for all databases of this server instance (usec).
- timeAcquiringMicros - Amount of time operations spend waiting, for lock for all databases of this server instance (usec).
- admin: Lock use in the admin database.
  - timeLockedMicros - Amount of time locks existed in the admin database context (usec).
  - timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the admin database context (usec).
- local: Lock use in the local database.
  - timeLockedMicros - Amount of time locks existed in the local database context (usec).
  - timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the local database context (usec).
- search.<collection>: Locks used in each collection.
  - timeLockedMicros - Amount of time locks exist in the collection context (usec).
  - timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the collection context (usec).
mem - Memory usage: System architecture and memory usage metrics.
- bits - System address architecture: 32 or 64 bit architecture.
- resident - Amount of RAM currently used by the database process (MB).
- virtual - Amount of virtual memroy used (MB).
- supported: true = supports extended memory information, false = does not support extended memory information.
- mapped - Amount of mapped memory for database (MB).
- mappedWithJournal - Amount of mapped memory, including journaling memory (MB). Always twice the size of mapped.
metrics - Current instance use and state:
- cursor: Cursor state and use.
  - timedOut - Total number of cursors that have timed out since the server process started.
  - open: - Information about open cursors.
    - noTimeout - Number of open cursors with option set to prevent timeout after a period of inactivity.
    - pinned - Number of pinned open cursors.
    - total - Number of cursors maintained for clients, typically less than zero.
- document: Information about document access and modification patterns and data use. Compare these values to opcounters data, which track total number of operations.
  - deleted - Total number of deleted documents.
  - inserted - Total number of inserted documents.
  - returned - Total number of documents returned by queries.
  - updated - Total number of updated documents.
- getLastError: Information about getLastError use.
  - wtime: getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
    - num - getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
    - totalMillis - Amount of time spent performing getLastError operations with write concern that wait for one or more members of a replica set to acknowledge the write operation (msec).
  - wtimeouts - Number of times write concern operations timed out as a result of the wtimeout threshold to getLastError.
- operation: Counters for several types of update and query operations handled using special operation types.
  - fastmod - Number of update operations that neither cause documents to grow nor require updates to the index.
  - idhack - Number of queries that contain the _key field.
  - scanAndOrder - Number of queries that return sorted numbers that cannot perform the sort operation using an index.
- queryExecutor: Data from the query execution system.
  - scanned - Number of index items scanned during queries and query-plan evaluation.
  - scannedObjects - Total number of documents scanned during the query.
- record: Data related to record allocation in the on-disk memory files.
  - moves - Number of times documents move within the on-disk representation of the data set. Documents move as a result of operations that increase the size of the document beyond their allocated record size.
- repl: Metrics related to the ordered history of logical writes.
  - apply: - Information about the application of ordered history of logical writes.
    - batches: Information on the ordered history of logical writes application process on secondaries members of replica sets.
      - num - Number of batches applied across all databases.
      - totalMillis - Amount of time spent applying ordered history of logical write operations (msec).
    - ops - Number of ordered history of logical write operations.
  - buffer: Information to track the ordered history of logical write operations buffer.
    - count - Number of operations on the ordered history of logical writes buffer.
    - maxSizeBytes/ - Maximum size of the ordered history of logical writes buffer.
    - sizeBytes - Current size of the contents of the ordered history of logical writes buffer.
  - network: Network use information for the replication process.
    - bytes - Amount of data read from the replication sync source (bytes).
    - getmores: Information about queries for additional results from the ordered history of logical write operations cursor as part of the replication process.
      - num - Number of queries for additional results from the ordered history of logical write operations, which are operations that request an additional set of operations from the replication sync source.
      - totalMillis - Amount of time to collect data from queries for additional results from the ordered history of logical write operations (msec).
    - ops - Number of operations read from the replication source.
    - readersCreated - Number of queries for additional results from the ordered history of logical write operations processes created.
  - preload: Information about replication pre-fetch.
    - docs: Information about documents loaded into memory during replication pre-fetch.
      - num - Number of documents loaded during replication pre-fetch.
      - totalMillis - Amount of time spent loading documents as part of replication pre-fetch (msec).
    - indexes: Information about index items loaded into memory during replication pre-fetch.
      - num - Number of index entries loaded by members before updating documents as part of replication pre-fetch.
      - totalMillis - Amount of time spent loading index entries as part of replication pre-fetch (msec).
- storage: Freelist behavior monitoring statistics.
  - freelist: Freelist bucket behavior monitoring statistics.
    - search: Freelist bucket behavior monitoring search statistics.
      - bucketExhausted - Number of times bucket fully searched, requiring advance to next bucket.
      - requests - Number of times the allocation function was called.
      - scanned - Number of freelist bucket entries examined.
- ttl: Information about resource use of the ttl index process.
  - deletedDocuments - Number of documents deleted from collections with a ttl index.
  - passes - Number of times background process removes documents from collections with a ttl index.
network - Network use and state:
- bytesIn - Amount of network traffic received by this database (bytes).
- bytesOut- Amount of network traffic sent from this database (bytes).
- numRequests - Number of distinct requests received by the server.
ok - Command return status: 1 = Success, 0 = Failure.
opcounters - Overview of database operations by type, similar to opcountersRepl:
- insert - Number of insert operations since instance started.
- query - Number of queries since instance started.
- update - Number of update operations since instance started.
- delete - Number of delete operations since instance started.
- getmore - Number of getmore operations since instance started.
- command - Number of commands issued since instance started.
opcountersRepl - Overview of replication operations by type, similar to opcounters:
- insert - Number of replicated insert operations since instance started.
- query - Number of replicated queries since instance started.
- update - Number of replicated update operations since instance started.
- delete - Number of replicated delete operations since instance started.
- getmore - Number of replicated getmore operations since instance started.
- command - Number of replicated commands issued since instance started.
pid - Process ID.
recordStats - Page fault statistics:
- accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for all databases.
- pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for all databases.
- admin: Admin database page fault statistics.
  - accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the admin database.
  - pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the admin database.
- local: Local database page fault statistics.
  - accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the local database.
  - pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the local database.
- search.<collection>: Search database page fault statistics.
  - accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the search database.
  - pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the search database.
uptime - Amount of time database process has been active (seconds).
uptimeEstimate - Amount of time database process has been active as calculated from the internal, course-grained time keeping system (seconds).
uptimeMillis - Amount of time database process has been active (msec).
version - Version number (not used).
writeBacksQueued - Write-backs queued status: true = write-backs queued, false = write-backs not queued.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/serverstatus

XML Response

...
 <title>serverStatus</title>
 <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus/serverStatus</id>
 <updated>2014-08-20T14:26:42-07:00</updated>
 <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="alternate"/>
 <author>
   <name>system</name>
 </author>
 <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="list"/>
 <content type="text/xml">
   <s:dict>
     <s:key name="data">
       <![CDATA[{
"host":"localhost:8089", "version":"2.6.3", "pid":23009, "uptime":19049, "uptimeMillis":19049447, "uptimeEstimate":18295, "localTime":{"$date":1408570002615}, "asserts":{ "regular":0, "warning":0, "msg":0, "user":0, "rollovers":0}, "backgroundFlushing":{ "flushes":317, "total_ms":11523, "average_ms":36.350158, "last_ms":0, "last_finished":{"$date":1408569973325}}, "connections":{ "current":7, "available":3269, "totalCreated":7}, "cursors":{ "note":"deprecated, use server status metrics", "clientCursors_size":0, "totalOpen":0, "pinned":0, "totalNoTimeout":0, "timedOut":0}, "dur":{ "commits":30, "journaledMB":0, "writeToDataFilesMB":0, "compression":0, "commitsInWriteLock":0, "earlyCommits":0, "timeMs":{ "dt":3072, "prepLogBuffer":0, "writeToJournal":0, "writeToDataFiles":0, "remapPrivateView":0}}, "extra_info":{ "note":"fields vary by platform", "heap_usage_bytes":67624592, "page_faults":3}, "globalLock":{ "totalTime":19049447000, "lockTime":1491098, "currentQueue":{ "total":0, "readers":0, "writers":0}, "activeClients":{ "total":0, "readers":0, "writers":0}}, "indexCounters":{ "accesses":2, "hits":2, "misses":0, "resets":0, "missRatio":0}, "locks":{ ".":{ "timeLockedMicros":{ "R":2926340, "W":1491098}, "timeAcquiringMicros":{ "R":1458997, "W":342703}}, "admin":{ "timeLockedMicros":{ "r":103638, "w":0}, "timeAcquiringMicros":{ "r":13202, "w":0}}, "local":{ "timeLockedMicros":{ "r":426518, "w":237}, "timeAcquiringMicros":{ "r":185505, "w":12}}, "search.kvstoredemo":{ "timeLockedMicros":{ "r":2832888, "w":292}, "timeAcquiringMicros":{ "r":1310820, "w":17}}}, "network":{ "bytesIn":1133611, "bytesOut":11628162, "numRequests":12070}, "opcounters":{ "insert":1, "query":4760, "update":0, "delete":0, "getmore":0, "command":8264}, "opcountersRepl":{ "insert":0, "query":0, "update":0, "delete":0, "getmore":0, "command":0}, "recordStats":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0, "admin":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "local":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "search.kvstoredemo":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}}, "writeBacksQueued":false, "mem":{ "bits":64, "resident":58, "virtual":325, "supported":true, "mapped":64, "mappedWithJournal":128}, "metrics":{ "cursor":{ "timedOut":0, "open":{ "noTimeout":0, "pinned":0, "total":0}}, "document":{ "deleted":0, "inserted":1, "returned":2, "updated":0}, "getLastError":{ "wtime":{ "num":0, "totalMillis":0}, "wtimeouts":0}, "operation":{ "fastmod":0, "idhack":0, "scanAndOrder":0}, "queryExecutor":{ "scanned":0, "scannedObjects":0}, "record":{"moves":0}, "repl":{ "apply":{ "batches":{ "num":0, "totalMillis":0}, "ops":0}, "buffer":{ "count":0, "maxSizeBytes":268435456, "sizeBytes":0}, "network":{ "bytes":0, "getmores":{ "num":0, "totalMillis":0}, "ops":0, "readersCreated":0}, "preload":{ "docs":{ "num":0, "totalMillis":0}, "indexes":{ "num":0, "totalMillis":0}}}, "storage":{ "freelist":{ "search":{ "bucketExhausted":0, "requests":0, "scanned":0}}}, "ttl":{ "deletedDocuments":0, "passes":317}}, "ok":1}]]>

     </s:key>
     <s:key name="eai:acl"> ... elided ... </s:key>
   </s:dict>
 </content>
</entry>

server/introspection/search/dispatch

https://<host>:<mPort>/services/server/introspection/search/dispatch

Provides vital statistics for distributed search framework, including details on search peer performance.

GET

Enumerate scheduled search details.

Request parameters
None

Returned values

Name	Description
Bundle_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Bundle_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Compute_User_Search_Quota_Average_Time(ms)	Average time for computing user search quota.
Compute_User_Search_Quota_Max_Time(ms)	Maximum time for computing user search quota.
Dispatch_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Dispatch_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Search_StartUp_Time_Average_Time(ms)	Average time for preprocessing before search startup. Counted from time search state is set to `RUNNING`. Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.
Search_StartUp_Time_Max_Time(ms)	Maximum time for preprocessing before search startup. Counted from time search state is set to `RUNNING`. Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.

Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch

XML Response

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search/dispatch</id>
  <updated>2015-08-27T13:49:04-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>4</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Bundle_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Bundle_Directory_Reaper</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Bundle_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Bundle_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bundle_Directory_Reaper_Average_Time(ms)">1.000000</s:key>
        <s:key name="Bundle_Directory_Reaper_Max_Time(ms)">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Compute_User_Search_Quota</title>  <id>https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Compute_User_Search_Quota_Average_Time(ms)">2.500000</s:key>
        <s:key name="Compute_User_Search_Quota_Max_Time(ms)">4</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Dispatch_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Dispatch_Directory_Reaper_Average_Time(ms)">5.400000</s:key>
        <s:key name="Dispatch_Directory_Reaper_Max_Time(ms)">16</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Search_StartUp_Time</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Search_StartUp_Time</id>
    <updated>2015-08-27T13:49:04-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Search_StartUp_Time" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Search_StartUp_Time" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Search_StartUp_Time_Average_Time(ms)">136.750000</s:key>
        <s:key name="Search_StartUp_Time_Max_Time(ms)">185</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

server/introspection/search/dispatch/Bundle_Directory_Reaper

https://<host>:<mPort>/services/server/introspection/search/dispatch/Bundle_Directory_Reaper

Get average and maximum time for the dispatch reaper to walk the search peer directory and reap obsolete bundles.

GET

Enumerate routine distributed search method execution times for each peer.

Request parameters
None

Returned values

Name	Description
Bundle_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Bundle_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles.

Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Bundle_Directory_Reaper

XML Response

...
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search//dispatch</id>
  <updated>2015-08-26T14:24:43-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search//dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Bundle_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search//dispatch/Bundle_Directory_Reaper</id>
    <updated>2015-08-26T14:24:43-07:00</updated>
    <link href="/services/server/introspection/search//dispatch/Bundle_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search//dispatch/Bundle_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bundle_Directory_Reaper_Average_Time(ms)">1.000000</s:key>
        <s:key name="Bundle_Directory_Reaper_Max_Time(ms)">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

server/introspection/search/dispatch/Compute_User_Search_Quota

https://<host>:<mPort>/services/server/introspection/search/dispatch/Compute_User_Search_Quota

Provides average and maximum time for computing user search quotas.

GET

Enumerate average and maximum time for user search quota computation.

Request parameters
None

Returned values

Name	Description
Compute_User_Search_Quota_Average_Time(ms)	Average time for computing user search quota.
Compute_User_Search_Quota_Max_Time(ms)	Maximum time for computing user search quota.

XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota

XML Response

...
<title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search/dispatch</id>
  <updated>2015-08-26T14:33:46-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Compute_User_Search_Quota</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota</id>
    <updated>2015-08-26T14:33:46-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Compute_User_Search_Quota_Average_Time(ms)">1.950000</s:key>
        <s:key name="Compute_User_Search_Quota_Max_Time(ms)">4</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

server/introspection/search/dispatch/Dispatch_Directory_Reaper

https://<host>:<mPort>/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper

Get average and maximum time for the dispatch reaper to walk the dispatch directory and reap stale artifacts.

GET

Show dispatch directory reaper times for reaping stale artifacts.

Request parameters
None

Returned values

Name	Description
Dispatch_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Dispatch_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts.

Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper

XML Response

...
  <title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search/dispatch</id>
  <updated>2015-08-26T14:34:41-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Dispatch_Directory_Reaper</title>
    <id>https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper</id>
    <updated>2015-08-26T14:34:41-07:00</updated>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Dispatch_Directory_Reaper_Average_Time(ms)">4.500000</s:key>
        <s:key name="Dispatch_Directory_Reaper_Max_Time(ms)">10</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

server/introspection/search/dispatch/Search_StartUp_Time

https://<host>:<mPort>/services/server/introspection/search/dispatch/Search_StartUp_Time

Get average and maximum time for search preprocessing before startup.

Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, Splunk software is ready to wait for responses from indexers.

GET

Enumerate average and maximum time for search preprocessing before startup.

Request parameters
None

Returned values

Name	Description
Search_StartUp_Time_Average_Time(ms)	Average time for preprocessing before search startup. Counted from time search state is set to `RUNNING`.
Search_StartUp_Time_Max_Time(ms)	Maximum time for preprocessing before search startup. Counted from time search state is set to `RUNNING`.

Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Search_StartUp_Time

XML Response

...
<title>introspection-dispatchreaper</title>
  <id>https://localhost:8089/services/server/introspection/search//dispatch</id>
  <updated>2015-08-26T14:25:14-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search//dispatch/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Search_StartUp_Time</title>
    <id>https://localhost:8089/services/server/introspection/search//dispatch/Search_StartUp_Time</id>
    <updated>2015-08-26T14:25:14-07:00</updated>
    <link href="/services/server/introspection/search//dispatch/Search_StartUp_Time" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search//dispatch/Search_StartUp_Time" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Search_StartUp_Time_Average_Time(ms)">128.619048</s:key>
        <s:key name="Search_StartUp_Time_Max_Time(ms)">171</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

server/introspection/search/distributed

https://<host>:<mPort>/services/server/introspection/search/distributed

Get information about the search knowledge bundle replication, if the current instance is the search head. Provides details about maximum and average time to execute routine distributed search methods, including peer info, peer bundles list, and authentication token requests from search heads.

GET

Enumerate routine distributed search method execution times for each peer.

Usage details
The default update period is ten minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file. If startup occurs within the last ten minutes, counts are shown from startup to the current time.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

The following values are listed for each peer.

Name	Description
Get_Authentication_Max_Time(ms)	Maximum time for search head to get authentication from this peer.
Get_Authentication_Mean_Time(ms)	Average time for search head to get authentication from this peer.
Get_BundleList_Max_Time(ms)	Maximum time for search head to get bundle list from this peer.
Get_ServerInfo_Max_Time(ms)	Maximum time for search head to get server information back from this peer.
Get_ServerInfo_Mean_Time(ms)	Average time for search head to get server information back from this peer.

Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/server/introspection/search/distributed

XML Response

...
 <title>search-distributedmetrics</title>
  <id>https://localhost:8089/services/server/introspection/search/distributed</id>
  <updated>2015-08-26T14:35:48-07:00</updated>
  <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/distributed/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>per_searchhead_metrics</title>
    <id>https://localhost:8089/services/server/introspection/search/distributed/per_searchhead_metrics</id>
    <updated>2015-08-26T14:35:48-07:00</updated>
    <link href="/services/server/introspection/search/distributed/per_searchhead_metrics" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/distributed/per_searchhead_metrics" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">0</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>localhost:8089</title>
    <id>https://localhost:8089/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017</id>
    <updated>2015-08-26T14:35:48-07:00</updated>
    <link href="/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Get_Authentication_Max_Time(ms)">4</s:key>
        <s:key name="Get_Authentication_Mean_Time(ms)">3.400000</s:key>
        <s:key name="Get_BundleList_Max_Time(ms)">5</s:key>
        <s:key name="Get_BundleList_Mean_Time(ms)">3.800000</s:key>
        <s:key name="Get_ServerInfo_Max_Time(ms)">14</s:key>
        <s:key name="Get_ServerInfo_Mean_Time(ms)">9.300000</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">0</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>window_metrics</title>
    <id>https://localhost:8089/services/server/introspection/search/distributed/window_metrics</id>
    <updated>2015-08-26T14:35:48-07:00</updated>
    <link href="/services/server/introspection/search/distributed/window_metrics" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/distributed/window_metrics" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="average_bytes">0.000000</s:key>
        <s:key name="average_msecs">0.000000</s:key>
        <s:key name="count">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">0</s:key>
            <s:key name="can_write">0</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

server/introspection/search/saved

https://<host>:<mPort>/services/server/introspection/search/saved

Access most recent scheduled search priority scores and score calculation adjustments.

GET

Enumerate scheduled search details.

Request parameters
None

Returned values
'Note: 'These response data keys are for informational purposes only. They are subject to change or removal at any time.

Name	Description
final_score	Most recent calculated priority score, based on adjustments and original score.
name	Scheduled search name.
orig_score	A score based on a search's originally scheduled run time.
owner	Search scope or context owner. This could be a specific user or "nobody" for a search defined in an app or system-level scope.
priority_no	Most recent calculated priority number for this search.
real_time_adj	Real-time search priority adjustment. Real-time searches default to -80000 and continuous scheduled searches default to 0. This particular value is for internal purposes only and is subject to change.
runtime_adj	Calculated value based on average search runtime.
skipped_adj	Adjustment for number of times search has been skipped and search period. 0 means the search has not been skipped.
window_adj	Adjustment for remaining time in search run window.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/server/introspection/search/saved

XML Response

  <title>introspection-savedsearches</title>
  <id>https://localhost:8089/services/server/introspection/search/saved</id>
  <updated>2015-06-03T16:41:21-07:00</updated>
  <generator build="6cfc0237739f" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/introspection/search/saved/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>admin;search;search_1</title>
    <id>https://localhost:8089/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1</id>
    <updated>2015-06-03T16:41:21-07:00</updated>
    <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="final_score">1433294868</s:key>
        <s:key name="name">search_1</s:key>
        <s:key name="orig_score">1433374860</s:key>
        <s:key name="owner">admin</s:key>
        <s:key name="priority_no">1</s:key>
        <s:key name="real_time_adj">-80000</s:key>
        <s:key name="runtime_adj">8</s:key>
        <s:key name="skipped_adj">0</s:key>
        <s:key name="window_adj">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>nobody;search;Errors in the last hour</title>
    <id>https://localhost:8089/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour</id>
    <updated>2015-06-03T16:41:21-07:00</updated>
    <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="final_score">1433294980</s:key>
        <s:key name="name">Errors in the last hour</s:key>
        <s:key name="orig_score">1433374860</s:key>
        <s:key name="owner">nobody</s:key>
        <s:key name="priority_no">2</s:key>
        <s:key name="real_time_adj">-80000</s:key>
        <s:key name="runtime_adj">1</s:key>
        <s:key name="skipped_adj">0</s:key>
        <s:key name="window_adj">119</s:key>
      </s:dict>
    </content>
  </entry>

server/status

https://<host>:<mPort>/services/server/status

List server/status child resources.

GET

Enumerate server/status endpoints.

Request parameters
None

Returned values
Returns /server/status/ child endpoints.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status

XML Response

...
 <title></title>
 <id>https://localhost:8089/services/server/status</id>
 <updated>2014-03-25T13:52:59-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>dispatch-artifacts</title>
   <id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/dispatch-artifacts" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/dispatch-artifacts" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>fishbucket</title>
   <id>https://localhost:8089/services/server/status/fishbucket</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/fishbucket" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/fishbucket" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>partitions-space</title>
   <id>https://localhost:8089/services/server/status/partitions-space</id>
   <updated>2014-03-25T13:52:59-07:00</updated>
   <link href="/services/server/status/partitions-space" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/partitions-space" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

server/status/dispatch-artifacts

https://<host>:<mPort>/services/server/status/dispatch-artifacts

Access search job information.

GET

Get information about dispatched search jobs.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters
None

Returned values

Name	Description
count_realtime	Jobs active in the immediate past observation period, not including historical jobs.
count_scheduled	Jobs active in the immediate past observation period, not including real-time jobs.
count_summary	Jobs active in the immediate past observation period, not including non-summary jobs.
top_apps	Top 15 apps in the past observation period, inapp:count key-value pair format.
top_named_searches	Top 15 named searches in the past observation period, in savedSearchName:count key-value pair format.
top_users	Top 15 users in the past observation period, in username:count key-value pair format, with count as the number of app contexts for the user.
total_count	Number of dispatched search jobs since start-up.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/dispatch-artifacts

XML Response

...
<title>introspection--disk-objects--search-dispatch-artifacts</title>
 <id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
 <updated>2014-03-25T11:10:33-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/status/dispatch-artifacts/result</id>
   <updated>2014-03-25T11:10:33-07:00</updated>
   <link href="/services/server/status/dispatch-artifacts/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/dispatch-artifacts/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="count_realtime">0</s:key>
       <s:key name="count_scheduled">0</s:key>
       <s:key name="count_summary">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="top_apps"/>
       <s:key name="top_named_searches"/>
       <s:key name="top_users"/>
       <s:key name="total_count">0</s:key>
     </s:dict>
   </content>
 </entry>

server/status/fishbucket

https://<host>:<mPort>/services/server/status/fishbucket

Access information about the private BTree database.

GET

Access private BTree database information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters
None

Returned values

Name	Description
key_count	Number of file input records (keys) seen since start-up.
total_size	Total number of file input records (keys).

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/fishbucket

XML Response

...
 <title>introspection--disk-objects--fishbucket</title>
 <id>https://localhost:8089/services/server/status/fishbucket</id>
 <updated>2014-03-25T11:31:10-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>result</title>
   <id>https://localhost:8089/services/server/status/fishbucket/result</id>
   <updated>2014-03-25T11:31:10-07:00</updated>
   <link href="/services/server/status/fishbucket/result" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/fishbucket/result" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="key_count">0</s:key>
       <s:key name="total_size">0.000</s:key>
     </s:dict>
   </content>
 </entry>

server/status/installed-file-integrity

Check for system file irregularities.

https://<host>:<mPort>/services/server/status/installed-file-integrity

GET

Check file integrity status.

Usage details
The GET request returns cached results for an automatic check of all files installed with the currently running Splunk software version. The check compares currently installed files against the manifest file located in the $SPLUNK_HOME directory. Based on this comparison, the GET response shows an integrity status indicator for each installed file.

By default, this check runs at startup and results are cached when the check completes. The check takes a few minutes to run and results are available after it completes. The response indicates if initial results are not yet ready when the GET request is performed or if the check is disabled.

You can prompt a new check to run by passing in ?refresh=true with the GET request.

To disable the file integrity check, edit the installed_files_integrity setting in the limits.conf file.

Note: Changing or removing the manifest file prevents the check from working.

Request parameters

Name	Type	Description
refresh	Boolean	Set to `true` to perform a new file integrity check. Only one such check can be performed at a time.
regex_filter	PCRE regular expression	Specify a regular expression to filter results of the check. For example, use `regex_filter=\.conf$` to filter results for configuration files.

Returned values
For each installed file, one of the following integrity status indicators is returned.

Indicator	Description
<empty>	Indicates complete file integrity. No irregularities were found.
access_failed	The `splunkd` process does not have permissions to read the file.
differs	The installed file differs from the manifest file.
missing	The installed file was not found.
read_failed	The installed file comparison failed.
other_open_failed	A failure other than failure to access or read was encountered when trying to open the file.

Example request and response

XML Request

curl -k -u admin:changed https://localhost:8089/services/server/status/installed-file-integrity?refresh=true

XML Response
The following example is a portion of the response data. The full response lists all installed files and their integrity status.

...

<s:key name="/opt/splunktest/etc/system/README/inputs.conf.example">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/inputs.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/limits.conf.example">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/limits.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/messages.conf.example">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/props.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/savedsearches.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/server.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/user-prefs.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/README/web.conf.spec">differs</s:key>
<s:key name="/opt/splunktest/etc/system/bin/field_extractor.py">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/app.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/authorize.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/indexes.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/inputs.conf">differs</s:key>
<s:key name="/opt/splunktest/etc/system/default/limits.conf">differs</s:key>

...

server/status/limits/search-concurrency

https://<host>:<mPort>/services/server/status/limits/search-concurrency

Access search concurrency metrics for a standalone Splunk Enterprise instance.

GET

Get search concurrency limits for a standalone Splunk Enterprise instance.

Request parameters
None

Returned values

Name	Description
max_auto_summary_searches	Maximum number of auto summary searches.
max_hist_scheduled_searches	Maximum number of historical scheduled searches.
max_hist_searches	Maximum number of historical searches.
max_rt_scheduled_searches	Maximum number of scheduled searches.
max_rt_searches	Maximum number of real-time searches.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/limits/search-concurrency

XML Response

...
 <title>server-status-limits-concurrency</title>
 <id>https://localhost:8089/services/server/status/limits/search-concurrency</id>
 <updated>2014-03-25T11:40:16-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>search-concurrency</title>
   <id>https://localhost:8089/services/server/status/limits/search-concurrency/search-concurrency</id>
   <updated>2014-03-25T11:40:16-07:00</updated>
   <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="max_auto_summary_searches">2</s:key>
       <s:key name="max_hist_scheduled_searches">5</s:key>
       <s:key name="max_hist_searches">10</s:key>
       <s:key name="max_rt_scheduled_searches">5</s:key>
       <s:key name="max_rt_searches">10</s:key>
     </s:dict>
   </content>
 </entry>

server/status/partitions-space

https://<host>:<mPort>/services/server/status/partitions-space

Access disk utilization information for filesystems that have Splunk objects, such as indexes, volumes, and logs. A filesystem can span multiple physical disk partitions.

GET

Get disk utilization information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name	Description
capacity	Disk capacity (MB).
free	Disk free space (MB).
fs_type	File system type. Example values: Linux: ext2, ext3, ext4, qnx4 Solaris: ufs, zfs Windows: ntfs, fat32 AIX: jfs (not OS-specific) WORM: ISO9660, UDF13346 (not OS-specific); network-shared: SMB, CIFS, NFS (not OS-specific) Veritas: VxFS.
mount_point	Absolute path of the directory where this partition is mounted.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/partitions-space

XML Response

...
<title>introspection--disk-objects--partitions-space</title>
 <id>https://localhost:8089/services/server/status/partitions-space</id>
 <updated>2014-03-25T11:43:39-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>0</title>
   <id>https://localhost:8089/services/server/status/partitions-space/0</id>
   <updated>2014-03-25T11:43:39-07:00</updated>
   <link href="/services/server/status/partitions-space/0" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/partitions-space/0" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capacity">104901.000</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="free">7774.000</s:key>
       <s:key name="fs_type">ntfs</s:key>
       <s:key name="mount_point">C:\</s:key>
     </s:dict>
   </content>
 </entry>

server/status/resource-usage

https://<host>:<mPort>/services/server/status/resource-usage

Get current resource (CPU, RAM, VM, I/O, file handle) utilization for entire host, and per Splunk-related processes.

GET

Get resource utilization information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values
Returns a list of server/status/resource-usage/ endpoints.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage

XML Response

...
<title></title>
 <id>https://localhost:8089/services/server/status/resource-usage</id>
 <updated>2014-03-25T11:53:26-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <s:messages/>
 <entry>
   <title>hostwide</title>
   <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
   <updated>2014-03-25T11:53:26-07:00</updated>
   <link href="/services/server/status/resource-usage/hostwide" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/hostwide" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>
 <entry>
   <title>splunk-processes</title>
   <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
   <updated>2014-03-25T11:53:26-07:00</updated>
   <link href="/services/server/status/resource-usage/splunk-processes" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/splunk-processes" rel="list"/>
   <content type="text/xml">
     <s:dict/>
   </content>
 </entry>

server/status/resource-usage/hostwide

https://<host>:<mPort>/services/server/status/resource-usage/hostwide

Access host-level dynamic CPU utilization and paging information.

GET

Get host-level, dynamic CPU utilization and paging information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters

None

Returned values

Name	Description
cpu_arch	CPU architecture
cpu_count	CPU count
cpu_idle_pct	Percentage of time CPU is idle.
cpu_system_pct	Percentage of time CPU is running in system mode.
cpu_user_pct	Percentage of time CPU is running in user mode.
forks	Cumulative number of forked processes since OS startup.
mem	Total physical memory available (MB)
mem_used	Total physical memory used (MB). This value represents the amount of actual physical memory minus the amount of physical memory currently available. This is the amount of physical memory that can be immediately reused without having to first write its contents to disk. On Unix, mem_used = total_phys_ram - (free_mem + buffer_mem + cached_mem) On Windows, mem_used = (memoryStatus.ullTotalPhys - memoryStatus.ullAvailPhys) See GlobalMemoryStatusEx function for more information.
normalized_load_avg_1min	Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest.
os_build	Software build for the os_version
os_name	Operating system name
os_name_ext	Extended operating system name
os_version	Operating system version
pg_paged_out	Cumulative VM page count paged since OS startup. Not available on Windows.
pg_swapped_out	Cumulative pages swapped out since OS startup. Not available on Windows.
runnable_process_count	Number of process running or in the runnable queue. Value reported as 1 on Windows except for Vista+ and XP/Win2003 English-only operating systems.
splunk_version	Currently installed Splunk software version
swap	Amount of disk allocated to swap (fractional MB)
swap_used	Swap space currently in use (fractional MB)
virtual_cpu_count	Virtual CPU count

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/hostwide

XML Response

  <title>introspection--resource-usage--hostwide</title>
  <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
  <updated>2016-09-19T12:56:56-07:00</updated>
  <generator build="bf83e168dd2e" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/status/resource-usage/hostwide/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>result</title>
    <id>https://localhost:8089/services/server/status/resource-usage/hostwide/result</id>
    <updated>2016-09-19T12:56:56-07:00</updated>
    <link href="/services/server/status/resource-usage/hostwide/result" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/status/resource-usage/hostwide/result" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cpu_arch">x86_64</s:key>
        <s:key name="cpu_count">4</s:key>
        <s:key name="cpu_idle_pct">99.37</s:key>
        <s:key name="cpu_system_pct">0.25</s:key>
        <s:key name="cpu_user_pct">0.38</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="forks">16462040</s:key>
        <s:key name="instance_guid">88F85972-368E-45F8-A123-FDB14AE9701E</s:key>
        <s:key name="mem">7872.781</s:key>
        <s:key name="mem_used">929.883</s:key>
        <s:key name="normalized_load_avg_1min">0.00</s:key>
        <s:key name="os_build">#1 SMP Fri Aug 24 01:07:11 UTC 2012</s:key>
        <s:key name="os_name">Linux</s:key>
        <s:key name="os_name_ext">Linux</s:key>
        <s:key name="os_version">2.6.32-279.5.2.el6.x86_64</s:key>
        <s:key name="pg_paged_out">732923572</s:key>
        <s:key name="pg_swapped_out">0</s:key>
        <s:key name="runnable_process_count">1</s:key>
        <s:key name="splunk_version">6.5.0</s:key>
        <s:key name="swap">4031.992</s:key>
        <s:key name="swap_used">0.000</s:key>
        <s:key name="virtual_cpu_count">4</s:key>
      </s:dict>
    </content>
  </entry>

server/status/resource-usage/iostats

https://<host>:<mPort>/services/server/status/resource-usage/iostats

Access the most recent disk I/O statistics for each disk. This endpoint is currently supported for Linux, Windows, and Solaris. By default this endpoint is updated every 60s seconds.

GET

Get disk I/O statistics.

Request parameters
None

Returned values

Name	Description
avg_service_ms	Average time requests caused the CPU to be in use, in milliseconds.
avg_total_ms	Average queue + execution time for requests to be completed, in milliseconds.
cpu_pct	Percentage of time the CPU was servicing requests.
device	Device name (e.g., as listed under /dev on UNIX).
fs_type	Mounted device file system type.
interval	Interval over which sampling occurred, in seconds.
mount_point	Mount point(s) of the underlying device.
reads_kb_ps	Total number of kb read per second.
reads_ps	Number of read requests per second.
writes_kb_ps	Total number of kb written per second.
writes_ps	Number of write requests per second.

Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/server/status/resource-usage/iostats

XML Response

...
<title>introspection--resource-usage--iostats</title>
  <id>https://localhost:8089/services/server/status/resource-usage/iostats</id>
  <updated>2015-09-11T14:10:45-04:00</updated>
  <generator build="78167cb4239c44472aa42425ebc83481b2d83433" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/status/resource-usage/iostats/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>0</title>
    <id>https://localhost:8089/services/server/status/resource-usage/iostats/0</id>
    <updated>2015-09-11T14:10:45-04:00</updated>
    <link href="/services/server/status/resource-usage/iostats/0" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/status/resource-usage/iostats/0" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="avg_service_ms">0.142</s:key>
        <s:key name="avg_total_ms">4.110</s:key>
        <s:key name="cpu_pct">0.05</s:key>
        <s:key name="device">dm-1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="fs_type">xfs</s:key>
        <s:key name="interval">60</s:key>
        <s:key name="mount_point">/</s:key>
        <s:key name="reads_kb_ps">0.000</s:key>
        <s:key name="reads_ps">0.000</s:key>
        <s:key name="writes_kb_ps">43.050</s:key>
        <s:key name="writes_ps">3.633</s:key>
      </s:dict>
    </content>
  </entry>

server/status/resource-usage/splunk-processes

https://<host>:<mPort>/services/server/status/resource-usage/splunk-processes

Access operating system resource utilization information.

GET

Get process operating system resource utilization information.

Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.

[introspection:generator:disk_objects]
collectionPeriodInSecs = 600

The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.

Request parameters
None

Returned values

Name	Description
args	Non-search process arguments.
cpu_system_time	Cumulative time this process has spent executing in kernel (incl. system calls). Extra field.
cpu_user_time	Cumulative time this process has spent executing in user space (incl. library functions). Extra field.
elapsed	Elapsed wall time, accurate to within the collection period.
fd_used	Number of currently open files used by this process.
label	Human-readable label for the saved search.
mem_unshared_data_used	Amount of heap and stack used. Not available on Windows. Extra field.
mem_used	Current amount of resident physical memory used (MB). (Usually far less deceiving than virtual memory because operating systems can be liberal with virtual memory size but never with resident memory size.) On Windows, mem_used is obtained by reading the `WorkingSetSize` property returned by the `GetProcessMemoryInfo()` function (see GetProcessMemoryInfo function and PROCESS_MEMORY_COUNTERS structure).
normalized_pct_cpu	Percentage of CPU usage across all cores. `100%` is equivalent to all CPU resources on the machine.
page_faults	Number of major page faults. Extra field.
pct_cpu	Percentage of CPU usage, relative to one core. `100%` is equivalent to 1 core.
pct_memory	Percentage of physical memory used hostwide ((mem_used/available_host_memory) * 100).
pid	Process ID.
ppid	Parent process ID. Not available for all processes.
process	Process name. The `.exe` suffix is stripped on Windows operating systems.
read_mb	Amount of data read (MB), excluding cache reads.
search_head	Dispatching search head for processes running saved searches.
search_props	Search properties map of the following key value pairs. `acceleration_id`: Acceleration ID `app`: App name `mode`: One of the following search modes. `historical` `historical batch` `RT` `RT indexed` `provenance`: One of the following search sources. `cli` `rest` `ui:<App>:<View>` `role`: Splunk Enterprise platform role. Either `head` or `peer`. `scan_count`: Event scan count for running process. Available only in Linux systems. This property is offered experimentally and might be changed or removed in a future release. `delta_scan_count`: Delta event scan count for running process. Available only in Linux systems. This property is offered experimentally and might be changed or removed in a future release. `sid`: Search ID (SID). `type`: One of the following search types. `ad-hoc` `datamodel acceleration` `other` `report acceleration` `scheduled` `summary indexing` `user`: Splunk username who initiated the search
status	Status from the OS scheduler. Can be R (runnable or running), W (waiting), stopped, Z (zombie), or O (other). W includes voluntary sleep or blocking on I/O. O means status is knowable but does not fit into one of those categories. Not available on Windows.
t_count	Current number of threads.
written_mb	Amount of data written (MB), excluding canceled writes.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/splunk-processes/0

XML Response

<title>introspection--resource-usage--splunk-processes</title>
 <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
 <updated>2014-03-26T13:35:52-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
    ... opensearch elements elided ...
 <s:messages/>
 <entry>
   <title>0</title>
   <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes/0</id>
   <updated>2014-03-26T13:35:52-07:00</updated>
   <link href="/services/server/status/resource-usage/splunk-processes/0" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/server/status/resource-usage/splunk-processes/0" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="args"> instrument-resource-usage</s:key>
       <s:key name="eai:acl">
           ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="elapsed">619262.3610</s:key>
       <s:key name="mem_used">15.762</s:key>
       <s:key name="page_faults">12001684</s:key>
       <s:key name="pct_memory">0.40</s:key>
       <s:key name="pid">4256</s:key>
       <s:key name="ppid">2476</s:key>
       <s:key name="process">splunkd</s:key>
       <s:key name="t_count">4</s:key>
     </s:dict>
   </content>
 </entry>

server/sysinfo

https://<host>:<mPort>/services/server/sysinfo

Exposes relevant information about the resources and OS settings of the machine where Splunk Enterprise is running.

Usage details
This endpoint provides status information for the server where the current Splunk instance is running. The GET request response includes Kernel Transparent Huge Pages (THP) and ulimit status.

Note: Some properties returned by this endpoint are also returned by server/info. However, the server/info endpoint is meant to provide information on the currently running Splunk instance and not the machine where the instance is running. Server status values returned by server/info should be considered deprecated and might not continue to be accessible from this endpoint. Use the server/sysinfo endpoint for server information instead.

GET

Access server details.

Request parameters
None.

Returned values

Name	Description
cpu_arch	Server CPU architecture.
numberOfCores	Number of server processor cores. Not applicable if host is a VM guest. A value of `0` is returned if the number cannot be accessed and the access failure reason is logged to `splunkd.log`.
numberOfVirtualCores	Number of server virtual cores.
os_build	Software build for the server os_version.
os_name	Server operating system name.
os_name_extended	Server operating system name.
os_version	Server operating system version.
physicalMemoryMB	Server physical memory (MB). The same value is returned as the `mem` field from `server/status/resource-usage/hostwide`. A value of `0` is returned if the number cannot be accessed and the access failure reason is logged to `splunkd.log`.
transparent_hugepages	For Linux systems, includes the following THP status indicators. `defrag` `effective_state` `enabled` For non-Linux systems, `effective_state` is set to `ok`
ulimits	On all UNIX systems, lists settings for the following `ulimits` in place on `splunkd` at runtime. `core_file_size` `cpu_time` `data_file_size` `data_segment_size` `nice` `open_files` `resident_memory_size` `stack_size` `user_processes` `virtual_address_space_size`

Example request and response

XML Request

curl -k -u admin:changed https://localhost:8089/services/server/sysinfo

XML Response

...
  <title>system-info</title>
  <id>https://localhost:8089/services/server/sysinfo</id>
  <updated>2016-09-08T15:28:11-07:00</updated>
  <generator build="19e4b5854495" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/server/sysinfo/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>system-info</title>
    <id>https://localhost:8089/services/server/sysinfo/system-info</id>
    <updated>2016-09-08T15:28:11-07:00</updated>
    <link href="/services/server/sysinfo/system-info" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/sysinfo/system-info" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cpu_arch">x86_64</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="numberOfCores">8</s:key>
        <s:key name="numberOfVirtualCores">8</s:key>
        <s:key name="os_build">#1 SMP Thu Feb 9 12:45:44 EST 2012</s:key>
        <s:key name="os_name">Linux</s:key>
        <s:key name="os_name_extended">Linux</s:key>
        <s:key name="os_version">2.6.18-274.18.1.el5</s:key>
        <s:key name="physicalMemoryMB">7982</s:key>
        <s:key name="transparent_hugepages">
          <s:dict>
            <s:key name="defrag"></s:key>
            <s:key name="effective_state">ok</s:key>
            <s:key name="enabled"></s:key>
          </s:dict>
        </s:key>
        <s:key name="ulimits">
          <s:dict>
            <s:key name="core_file_size">0</s:key>
            <s:key name="cpu_time">-1</s:key>
            <s:key name="data_file_size">-1</s:key>
            <s:key name="data_segment_size">-1</s:key>
            <s:key name="nice">0</s:key>
            <s:key name="open_files">1024</s:key>
            <s:key name="resident_memory_size">-1</s:key>
            <s:key name="stack_size">10485760</s:key>
            <s:key name="user_processes">73728</s:key>
            <s:key name="virtual_address_space_size">-1</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

services/saved/bookmarks/monitoring_console

https://<host>:<mPort>/services/saved/bookmarks/monitoring_console

Add URLs that link to monitoring consoles of your other deployments. For example, if you're admin overseeing multiple separate Splunk deployments for different teams.

GET

List deployment bookmarks.

Request parameters

Optional request parameters:

Name	Type	Description
count	Number	Number of bookmark URLs to list.
offset	Number	Lists bookmark URLs, offset from the first bookmark.
search	String	Items to search for, must be valid as SPL.
sort_dir	Enum	asc or desc; ascending or descending
sort_key	String	Key to sort on, must be existing key in the stanza

Returned values
None

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/saved/bookmarks/monitoring_console

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>bookmarks-mc</title>
  <id>https://qa-ubuntu-022:8089/services/saved/bookmarks/monitoring_console</id>
  <updated>2019-10-13T16:47:42-07:00</updated>
  <generator build="324da9f5a506" version="8.0.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/>
  <link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/>
  <link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>deployment-2</title>
    <id>https://qa-ubuntu-022:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>deployment-3</title>
    <id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="list"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="edit"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="remove"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="url">https://deployment-3-host:8000/en-US/app/splunk_monitoring_console</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST

Add deployment bookmark URLs.

Request parameters

Name	Type	Description
name	String	Name of the deployment bookmark.
url	string	Full URL to the monitoring console of a different Splunk deployment.

Returned values
None

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/saved/bookmarks/monitoring_console -d name=deployment-2 -d url=https://deployment-2-host:8000/en-US/app/splunk_monitoring_console

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>bookmarks-mc</title>
  <id>https://localhost:8089/services/saved/bookmarks/monitoring_console</id>
  <updated>2019-10-13T16:16:38-07:00</updated>
  <generator build="324da9f5a506" version="8.0.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/>
  <link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/>
  <link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>deployment-2</title>
    <id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

DELETE

Remove deployment bookmark URLs.

Request parameters

None

Returned values
None

Example request and response

XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/saved/bookmarks/monitoring_console/{name}

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>bookmarks-mc</title>
  <id>https://localhost:8089/services/saved/bookmarks/monitoring_console</id>
  <updated>2019-10-13T16:25:38-07:00</updated>
  <generator build="324da9f5a506" version="8.0.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/>
  <link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/>
  <link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>deployment-2</title>
    <id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/>
    <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

Related answers from Splunk Community

Introspection endpoint descriptions

Usage details

Review ACL information for an endpoint

Authentication and Authorization

App and user context

Splunk Cloud limitations

data/index-volumes

GET

data/index-volumes/{name}

GET

data/indexes

GET

POST

data/indexes/{name}

DELETE

GET

POST

data/indexes-extended

GET

data/indexes-extended/{name}

GET

data/summaries

GET

data/summaries/{summary_name}

GET

server/health/deployment

GET

server/health/deployment/details

GET

server/health/splunkd

GET

server/health/splunkd/details

GET

server/health-config

GET

server/health-config/{alert_action}

POST

server/health-config/{feature_name}

POST

server/info

GET

server/introspection

GET

server/introspection/indexer

GET

server/introspection/kvstore

GET

server/introspection/kvstore/collectionstats

GET

server/introspection/kvstore/replicasetstats

GET

server/introspection/kvstore/serverstatus

GET

server/introspection/search/dispatch

GET