Splunk® Enterprise

REST API Reference Manual

This documentation does not apply to the most recent version of Splunk.

Access endpoint descriptions

Access and manage user credentials.

Usage details

Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization
Username and password authentication is required for most endpoints and REST operations. Additional capability or role-based authorization may also be required, particularly for POST or DELETE operations.

Capabilities for roles vary between Splunk Enterprise and Splunk Cloud. Splunk Cloud users with the sc_admin role can navigate to Settings > Access controls to view capabilities for roles.


LDAP REST API usage details

Splunk Enterprise users can configure LDAP user authentication using the REST API. If you are using Splunk Cloud, contact Support for assistance with setting up LDAP authentication.

LDAP user authentication lets you specify configurations, user groups, and group to role mappings to manage permissions in your Splunk deployment.

You can use the LDAP REST API for the following LDAP management tasks.

  • Configure an LDAP strategy for a server in your deployment.
  • Map LDAP groups to user roles in a server to manage group permissions.
  • Enable or disable an LDAP strategy.

To learn more about using LDAP authentication, see Set up user authentication with LDAP in Securing Splunk Enterprise.

admin/LDAP-groups

https://<host>:<mPort>/services/admin/LDAP-groups

Access and update LDAP group to role mappings.

Authentication and authorization
Requires the change_authentication capability for access.


GET

Access LDAP group mappings.

Request parameters

If you are passing in a strategy name with an LDAP group name, they must be comma separated.

Name       Description
strategy   LDAP strategy name
LDAPgroup  LDAP group name

Returned values
For each group, the following values are returned in the response.

Name      Description
roles     Roles mapped to this group
strategy  Strategy name
type      Group type
users     List of users in this group


Example request and response

curl -u admin:changeme -X GET -k https://localhost:8089/services/admin/LDAP-groups/
...
  <title>LDAP-groups</title>
  <id>https://localhost:8089/services/admin/LDAP-groups</id>
  <updated>2016-11-10T13:04:02-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/LDAP-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>20</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Abc123-Admin</title>
    <id>https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin</id>
    <updated>2016-11-10T13:04:02-08:00</updated>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="list"/>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list/>
        </s:key>
        <s:key name="strategy">ActiveDirectory_New</s:key>
        <s:key name="type">static</s:key>
        <s:key name="users">
          <s:list>
            <s:item>CN=Abc123 CI,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 1 User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 2. User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>

POST

Create an LDAP group.


Request parameters
Append the group name to the LDAP-groups/ endpoint. Pass in a strategy name using comma separation. For example, this POST creates the ActiveDirectory_New strategy and specifies the Abc123 group name.

  curl -k -u admin:password -X POST \
  https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New,Abc123-Admin -d roles=user

Name       Description
strategy   Required. LDAP strategy name
LDAPgroup  Required. LDAP group name


Returned values

Name      Description
roles     Roles mapped to this group.
strategy  Strategy name
type      Group type
users     List of users in this group.


Example request and response


curl -k -u admin:password -X POST https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New,Abc123-Admin -d roles=user

.
.
.
    <title>Abc123-Admin</title>
    <id>https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin</id>
    <updated>2016-11-10T13:07:28-08:00</updated>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="list"/>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
        <s:key name="strategy">ActiveDirectory_New</s:key>
        <s:key name="type">static</s:key>
        <s:key name="users">
          <s:list>
            <s:item>CN=Abc123 CI,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 1 User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 2. User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
.
.
.



authentication/LDAP-auth

https://<host>:<mPort>/services/authentication/LDAP-auth

Access or create LDAP authentication strategies on a server in your deployment.

Authentication and authorization
Requires the change_auth capability for access.

GET

Access LDAP configuration strategies.

Request parameters

Name      Description
strategy  Name of LDAP configuration strategy

Returned values
The response lists LDAP strategy settings.

See LDAP settings in authentication.conf for strategy settings information.

Example request and response

curl -k -u admin:password https://localhost:8089/services/authentication/LDAP-auth/
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>LDAP-auth</title>
  <id>https://localhost:8089/services/authentication/LDAP-auth</id>
  <updated>2016-11-09T16:14:07-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/LDAP-auth/_new" rel="create"/>
  <link href="/services/authentication/LDAP-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>my_strategy</title>
    <id>https://localhost:8089/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy</id>
    <updated>2016-11-09T16:14:07-08:00</updated>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="list"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="edit"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="remove"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="anonymous_referrals">1</s:key>
        <s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="charset">utf8</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="emailAttribute">mail</s:key>
        <s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="groupMappingAttribute">dn</s:key>
        <s:key name="groupMemberAttribute">sn</s:key>
        <s:key name="groupNameAttribute">sn</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="nestedGroups">0</s:key>
        <s:key name="network_timeout">20</s:key>
        <s:key name="order">1</s:key>
        <s:key name="port">389</s:key>
        <s:key name="realNameAttribute">sn</s:key>
        <s:key name="sizelimit">1000</s:key>
        <s:key name="timelimit">15</s:key>
        <s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="userNameAttribute">sn</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
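
As an added example (not part of the Splunk documentation), the following Python code parses an LDAP-auth feed in the format shown above and reports enabled strategies that bind without SSL or whose eai:acl grants write to all roles. The feed is a constructed sample; hardened_strategy and ldap.example.test are invented for contrast, and treating a missing disabled key as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample: the first entry is trimmed from the response above; the
# second entry (hardened_strategy, ldap.example.test) is invented for contrast.
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>my_strategy</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl"><s:dict><s:key name="perms"><s:dict>
          <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
          <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
        </s:dict></s:key></s:dict></s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="port">389</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>hardened_strategy</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">1</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl"><s:dict><s:key name="perms"><s:dict>
          <s:key name="read"><s:list><s:item>admin</s:item></s:list></s:key>
          <s:key name="write"><s:list><s:item>admin</s:item></s:list></s:key>
        </s:dict></s:key></s:dict></s:key>
        <s:key name="host">ldap.example.test</s:key>
        <s:key name="port">636</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _settings(entry):
    """Top-level scalar settings of one <entry> (nested dicts/lists skipped)."""
    top = entry.find("atom:content/s:dict", NS)
    return {key.get("name"): (key.text or "").strip()
            for key in top.findall("s:key", NS) if len(key) == 0}


def _acl_roles(entry, perm):
    """Roles listed under eai:acl/perms/<perm>, where perm is 'read' or 'write'."""
    path = ("atom:content/s:dict/s:key[@name='eai:acl']/s:dict"
            "/s:key[@name='perms']/s:dict/s:key[@name='%s']/s:list/s:item" % perm)
    return [item.text for item in entry.findall(path, NS)]


def audit_strategies(feed_xml):
    """Return sorted (strategy, finding) tuples for every enabled strategy."""
    findings = []
    for entry in ET.fromstring(feed_xml).findall("atom:entry", NS):
        name = entry.findtext("atom:title", default="?", namespaces=NS)
        cfg = _settings(entry)
        # Assumption: a strategy without a "disabled" key is treated as enabled.
        if cfg.get("disabled", "0") == "1":
            continue
        target = "%s:%s" % (cfg.get("host", "?"), cfg.get("port", "?"))
        if cfg.get("SSLEnabled", "0") != "1":
            findings.append((name, "SSLEnabled=0: binds to %s are not encrypted" % target))
        if "*" in _acl_roles(entry, "write"):
            findings.append((name, "eai:acl write permission is '*' (all roles)"))
    return sorted(findings)


if __name__ == "__main__":
    for strategy, finding in audit_strategies(SAMPLE_FEED):
        print("%s: %s" % (strategy, finding))
```

To audit a live server, save the output of the GET request above to a file and pass its contents to audit_strategies.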

POST

Create an LDAP strategy.

Usage details
Use the following endpoints to enable or disable an LDAP strategy after you create it.

  • services/authentication/LDAP-auth/{LDAP_strategy_name}/enable
  • services/authentication/LDAP-auth/{LDAP_strategy_name}/disable

Request parameters
See LDAP settings in authentication.conf for required and optional settings information.

Returned values
None.

Example request and response

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/LDAP-auth/ -d name=my_strategy -d groupBaseDN="CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com" -d groupMemberAttribute=sn -d groupNameAttribute=sn -d host=1.1.1.1 -d realNameAttribute=sn -d userBaseDN="OU=SAML Test,DC=qa,DC=ab2008e2,DC=com" -d userNameAttribute=sn -d bindDN="CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com" -d bindDNpassword=password

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>LDAP-auth</title>
  <id>https://localhost:8089/services/authentication/LDAP-auth</id>
  <updated>2016-11-09T16:20:14-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/LDAP-auth/_new" rel="create"/>
  <link href="/services/authentication/LDAP-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Successfully performed a bind to the LDAP server</s:msg>
    <s:msg type="WARN">Failed to find the email attribute 'mail' in a returned user entry.</s:msg>
  </s:messages>
  <entry>
    <title>my_strategy</title>
    <id>https://localhost:8089/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy</id>
    <updated>2016-11-09T16:20:14-08:00</updated>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="list"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="edit"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="remove"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="anonymous_referrals">1</s:key>
        <s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="charset">utf8</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="emailAttribute">mail</s:key>
        <s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="groupMappingAttribute">dn</s:key>
        <s:key name="groupMemberAttribute">sn</s:key>
        <s:key name="groupNameAttribute">sn</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="nestedGroups">0</s:key>
        <s:key name="network_timeout">20</s:key>
        <s:key name="order">1</s:key>
        <s:key name="port">389</s:key>
        <s:key name="realNameAttribute">sn</s:key>
        <s:key name="sizelimit">1000</s:key>
        <s:key name="timelimit">15</s:key>
        <s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ab2008e2,DC=com</s:key>
        <s:key name="userNameAttribute">sn</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



authentication/LDAP-auth/{LDAP_strategy_name}

https://<host>:<mPort>/services/authentication/LDAP-auth/{LDAP_strategy_name}

Access, update, or delete the {LDAP_strategy_name} strategy.

Authentication and authorization
Requires the change_auth capability for access.

GET

Access an existing LDAP strategy.

Usage details
Use the following endpoints to enable or disable the {LDAP_strategy_name} strategy.

  • services/authentication/LDAP-auth/my_strategy/enable
  • services/authentication/LDAP-auth/my_strategy/disable


Request parameters
None.

Returned values
See LDAP settings in authentication.conf for strategy settings information.

Example request and response

curl -k -u admin:password https://localhost:8089/services/authentication/LDAP-auth/my_strategy
.
.
.
  <entry>
    <title>my_strategy</title>
    <id>https://localhost:8089/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy</id>
    <updated>2016-11-09T16:14:07-08:00</updated>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="list"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="edit"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="remove"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="anonymous_referrals">1</s:key>
        <s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="charset">utf8</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="emailAttribute">mail</s:key>
        <s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="groupMappingAttribute">dn</s:key>
        <s:key name="groupMemberAttribute">sn</s:key>
        <s:key name="groupNameAttribute">sn</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="nestedGroups">0</s:key>
        <s:key name="network_timeout">20</s:key>
        <s:key name="order">1</s:key>
        <s:key name="port">389</s:key>
        <s:key name="realNameAttribute">sn</s:key>
        <s:key name="sizelimit">1000</s:key>
        <s:key name="timelimit">15</s:key>
        <s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="userNameAttribute">sn</s:key>
      </s:dict>
    </content>
  </entry>
.
.
.

POST

Update an existing LDAP strategy.

Request parameters and returned values
See LDAP settings in authentication.conf for strategy settings information.

Example request and response

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/LDAP-auth/my_strategy -d port=390
  <entry>
    <title>my_strategy</title>
    <id>https://localhost:8089/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy</id>
    <updated>2016-11-09T16:14:07-08:00</updated>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="list"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="edit"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy" rel="remove"/>
    <link href="/servicesNS/nobody/system/authentication/LDAP-auth/my_strategy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="anonymous_referrals">1</s:key>
        <s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="charset">utf8</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="emailAttribute">mail</s:key>
        <s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="groupMappingAttribute">dn</s:key>
        <s:key name="groupMemberAttribute">sn</s:key>
        <s:key name="groupNameAttribute">sn</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="nestedGroups">0</s:key>
        <s:key name="network_timeout">20</s:key>
        <s:key name="order">1</s:key>
        <s:key name="port">390</s:key>
        <s:key name="realNameAttribute">sn</s:key>
        <s:key name="sizelimit">1000</s:key>
        <s:key name="timelimit">15</s:key>
        <s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="userNameAttribute">sn</s:key>
      </s:dict>
    </content>
  </entry>
.
.
.

DELETE

Delete an existing LDAP strategy.

Request parameters
None

Returned values
None

Example request and response

curl -k -u admin:password -X DELETE https://localhost:8089/services/authentication/LDAP-auth/my_strategy
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>LDAP-auth</title>
  <id>https://ronnie:8132/services/authentication/LDAP-auth</id>
  <updated>2016-11-09T16:18:37-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/LDAP-auth/_new" rel="create"/>
  <link href="/services/authentication/LDAP-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>



authentication/LDAP-auth/{LDAP_strategy_name}/enable

https://<host>:<mPort>/services/authentication/LDAP-auth/{LDAP_strategy_name}/enable


GET

Enable the {LDAP_strategy_name} LDAP strategy.

Request parameters
None

Returned values
None

Example request

curl -k -u admin:password https://localhost:8089/services/authentication/LDAP-auth/my_strategy/enable

authentication/LDAP-auth/{LDAP_strategy_name}/disable

https://<host>:<mPort>/services/authentication/LDAP-auth/{LDAP_strategy_name}/disable


GET

Disable the {LDAP_strategy_name} LDAP strategy.

Request parameters
None

Returned values
None

Example request

curl -k -u admin:password https://localhost:8089/services/authentication/LDAP-auth/my_strategy/disable

admin/SAML-groups

https://<host>:<mPort>/services/admin/SAML-groups

Manage the mapping of external groups in an IdP response to internal Splunk platform roles.

Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access internal roles for this external group.


Request parameters
None.

Response keys

Name   Description
roles  Corresponding internal role for the external group.


Example request and response


XML Request

curl -k -u admin:password https://localhost:8089/services/admin/SAML-groups

XML Response

<title>SAML-groups</title>
  <id>https://localhost:8089/services/admin/SAML-groups</id>
  <updated>2015-11-07T18:00:05-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b544" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-groups/_new" rel="create"/>
  <link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>4</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>admin</title>
    <id>https://localhost:8089/services/admin/SAML-groups/admin</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/admin" rel="list"/>
    <link href="/services/admin/SAML-groups/admin" rel="edit"/>
    <link href="/services/admin/SAML-groups/admin" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>sc_admin</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>employee</title>
    <id>https://localhost:8089/services/admin/SAML-groups/employee</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/employee" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/employee" rel="list"/>
    <link href="/services/admin/SAML-groups/employee" rel="edit"/>
    <link href="/services/admin/SAML-groups/employee" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>power admin</title>
    <id>https://localhost:8089/services/admin/SAML-groups/power%20admin</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/power%20admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/power%20admin" rel="list"/>
    <link href="/services/admin/SAML-groups/power%20admin" rel="edit"/>
    <link href="/services/admin/SAML-groups/power%20admin" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>user admin</title>
    <id>https://localhost:8089/services/admin/SAML-groups/user%20admin</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/user%20admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/user%20admin" rel="list"/>
    <link href="/services/admin/SAML-groups/user%20admin" rel="edit"/>
    <link href="/services/admin/SAML-groups/user%20admin" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>


POST

Convert an external group to internal roles.


Request parameters

Name Type Description
name String External group name.
roles String Equivalent internal role for the group.

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/admin/SAML-groups -d name=Splunk -d roles=user

XML Response

  <title>SAML-groups</title>
  <id>https://localhost:8089/services/admin/SAML-groups</id>
  <updated>2015-11-07T18:04:56-08:00</updated>
  <generator build="05ee6658a1d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-groups/_new" rel="create"/>
  <link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

admin/SAML-groups/{group_name}

https://<host>:<mPort>/services/admin/SAML-groups/{group_name}

Delete the {group_name} group.

Authentication and authorization
Requires change_authentication capability for all operations.


DELETE

Delete the {group_name} group.

Request parameters
None

Response keys
None

Example request and response

XML Request

curl -k -u admin:password --request DELETE https://localhost:8089/services/admin/SAML-groups/group_to_delete

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>SAML-groups</title>
  <id>https://localhost:8089/services/admin/SAML-groups</id>
  <updated>2015-11-07T18:04:25-08:00</updated>
  <generator build="05ee6658a12a17d11f47133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-groups/_new" rel="create"/>
  <link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

admin/SAML-idp-metadata

https://<host>:<mPort>/services/admin/SAML-idp-metadata

Access IdP SAML metadata attributes.


Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access SAML user and role information for saved searches.

Request parameters

| Name | Type | Description |
|------|------|-------------|
| idpMetadataFile | File path. See description. | Full path of the metadata file location. File should be local to splunkd server. |

Response keys

Name Description
idpMetadataPayload SAML IdP metadata in XML format.

Example request and response


XML Request

curl -k -u admin:changeme  https://localhost:8089/services/admin/SAML-idp-metadata

XML Response

<title>SAML-idp-metadata</title>
  <id>https://localhost:8089/services/admin/SAML-idp-metadata</id>
  <updated>2015-11-07T18:34:07-08:00</updated>
  <generator build="05ee6658a12a17d11f47076h3453ffdd50ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-idp-metadata/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>idpMetadataPayload</title>
    <id>https://localhost:8089/services/admin/SAML-idp-metadata/idpMetadataPayload</id>
    <updated>2015-11-07T18:34:07-08:00</updated>
    <link href="/services/admin/SAML-idp-metadata/idpMetadataPayload" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-idp-metadata/idpMetadataPayload" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="idpCertificatePayload"><![CDATA[MIIDpjCCAo6gAwIBAgIGAU7gBZ6oMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcrterye444uIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC3NwbHVua3Rlc3QxMRwwGgYJKoZIhvcNAQkB
Fg1pbmZvQG9rdGEuY29tMB4XDTE1MDczMDE3MzEyMVoXDTQ1MDczMDE3MzIyMVowgZMxCzAJBgNV
BAYTAlnJhbmNpc2NvMQ0wCwYD
VQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLc3BsdW5rdGVzdDExHDAa
BgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCQS0Zh/PCBRsbHkJhi6RtGSkEzFjPZyPyFr2ND9KysDf4WRgMiklOBdrlM/++BJkqPCTYFbt/L
ZXnVqo7v9wJ538MrTp6o1iBi52zhpDnqAoOIrlSaB0PbbQVd/oz49YbEW6/ThsAMHdIyz3/CSqEM
o6oD7GiQzoGH4jidhx1Gjgmfk2OdkKAnWQDmZGKAMHJQXtjfrUK3y0H5j2tla9iIPLUVDyopzWNa
o8TKw68iWDZs9ZGrwu9ptF4fpjiaslkWp3oyO1FmAencabXMddFZ7HgVziI2TjbExNa+bzS9SUhY
gZlf2meD/ib2ul6HVFKlVM0IJA56qWGImiJRzGj1AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAC+I
566v40xTMhFjTlF3sRGjbXQDnJGXcuF1GFkAp/IEmdo
7mawu7Z7qcHb2BcQiVViuHY5ON2O/gbz5ggDipc803JMD7dTtFxDthfZgvN1tE/nPNgx2QAKCADw
FkhYwAf6R7zV1VvyRfUzmbbl6V9JZh7Mju0vFsVJUsGhsAqJfZWQ+QckedB/NIpr9OxBu4IYgMZ4
gbV4yQ+FaICBh/vpqrtp5KmIIp63gXuV+Lh71NW0dj8oty3JpJmjZEdwXPjBKp5Xx94KHiA7Esyh
+7Zk/NK0PJTvlTrsyk+UIeSJZE473SdxI7A=]]></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpSLOUrl">https://test.example.com/app/example/exk4nkqqsypk32FMF0h7/slo/saml</s:key>
            <s:key name="idpSSOUrl">https://test.example.com/app/example/exk4nkqqsypk32FMF0h7/sso/saml</s:key>
          </s:dict>
        </s:key>
        <s:key name="signAuthnRequest">1</s:key>
      </s:dict>
    </content>
  </entry>

admin/SAML-sp-metadata

https://<host>:<mPort>/services/admin/SAML-sp-metadata

Access service provider SAML metadata attributes.


Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access SAML metadata attributes.

Request parameters
None.

Response keys

Name Description
spMetadataPayload SAML service provider metadata in XML format.

Example request and response


XML Request

curl -k -u admin:changeme  https://localhost:8089/services/admin/SAML-sp-metadata

XML Response


  <title>SAML-sp-metadata</title>
  <id>https://localhost:8089/services/admin/SAML-sp-metadata</id>
  <updated>2015-12-16T13:47:39-08:00</updated>
  <generator build="d48f9f793521" version="6.4.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-sp-metadata/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>spMetadata</title>
    <id>https://localhost:8089/services/admin/SAML-sp-metadata/spMetadata</id>
    <updated>2015-12-16T13:47:39-08:00</updated>
    <link href="/services/admin/SAML-sp-metadata/spMetadata" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-sp-metadata/spMetadata" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="spMetadata"><![CDATA[<md:EntityDescriptor entityID="splunkEntityId"  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"  AuthnRequestsSigned="true"  WantAssertionsSigned="true">  <md:KeyDescriptor>  <ds:KeyInfo>  <ds:X509Data>  <ds:X509Certificate>
MIICLTCCAZYCCQDCCiSo4+bLSzANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xNTA3MjgxNjMzNDNaFw0xODA3MjcxNjMz
NDNaMDcxIDAeBgNVBAMMF1NwbHVerTRer55ZlckRlZmF1bHRDZXJ0MRMwEQYDVQQK
DApTcGx1bmtVc2VyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmxUfArn3l
Pxn24lBl1pWDFg5VCB/f8IS7MlEFPJiepioAli+yE7exlzD0wRniw2Akiyg1Kbt9
zNe1z9Dxi1fEOailFaV5ryENabYgYJFJonZKWucNvWzde50Cn4fm1nNqVSZOH90F
9zTGCD7Kkem0hIqx506TI2C2dKP+cJWeWwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
ADy75DKIegJo2ALOZsckvrllqGZ2+g/xBupuRBDBSRp9vs3VqN+wB39uDtMzXlZ1
u0J5OhPVMdqO0RJuYzZmFpAhCX4hFfsNeazfFzSK/DQCURvfYG4pZit3P8gJ6uDv
3OxcDGUorMNlGRRO61UAkrLUywE44MMs1jgidDw2QlMY
</ds:X509Certificate>  </ds:X509Data>  </ds:KeyInfo>  </md:KeyDescriptor>  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> <md:SingleLogoutService  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  Location="http://example-unix-58667/saml/logout"  index="0">  </md:SingleLogoutService>  <md:AssertionConsumerService  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  Location="http://example-unix-58667/saml/acs"  index="0">  </md:AssertionConsumerService>  </md:SPSSODescriptor> </md:EntityDescriptor> ]]></s:key>
      </s:dict>
    </content>
  </entry>

admin/SAML-user-role-map

https://<host>:<mPort>/services/admin/SAML-user-role-map

Description

Access or create SAML user and role information for saved searches if your IdP does not support Attribute Query Requests. To delete a username, see admin/SAML-user-role-map/{name}.

Authentication and authorization
Requires edit_user capability for all operations.


GET

Access SAML user and role information for saved searches.

Request parameters

None.

Response keys

Name Description
name SAML username for running saved searches.
roles Assigned roles for this user.

Example request and response

XML Request

curl -k -u admin:password https://localhost:8089/services/admin/SAML-user-role-map 

XML Response

  <title>SAML-user-role-map</title>
  <id>https://localhost:8089/services/admin/SAML-user-role-map</id>
  <updated>2015-11-07T17:34:12-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
  <link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>samluser001@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser001%40example.com</id>
    <updated>2015-11-07T17:34:12-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>sc_admin</s:item>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser002@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser002%40example.com</id>
    <updated>2015-11-07T17:34:12-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser003@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser003%40example.com</id>
    <updated>2015-11-07T17:34:12-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
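
An added example, not part of the Splunk documentation: a Python parser for the Atom feed shape shown above that extracts each SAML user's roles and the write ACL on the mapping, then flags privileged roles and unexpected writers. The sample feed is constructed, and the PRIVILEGED_ROLES and ALLOWED_WRITERS sets are assumptions to adapt to your deployment.

```python
import xml.etree.ElementTree as ET

# Namespaces as declared on the <feed> element in the responses on this page.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Assumptions for this example: which roles count as privileged, and which
# roles are expected to hold write access to a mapping entry.
PRIVILEGED_ROLES = frozenset({"admin", "sc_admin"})
ALLOWED_WRITERS = frozenset({"admin", "sc_admin", "splunk-system-role"})

# Constructed sample, trimmed to the keys the audit reads.
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>SAML-user-role-map</title>
  <entry>
    <title>samluser001@example.com</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list><s:item>sc_admin</s:item><s:item>user</s:item></s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser002@example.com</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl"><s:dict><s:key name="perms"></s:key></s:dict></s:key>
        <s:key name="roles"><s:list><s:item>power</s:item></s:list></s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def rest_value(elem):
    """Convert <content>, <s:key> or <s:item> into a dict, list or string."""
    child = elem.find("s:dict", NS)
    if child is not None:
        return {k.get("name"): rest_value(k) for k in child.findall("s:key", NS)}
    child = elem.find("s:list", NS)
    if child is not None:
        return [rest_value(i) for i in child.findall("s:item", NS)]
    return (elem.text or "").strip()


def parse_role_map(feed_xml):
    """Return {entry title: content dict} for every <entry> in the feed."""
    root = ET.fromstring(feed_xml)
    result = {}
    for entry in root.findall("atom:entry", NS):
        name = entry.findtext("atom:title", default="", namespaces=NS)
        content = entry.find("atom:content", NS)
        result[name] = rest_value(content) if content is not None else {}
    return result


def _as_dict(value):
    # Empty keys such as <s:key name="perms"></s:key> parse to "", not {}.
    return value if isinstance(value, dict) else {}


def _as_list(value):
    return value if isinstance(value, list) else ([value] if value else [])


def audit_role_map(feed_xml, privileged=PRIVILEGED_ROLES, allowed_writers=ALLOWED_WRITERS):
    """Return (user, finding, roles) tuples for mappings that deserve review."""
    findings = []
    for name, content in sorted(parse_role_map(feed_xml).items()):
        content = _as_dict(content)
        hits = sorted(set(_as_list(content.get("roles"))) & privileged)
        if hits:
            findings.append((name, "privileged-role", hits))
        perms = _as_dict(_as_dict(content.get("eai:acl")).get("perms"))
        extra = sorted(set(_as_list(perms.get("write"))) - allowed_writers)
        if extra:
            findings.append((name, "unexpected-writer", extra))
    return findings
```
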

POST

Update SAML user and role information for saved searches.

Request parameters

Name Type Description
name String SAML username for running saved searches.
roles String Assigned roles for this user.

Response keys

Name Description
name SAML username for running saved searches.
roles Assigned roles for this user.


Example request and response


XML Request

curl -k -u admin:password https://localhost:8089/services/admin/SAML-user-role-map -d name=samluser004@example.foo -d roles=user

XML Response

 <title>SAML-user-role-map</title>
  <id>https://localhost:8089/services/admin/SAML-user-role-map</id>
  <updated>2015-11-07T17:45:54-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
  <link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>samluser004@example.foo</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser004%40example.foo</id>
    <updated>2015-11-07T17:45:54-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>


DELETE

See admin/SAML-user-role-map/{name}


admin/SAML-user-role-map/{name}

https://<host>:<mPort>/services/admin/SAML-user-role-map/{name}

Delete SAML user and role information for saved searches if your IdP does not support Attribute Query Requests.

Authentication and authorization
Requires edit_user capability for all operations.


DELETE

Remove a username from SAML users for saved searches.

Request parameters

None.

Response keys

Name Description
name SAML username for running saved searches.
roles Assigned roles for this user.

Example request and response


XML Request

curl -k -u admin:password --request DELETE https://localhost:8089/services/admin/SAML-user-role-map/samluser004@example.com

XML Response

 <title>SAML-user-role-map</title>
  <id>https://localhost:8089/services/admin/SAML-user-role-map</id>
  <updated>2015-11-07T17:46:26-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
  <link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>samluser001@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser001%40example.com</id>
    <updated>2015-11-07T17:46:26-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>sc_admin</s:item>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser002@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser002%40example.com</id>
    <updated>2015-11-07T17:46:26-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser003@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser003%40example.com</id>
    <updated>2015-11-07T17:46:26-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>

auth/login

https://<host>:<mPort>/services/auth/login


Get a session ID for use in subsequent API calls that require authentication. Set up cookie-based authorization.

The splunkd server supports token-based authentication using the standard HTTP authorization header. Before you can access Splunk Enterprise resources, you must authenticate with the splunkd server using your username and password.

Use cookie-based authorization

To use cookie-based authorization, first ensure that the allowCookieAuth setting is enabled in server.conf. By default, this setting is enabled in Splunk software versions 6.2 and later.

If allowCookieAuth is enabled, you can pass a cookie=1 parameter to the POST request on auth/login. As noted in the Response data keys section below, a Set-Cookie header is returned. This header must be used in subsequent requests.

Any request authenticated using a cookie may include a new Set-Cookie header in its response. Use this new cookie value in any subsequent requests.

If you do not receive a Set-Cookie header in response to the auth/login POST request but login succeeded, you can use the standard Authorization:Splunk... header with the session key for authorization.


See also


POST

Get a session ID for use in subsequent API calls that require authentication. Optionally, use cookie-based authentication.

Request parameters

| Name | Type | Description |
|---|---|---|
| cookie | Boolean | The only value used is 1. To use cookie-based REST authentication, pass in cookie=1. Cookies are returned only if the cookie parameter is passed in with the value 1. |
| password | String | Required. Password for the specified username. |
| username | String | Required. Authenticated session owner name. |


Response data keys

Note: Only a <response> element is returned instead of a full <atom> feed.
| Name | Description |
|---|---|
| sessionKey | Session ID. |

A Set-Cookie HTTP header is returned if cookie-based authentication is requested.

Failure to authenticate returns the following response.

<response>
     <messages>
         <msg type="WARN">Login failed</msg>
     </messages>
</response>


Example request and response

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/auth/login -d username=admin -d password=changeme

XML Response

<response>
    <sessionKey>192fd3e46a31246da7ea7f109e7f95fd</sessionKey>
</response>
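
One way a client can consume the auth/login responses described above, as an added example that is not Splunk's own code: it separates a sessionKey from a "Login failed" message, prefers the cookie when a Set-Cookie header was returned, adopts a replacement cookie from a later response, and otherwise falls back to the Authorization: Splunk header. The class and function names, the cookie name and all sample values are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

# Constructed sample bodies in the two shapes this page documents.
LOGIN_OK = "<response><sessionKey>0123456789abcdef0123456789abcdef</sessionKey></response>"
LOGIN_FAILED = (
    '<response><messages><msg type="WARN">Login failed</msg></messages></response>'
)
# Constructed Set-Cookie value; the cookie name is an assumption of this example.
SAMPLE_SET_COOKIE = "splunkd_8089=constructed-value; Path=/; HttpOnly"


class LoginError(Exception):
    """auth/login returned no sessionKey."""


def parse_login_response(body):
    """Return the sessionKey, or raise LoginError carrying the server message."""
    root = ET.fromstring(body)
    key = (root.findtext("sessionKey") or "").strip()
    if root.tag == "response" and key:
        return key
    msgs = [f"{m.get('type')}: {(m.text or '').strip()}" for m in root.iter("msg")]
    raise LoginError("; ".join(msgs) or "no sessionKey in response")


class SplunkdSession:
    """Holds the credential for follow-up requests (hypothetical helper)."""

    def __init__(self, login_body, set_cookie_headers=()):
        self.session_key = parse_login_response(login_body)
        self.cookies = {}
        self.absorb(set_cookie_headers)

    def absorb(self, set_cookie_headers):
        """Adopt every Set-Cookie value; a later value replaces an earlier one."""
        for raw in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                self.cookies[name] = morsel.value

    def headers(self):
        """Cookie if the server issued one, else Authorization: Splunk <key>."""
        if self.cookies:
            pairs = "; ".join(f"{n}={v}" for n, v in self.cookies.items())
            return {"Cookie": pairs}
        return {"Authorization": "Splunk " + self.session_key}

    def __repr__(self):
        # Keep the live credential out of logs and tracebacks.
        return f"<SplunkdSession key=...{self.session_key[-4:]}>"
```

Call absorb() with the Set-Cookie values of every cookie-authenticated response so that the next request carries the newest cookie.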

authentication/current-context

https://<host>:<mPort>/services/authentication/current-context

Get the authenticated session owner username.

For additional information, see the following resources.


GET

Get user information for the current context.


Request parameters
Pagination and filtering parameters can be used with this method.


Response keys

| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Indicates whether the default app overrides the user role default app: true = Default app overrides the user role default app; false = Default app does not override the user role default app. |
| defaultAppSourceRole | The role that determines the default app for the user, if the user has multiple roles. |
| email | User email address. |
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Indicates whether to restart background search jobs that have not completed when Splunk Enterprise restarts: true = Restart job; false = Do not restart job. |
| roles | Roles assigned to the user. |
| type | User authentication system type: LDAP, Scripted, Splunk, or System (reserved for system user). |
| tz | User timezone. |
| username | Authenticated session owner name. |


Usage in search
Here is an example of calling this endpoint in a search command to get the current user.

... rest /services/authentication/current-context/context | fields + username ...


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/current-context

XML Response

.
.
.
<title>current-context</title>
 <id>https://localhost:8089/services/authentication/current-context</id>
 <updated>2014-06-30T11:26:19-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>context</title>
   <id>https://localhost:8089/services/authentication/current-context/context</id>
   <updated>2014-06-30T11:26:19-07:00</updated>
   <link href="/services/authentication/current-context/context" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/current-context/context" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
       <s:key name="username">admin</s:key>
     </s:dict>
   </content>
 </entry>

authentication/httpauth-tokens

https://<host>:<mPort>/services/authentication/httpauth-tokens

List currently active session IDs and users.

For additional information, see the following resources.


GET

List currently active session IDs/users.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

| Name | Description |
|---|---|
| authString | Unique identifier for this session. |
| searchId | Search ID associated with the session, if it was created for a search job. If it is a login-type session, the value is empty. The session ID token is valid for the duration of the web session. |
| timeAccessed | Last time the session was touched. |
| userName | Username associated with the session. |


Usage in searches
Here is an example of calling this endpoint in a search.

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens

XML Response

.
.
.
<title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T11:28:04-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>15a773187d3e4437cbe9809f41f23d8f</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
   <updated>2014-06-30T11:28:04-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:28:04 2014</s:key>
       <s:key name="userName">admin</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>694ef5bda40ae8c4f59626671b5f0c9a</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
   <updated>2014-06-30T11:28:04-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:26:09 2014</s:key>
       <s:key name="userName">splunk-system-user</s:key>
     </s:dict>
   </content>
 </entry>

authentication/httpauth-tokens/{name}

https://<host>:<mPort>/services/authentication/httpauth-tokens/<name>


Access or delete the {name} session, where {name} is the session ID returned by auth/login.

For additional information, see the following resources.


DELETE

Delete the session associated with this session ID.

Request parameters
None

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK

XML Response

.
.
.
<title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T12:02:12-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>694ef5bda40ae8c4f59626671b5f0c9a</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
   <updated>2014-06-30T12:02:12-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:42:31 2014</s:key>
       <s:key name="userName">splunk-system-user</s:key>
     </s:dict>
   </content>
 </entry>


GET

Get session information.


Request parameters
None

Response keys

| Name | Description |
|---|---|
| authString | Unique session identifier. |
| searchId | Session search ID, if it is a search job session. The value is blank for a login-type session. |
| timeAccessed | Last time the session was touched. |
| userName | Username associated with the session. |


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK

XML Response

.
.
.
 <title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T11:39:52-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>15a773187d3e4437cbe9809f41f23d8f</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
   <updated>2014-06-30T11:39:52-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:39:52 2014</s:key>
       <s:key name="userName">admin</s:key>
     </s:dict>
   </content>
 </entry>
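
A session review built on the httpauth-tokens listing and the per-session DELETE endpoint above, as an added example that is not Splunk's own code: it applies the same filter as the search shown earlier (empty searchId, not splunk-system-user), measures idle time from timeAccessed, and returns the rel="remove" path to send a DELETE to. The feed is constructed, and the function names and the idle threshold are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"
BASE = "/services/authentication/httpauth-tokens/"


def _entry(sid, user, accessed, search_id=""):
    """Build one constructed <entry> in the shape of the responses on this page."""
    return f"""
 <entry>
   <title>{sid}</title>
   <link href="{BASE}{sid}" rel="list"/>
   <link href="{BASE}{sid}" rel="remove"/>
   <content type="text/xml"><s:dict>
     <s:key name="authString">constructed-secret-{user}</s:key>
     <s:key name="searchId">{search_id}</s:key>
     <s:key name="timeAccessed">{accessed}</s:key>
     <s:key name="userName">{user}</s:key>
   </s:dict></content>
 </entry>"""


# Constructed sample feed: session ids, users and times are made up.
FEED = (
    '<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">'
    + _entry("a" * 32, "admin", "Mon Jun 30 09:15:00 2014")
    + _entry("b" * 32, "alice", "Mon Jun 30 11:55:00 2014")
    + _entry("c" * 32, "splunk-system-user", "Mon Jun 30 08:00:00 2014")
    + _entry("d" * 32, "bob", "Mon Jun 30 07:00:00 2014", "constructed_search_id")
    + "\n</feed>"
)


def stale_login_sessions(feed_xml, now, max_idle):
    """Login-type sessions idle longer than max_idle, longest idle first.

    authString is a live credential, so it is read past and never copied
    into the result.
    """
    findings = []
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        keys = {k.get("name"): (k.text or "").strip() for k in entry.iter(S + "key")}
        # Skip search-job sessions and the internal system user.
        if keys.get("searchId") or keys.get("userName") == "splunk-system-user":
            continue
        # timeAccessed carries no zone: `now` must come from the same clock.
        accessed = datetime.strptime(keys["timeAccessed"], "%a %b %d %H:%M:%S %Y")
        idle = now - accessed
        if idle > max_idle:
            remove = [
                link.get("href")
                for link in entry.iter(ATOM + "link")
                if link.get("rel") == "remove"
            ]
            findings.append({
                "user": keys["userName"],
                "idle_minutes": int(idle.total_seconds() // 60),
                "delete_path": remove[0] if remove else None,
            })
    return sorted(findings, key=lambda f: -f["idle_minutes"])
```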

authentication/providers/SAML

https://<host>:<mPort>/services/authentication/providers/SAML

Access and create SAML configurations.

Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access SAML configurations.

Request parameters
None.

Response keys

| Name | Description |
|---|---|
| allowSslCompression | Indicates whether SSL data compression is enabled. |
| assertionConsumerServiceUrl | Endpoint where SAML assertions are posted by the IdP. |
| attributeAliasMail | Specifies which SAML attribute is mapped to ‘email’. Defaults to ‘email’. |
| attributeAliasRealName | Specifies which SAML attribute maps to ‘realName’. Defaults to realName. |
| attributeAliasRole | Specifies which SAML attribute maps to role. Defaults to role. |
| attributeQueryRequestSigned | Indicates whether Attribute Queries should be signed. |
| attributeQueryResponseSigned | Indicates whether Attribute Query responses should be signed. |
| attributeQuerySoapPassword | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQuerySoapUsername | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQueryTTL | Time to live (TTL) for the Attribute Query credentials cache. |
| blacklistedAutoMappedRoles | Comma-separated list of Splunk platform roles that should be blacklisted from being auto-mapped from the IdP response. |
| blacklistedUsers | Comma-separated list of user names from the IdP response to be blacklisted by the Splunk platform. |
| caCertFile | File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem |
| cipherSuite | Cipher suite for making Attribute Queries using SSL. For example, TLSv1+HIGH:@STRENGTH. |
| defaultRoleIfMissing | Default role to use if no role is returned in a SAML response. |
| ecdhCurveName | EC curves for ECDH/ECDHE key exchange (SSL setting). |
| entityId | Unique ID preconfigured by the IdP. |
| errorUrl | URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IdP or the Splunk platform. |
| errorUrlLabel | Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error." |
| fqdn | Load balancer URL. |
| idpAttributeQueryUrl | IdP attribute query URL where SAML attribute queries are sent. |
| idpCertPath | Path for IdP certificate. |
| idpSLOUrl | IdP SLO URL where SAML SLO requests are sent. |
| idpSSOUrl | IdP SSO URL where SAML SSO requests are sent. |
| maxAttributeQueryQueueSize | Maximum number of Attribute jobs to queue. |
| maxAttributeQueryThreads | Maximum number of threads for asynchronous Attribute Queries. |
| name | Configuration stanza name. |
| nameIdFormat | Specifies how the subject is identified in the SAML assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. When using Azure AD as an IdP, override it and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| redirectAfterLogoutToUrl | Redirect URL after user logout if no SLO URL is configured. |
| signAuthnRequest | Indicates whether to sign authentication requests. |
| signedAssertion | Indicates whether to sign SAML assertions. |
| singleLogoutServiceUrl | URL where the IdP posts SAML Single Logout responses. |
| skipAttributeQueryRequestForUsers | Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users. |
| spCertPath | Service provider certificate path. |
| sslAltNameToCheck | Alternate name to check in the peer certificate. |
| sslCommonNameToCheck | Common name to check in the peer certificate. |
| sslKeysfile | Location of service provider private key. |
| sslKeysfilePassword | SSL password. |
| sslVerifyServerCert | Indicates whether to verify peer certificate. |
| sslVersions | SSL versions. |
| uiStatusPage | Splunk Web page for redirecting users in case of errors. |


Example request and response

XML Request

curl -u admin:pass -k -X GET  https://localhost:8089/services/authentication/providers/SAML

XML Response

  <title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2016-01-27T11:13:29-08:00</updated>
  <generator build="d4236ccf1981eec20e461cd26a1f808e0ae54e71" version="20160126"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml_settings</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml_settings</id>
    <updated>2016-01-27T11:13:29-08:00</updated>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="remove"/>
    <link href="/services/authentication/providers/SAML/saml_settings/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">https://localhost:8000/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername"></s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/home/rdimri/binary_11/etc/auth/server.pem</s:key>
        <s:key name="cipherSuite">TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH</s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">someOtherEntityId</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">https://splunk.com</s:key>
        <s:key name="idpCertPath">idpCert.pem</s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl"></s:key>
            <s:key name="idpSLOUrl">http://idp.saml2.com:48080/openam/IDPSloPOST/metaAlias/idp</s:key>
            <s:key name="idpSSOUrl">http://idp.saml2.com:48080/openam/SSOPOST/metaAlias/idp</s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl"></s:key>
        <s:key name="signAuthnRequest">0</s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">https://localhost:8000/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="spCertPath">/home/rdimri/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/home/rdimri/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>
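
A review of the saml_settings values returned above, as an added example that is not Splunk's own code: it flattens the s:dict, including the nested protocol_endpoints, and reports transport and signing settings that a hardening pass would revisit. Which values count as weak is this example's own policy, the sslVersions check assumes the comma-separated form shown in the response, and the corrected values in HARDENED are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

S = "{http://dev.splunk.com/ns/rest}"

# Constructed <s:dict> carrying values from the XML response above.
SAML_SETTINGS = """<s:dict xmlns:s="http://dev.splunk.com/ns/rest">
  <s:key name="allowSslCompression">true</s:key>
  <s:key name="protocol_endpoints">
    <s:dict>
      <s:key name="idpAttributeQueryUrl"></s:key>
      <s:key name="idpSLOUrl">http://idp.saml2.com:48080/openam/IDPSloPOST/metaAlias/idp</s:key>
      <s:key name="idpSSOUrl">http://idp.saml2.com:48080/openam/SSOPOST/metaAlias/idp</s:key>
    </s:dict>
  </s:key>
  <s:key name="signAuthnRequest">0</s:key>
  <s:key name="signedAssertion">1</s:key>
  <s:key name="sslVerifyServerCert">false</s:key>
  <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
</s:dict>"""

# The same settings with each flagged value corrected (constructed values).
HARDENED = (
    SAML_SETTINGS
    .replace('allowSslCompression">true', 'allowSslCompression">false')
    .replace("http://idp.saml2.com:48080", "https://idp.example.com")
    .replace('signAuthnRequest">0', 'signAuthnRequest">1')
    .replace('sslVerifyServerCert">false', 'sslVerifyServerCert">true')
    .replace("SSL3,TLS1.0,TLS1.1,TLS1.2", "TLS1.2")
)

ON, OFF = {"1", "true"}, {"0", "false"}
# SSLv3 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated.
OLD_PROTOCOLS = {"ssl3", "tls1.0", "tls1.1"}


def audit_saml(dict_xml):
    """Return sorted (key, finding) pairs; only explicit values are judged."""
    root = ET.fromstring(dict_xml)
    # iter() walks nested dicts too, so protocol_endpoints keys land in cfg.
    cfg = {k.get("name"): (k.text or "").strip() for k in root.iter(S + "key")}
    out = []
    if cfg.get("sslVerifyServerCert", "").lower() in OFF:
        out.append(("sslVerifyServerCert", "peer certificate is not verified"))
    if cfg.get("allowSslCompression", "").lower() in ON:
        out.append(("allowSslCompression", "TLS compression is enabled (CRIME)"))
    old = [v.strip() for v in cfg.get("sslVersions", "").split(",")
           if v.strip().lower() in OLD_PROTOCOLS]
    if old:
        out.append(("sslVersions", "deprecated protocols allowed: " + ",".join(old)))
    if cfg.get("signedAssertion", "").lower() in OFF:
        out.append(("signedAssertion", "signed assertions are turned off"))
    if cfg.get("signAuthnRequest", "").lower() in OFF:
        out.append(("signAuthnRequest", "authentication requests are not signed"))
    for name in ("idpSSOUrl", "idpSLOUrl", "idpAttributeQueryUrl"):
        url = cfg.get(name, "")
        if url and urlsplit(url).scheme.lower() != "https":
            out.append((name, "endpoint is not HTTPS"))
    return sorted(out)
```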


POST

Create a new SAML configuration.

Request parameters

| Name | Description |
|---|---|
| allowSslCompression | Indicates whether SSL data compression is enabled. |
| attributeAliasMail | Specifies which SAML attribute is mapped to ‘email’. Defaults to ‘email’. |
| attributeAliasRealName | Specifies which SAML attribute maps to ‘realName’. Defaults to realName. |
| attributeAliasRole | Specifies which SAML attribute maps to role. Defaults to role. |
| attributeQueryRequestSigned | Indicates whether Attribute Queries should be signed. |
| attributeQueryResponseSigned | Indicates whether Attribute Query responses should be signed. |
| attributeQuerySoapPassword | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQuerySoapUsername | Credentials for making Attribute Query using SOAP over HTTP. |
| attributeQueryTTL | Time to live (TTL) for the Attribute Query credentials cache. |
| blacklistedAutoMappedRoles | Comma-separated list of Splunk platform roles that should be blacklisted from being auto-mapped from the IdP response. |
| blacklistedUsers | Comma-separated list of user names from the IdP response to be blacklisted by the Splunk platform. |
| caCertFile | File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem |
| cipherSuite | Cipher suite for making Attribute Queries using SSL. For example, TLSv1+HIGH:@STRENGTH. |
| defaultRoleIfMissing | Default role to use if no role is returned in a SAML response. |
| ecdhCurveName | EC curves for ECDH/ECDHE key exchange (SSL setting). |
| entityId | Required. Unique ID preconfigured by the IdP. |
| errorUrl | URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IdP or the Splunk platform. |
| errorUrlLabel | Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error." |
| fqdn | Load balancer URL. |
| idpAttributeQueryUrl | IdP attribute query URL where SAML attribute queries are sent. |
| idpCertPath | Path for IdP certificate. |
| idpSLOUrl | IdP SLO URL where SAML SLO requests are sent. |
| idpSSOUrl | Required. IdP SSO URL where SAML SSO requests are sent. |
| name | Required. Configuration stanza name. |
| nameIdFormat | Specifies how the subject is identified in the SAML assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. When using Azure AD as an IdP, override it and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| redirectAfterLogoutToUrl | Redirect URL after user logout if no SLO URL is configured. |
| signAuthnRequest | Indicates whether to sign authentication requests. |
| signedAssertion | Indicates whether to sign SAML assertions. |
| skipAttributeQueryRequestForUsers | Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users. |
| sslAltNameToCheck | Alternate name to check in the peer certificate. |
| sslCommonNameToCheck | Common name to check in the peer certificate. |
| sslKeysfile | Location of service provider private key. |
| sslKeysfilePassword | SSL password. |
| sslVerifyServerCert | Indicates whether to verify peer certificate. |
| sslVersions | SSL versions. |


Response keys
None.


Example request and response


XML Request

curl -u admin:password -k -X POST https://localhost:8089/services/authentication/providers/SAML -d "name=saml_settings" -d "entityId=http://myURL" -d "idpMetadataFile=/home/my_folder/binary_11/openam.xml" -d "idpSSOUrl=http://idp.saml2.com:8080/openam/SSOPOST/metaAlias/idp"

XML Response

<title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2016-01-26T11:51:18-08:00</updated>
  <generator build="420c52964b8db66082924ce2190253da9a41e6c" version="20160126"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml_settings</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml_settings</id>
    <updated>2016-01-26T11:51:18-08:00</updated>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">https://localhost:8000/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername"></s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="cipherSuite">TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH</s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">http://rdimriSplunk</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">https://splunk.com</s:key>
        <s:key name="idpCertPath">idpCert.pem</s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl"></s:key>
            <s:key name="idpSLOUrl">http://idp.saml2.com:8080/openam/IDPSloPOST/metaAlias/idp</s:key>
            <s:key name="idpSSOUrl">http://idp.saml2.com:8080/openam/SSOPOST/metaAlias/idp</s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl"></s:key>
        <s:key name="signAuthnRequest">0</s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">https://localhost:8000/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="spCertPath">/home/rdimri/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>

authentication/providers/SAML/{stanza_name}

https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}


GET

Access a SAML configuration.

Request parameters
None.

Response keys

Name Description
allowSslCompression Indicates whether ssl data compression is enabled.
assertionConsumerServiceUrl Endpoint where SAML assertions are posted by the IdP.
attributeAliasMail Specifies which SAML attribute is mapped to ‘email’. Defaults to ‘email’.
attributeAliasRealName Specifies which SAML attribute maps to ‘realName’. Defaults to realName.
attributeAliasRole Specifies which SAML attribute maps to role. Defaults to role.
attributeQueryRequestSigned Indicates whether Attribute Queries should be signed.
attributeQueryResponseSigned Indicates whether Attribute Query responses should be signed.
attributeQuerySoapPassword Credentials for making Attribute Query using SOAP over HTTP.
attributeQuerySoapUsername Credentials for making Attribute Query using SOAP over HTTP.
attributeQueryTTL ttl (time to live) for the Attribute Query credentials cache.
blacklistedAutoMappedRoles Comma separated list of Splunk platform roles that should be blacklisted from being auto-mapped from the IDP Response.
blacklistedUsers Comma separated list of user names from the IDP response to be blacklisted by the Splunk platform.
caCertFile File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem
cipherSuite Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
defaultRoleIfMissing Default role to use if no role is returned in a SAML response.
ecdhCurveName EC curves for ECDH/ECDHE key exchange - ssl setting.
entityId Unique id preconfigured by the IdP.
errorUrl URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or the Splunk platform.
errorUrlLabel Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error."
fqdn Load balancer url.
idpAttributeQueryUrl IdP attribute query url where SAML attribute queries are sent.
idpCertPath Path for IdP certificate.
idpSLOUrl IdP SLO url where SAML SLO requests are sent.
idpSSOUrl IdP SSO url where SAML SSO requests are sent.
maxAttributeQueryQueueSize Maximum number of Attribute jobs to queue.
maxAttributeQueryThreads Maximum number of threads for asynchronous Attribute Queries.
name Configuration stanza name.
nameIdFormat Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
redirectAfterLogoutToUrl Redirect URL after user logout if no SLO URL is configured.
signAuthnRequest Indicates whether to sign authentication requests.
signedAssertion Indicates whether to sign SAML assertions.
singleLogoutServiceUrl URL where the IdP posts SAML Single Logout responses.
skipAttributeQueryRequestForUsers Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users.
spCertPath Service provider certificate path.
sslAltNameToCheck Alternate name to check in the peer certificate.
sslCommonNameToCheck Common name to check in the peer certificate.
sslKeysfile Location of service provider private key.
sslKeysfilePassword SSL password.
sslVerifyServerCert Indicates whether to verify peer certificate.
sslVersions SSL versions.
uiStatusPage Splunk Web page for redirecting users in case of errors.


Example request and response

XML Request

 curl -k -u admin:password https://localhost:8089/services/authentication/providers/SAML/saml_settings

XML Response

<title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2016-01-27T11:14:39-08:00</updated>
  <generator build="d4236ccf1981eec20e461cd26a1f808e0ae54e71" version="20160126"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml_settings</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml_settings</id>
    <updated>2016-01-27T11:14:39-08:00</updated>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="remove"/>
    <link href="/services/authentication/providers/SAML/saml_settings/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">https://localhost:8000/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername"></s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="cipherSuite">TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH</s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>allowSslCompression</s:item>
                <s:item>attributeAliasMail</s:item>
                <s:item>attributeAliasRealName</s:item>
                <s:item>attributeAliasRole</s:item>
                <s:item>attributeQueryRequestSigned</s:item>
                <s:item>attributeQueryResponseSigned</s:item>
                <s:item>attributeQuerySoapPassword</s:item>
                <s:item>attributeQuerySoapUsername</s:item>
                <s:item>attributeQueryTTL</s:item>
                <s:item>blacklistedAutoMappedRoles</s:item>
                <s:item>blacklistedUsers</s:item>
                <s:item>caCertFile</s:item>
                <s:item>cipherSuite</s:item>
                <s:item>defaultRoleIfMissing</s:item>
                <s:item>ecdhCurveName</s:item>
                <s:item>ecdhCurves</s:item>
                <s:item>entityId</s:item>
                <s:item>errorUrl</s:item>
                <s:item>errorUrlLabel</s:item>
                <s:item>fqdn</s:item>
                <s:item>idpAttributeQueryUrl</s:item>
                <s:item>idpCertPath</s:item>
                <s:item>idpCertificatePayload</s:item>
                <s:item>idpMetadataFile</s:item>
                <s:item>idpMetadataPayload</s:item>
                <s:item>idpSLOUrl</s:item>
                <s:item>idpSSOUrl</s:item>
                <s:item>nameIdFormat</s:item>
                <s:item>redirectAfterLogoutToUrl</s:item>
                <s:item>redirectPort</s:item>
                <s:item>signAuthnRequest</s:item>
                <s:item>signedAssertion</s:item>
                <s:item>skipAttributeQueryRequestForUsers</s:item>
                <s:item>sslAltNameToCheck</s:item>
                <s:item>sslCommonNameToCheck</s:item>
                <s:item>sslKeysfile</s:item>
                <s:item>sslKeysfilePassword</s:item>
                <s:item>sslVerifyServerCert</s:item>
                <s:item>sslVersions</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">someOtherEntityId</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">https://my_url.com</s:key>
        <s:key name="idpCertPath">idpCert.pem</s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl"></s:key>
            <s:key name="idpSLOUrl">http://idp.saml2.com:48080/openam/IDPSloPOST/metaAlias/idp</s:key>
            <s:key name="idpSSOUrl">http://idp.saml2.com:48080/openam/SSOPOST/metaAlias/idp</s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl"></s:key>
        <s:key name="signAuthnRequest">0</s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">https://localhost:8089/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="spCertPath">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>
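
The response above nests its settings in `<s:dict>`, `<s:list>` and `<s:key>` elements. The following added example (not part of the Splunk documentation) parses that structure and reports the transport and signing settings a reviewer would question. The function names are hypothetical, and the sample is constructed from the response above with a `<feed>` root and namespace declarations added on the assumption that a full response carries them.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces of a full response; the excerpt on the page omits the <feed> root.
ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: abridged from the GET response shown on this page.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>SAML-auth</title>
  <entry>
    <title>saml_settings</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl"></s:key>
            <s:key name="idpSLOUrl">http://idp.saml2.com:48080/openam/IDPSloPOST/metaAlias/idp</s:key>
            <s:key name="idpSSOUrl">http://idp.saml2.com:48080/openam/SSOPOST/metaAlias/idp</s:key>
          </s:dict>
        </s:key>
        <s:key name="signAuthnRequest">0</s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

# Only explicit version names, as listed in the response above, are recognised.
DEPRECATED_VERSIONS = {"ssl3", "tls1.0", "tls1.1"}


def parse_value(elem):
    """Turn a <content>, <s:key> or <s:item> element into a str, list or dict."""
    child = next(iter(elem), None)
    if child is None:
        return (elem.text or "").strip()
    if child.tag == S + "dict":
        return {k.get("name"): parse_value(k) for k in child.findall(S + "key")}
    if child.tag == S + "list":
        return [parse_value(i) for i in child.findall(S + "item")]
    return (elem.text or "").strip()


def parse_entries(feed_xml):
    """Return {entry title: settings dict} for every <entry> in the feed."""
    root = ET.fromstring(feed_xml)
    entries = {}
    for entry in root.iter(ATOM + "entry"):
        content = entry.find(ATOM + "content")
        if content is not None:
            entries[entry.findtext(ATOM + "title")] = parse_value(content)
    return entries


def is_true(value):
    """The responses on this page use both 1/0 and true/false for booleans."""
    return str(value).strip().lower() in ("1", "true")


def audit_saml(cfg):
    """Return (key, reason) pairs for settings that weaken the SAML setup."""
    findings = []
    if not is_true(cfg.get("sslVerifyServerCert", "")):
        findings.append(("sslVerifyServerCert", "peer certificate is not verified"))
    weak = [v.strip() for v in str(cfg.get("sslVersions", "")).split(",")
            if v.strip().lower() in DEPRECATED_VERSIONS]
    if weak:
        findings.append(("sslVersions", "deprecated versions enabled: " + ",".join(weak)))
    if is_true(cfg.get("allowSslCompression", "")):
        findings.append(("allowSslCompression", "TLS compression is enabled"))
    if not is_true(cfg.get("signAuthnRequest", "")):
        findings.append(("signAuthnRequest", "authentication requests are not signed"))
    if not is_true(cfg.get("signedAssertion", "")):
        findings.append(("signedAssertion", "signed assertions are not required"))
    endpoints = cfg.get("protocol_endpoints")
    if isinstance(endpoints, dict):
        for key, url in endpoints.items():
            if isinstance(url, str) and url.lower().startswith("http://"):
                findings.append((key, "IdP endpoint is reached over cleartext http"))
    return findings


if __name__ == "__main__":
    for stanza, cfg in parse_entries(SAMPLE_FEED).items():
        for key, reason in audit_saml(cfg):
            print(f"{stanza}: {key}: {reason}")
```
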


POST

Update a SAML configuration.

Request parameters

Name Description
allowSslCompression Indicates whether ssl data compression is enabled.
attributeAliasMail Specifies which SAML attribute is mapped to ‘email’. Defaults to ‘email’.
attributeAliasRealName Specifies which SAML attribute maps to ‘realName’. Defaults to realName.
attributeAliasRole Specifies which SAML attribute maps to role. Defaults to role.
attributeQueryRequestSigned Indicates whether Attribute Queries should be signed.
attributeQueryResponseSigned Indicates whether Attribute Query responses should be signed.
attributeQuerySoapPassword Credentials for making Attribute Query using SOAP over HTTP.
attributeQuerySoapUsername Credentials for making Attribute Query using SOAP over HTTP.
attributeQueryTTL ttl (time to live) for the Attribute Query credentials cache.
blacklistedAutoMappedRoles Comma separated list of Splunk platform roles that should be blacklisted from being auto-mapped from the IDP Response.
blacklistedUsers Comma separated list of user names from the IDP response to be blacklisted by the Splunk platform.
caCertFile File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem
cipherSuite Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
defaultRoleIfMissing Default role to use if no role is returned in a SAML response.
ecdhCurveName EC curves for ECDH/ECDHE key exchange - ssl setting.
entityId Unique id preconfigured by the IdP.
errorUrl URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or the Splunk platform.
errorUrlLabel Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error."
fqdn Load balancer url.
idpAttributeQueryUrl IdP attribute query url where SAML attribute queries are sent.
idpCertPath Path for IdP certificate.
idpSLOUrl IdP SLO url where SAML SLO requests are sent.
idpSSOUrl IdP SSO url where SAML SSO requests are sent.
name Configuration stanza name.
nameIdFormat Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
redirectAfterLogoutToUrl Redirect URL after user logout if no SLO URL is configured.
signAuthnRequest Indicates whether to sign authentication requests.
signedAssertion Indicates whether to sign SAML assertions.
singleLogoutServiceUrl URL where the IdP posts SAML Single Logout responses.
skipAttributeQueryRequestForUsers Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users.
sslAltNameToCheck Alternate name to check in the peer certificate.
sslCommonNameToCheck Common name to check in the peer certificate.
sslKeysfile Location of service provider private key.
sslKeysfilePassword SSL password.
sslVerifyServerCert Indicates whether to verify peer certificate.
sslVersions SSL versions.

Response keys
None


Example request and response

XML Request

curl -u admin:password -k -X POST https://localhost:8089/services/authentication/providers/SAML/saml_settings -d "entityId=someOtherEntityId"

XML Response

<title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2016-01-26T11:53:23-08:00</updated>
  <generator build="420c5296srgdb60e6a2924ce2190253da9a41e6c" version="20160126"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml_settings</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml_settings</id>
    <updated>2016-01-26T11:53:23-08:00</updated>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml_settings" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">https://myhost:29000/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername"></s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="cipherSuite">TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH</s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">someOtherEntityId</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">https://myURL.com</s:key>
        <s:key name="idpCertPath">idpCert.pem</s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl"></s:key>
            <s:key name="idpSLOUrl">http://idp.saml2.com:8080/openam/IDPSloPOST/metaAlias/idp</s:key>
            <s:key name="idpSSOUrl">http://idp.saml2.com:8080/openam/SSOPOST/metaAlias/idp</s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl"></s:key>
        <s:key name="signAuthnRequest">0</s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">https://localhost:8000/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="spCertPath">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/home/my_folder/binary_11/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>

authentication/users

https://<host>:<mPort>/services/authentication/users


List current users and create new users.

For additional information about configuring users and roles, see the following resources in Securing Splunk Enterprise.


GET

List current users.


Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicates:
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole The role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Indicates whether to restart background search jobs that have not completed when Splunk Enterprise restarts:
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type One of the following user authentication system types.
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users

XML Response

.
.
.
 <title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:27:48-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authentication/users/admin</id>
   <updated>2014-06-30T12:27:48-07:00</updated>
   <link href="/services/authentication/users/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/admin" rel="list"/>
   <link href="/services/authentication/users/admin" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:27:48-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>


POST

Create a user.

Usage details
When creating a user you must specify at least one role.

Specify one or more roles for the user. You can create a new role for the user by setting the createrole parameter to "true" and specifying the new role name as a roles parameter value.

Request parameters

Name Datatype Description
createrole Boolean Flag to indicate that a new role should be created for the user. If set to "true", the new role user-<name> is created and assigned to the user. The <name> portion of the new role matches the name parameter value passed in with this POST request.

If set to "false", at least one existing role must be specified using the roles parameter for the POST request.

Defaults to "false".

defaultApp String User default app. Overrides the default app inherited from the user roles.
email String User email address.
force-change-pass Boolean Indicates whether to force the user to change the password:
true = Force password change.
false = Do not force password change.
name String Required. Unique user login name.
password String Required. User login password.
realname String Full user name.
restart_background_jobs Boolean Indicates whether to restart a background search job that has not completed when Splunk Enterprise restarts:
true = Restart job.
false = Do not restart job.
roles String One or more existing roles to assign to this user. At least one existing role is required if you are not using the createrole parameter to create a new role for the user. If you are using createrole to create a new role, you can optionally use this parameter to specify additional roles to assign to the user.
tz String User timezone.

Response keys
None


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users -d name=User1 -d password=changeme -d roles=admin

XML Response

<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:18:19-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:18:19-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>



authentication/users/{name}

https://<host>:<mPort>/services/authentication/users/{name}

Access and update user information or delete the {name} user.

Usage details
The /{name} username portion of the URL is not case sensitive.

For additional information about user capabilities, see the following resource in Securing Splunk Enterprise.


DELETE

Remove the specified user from the system.

Request parameters
None

Response keys
None


Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/users/user1

XML Response

.
.
.
 <title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:51:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authentication/users/admin</id>
   <updated>2014-06-30T12:51:09-07:00</updated>
   <link href="/services/authentication/users/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/admin" rel="list"/>
   <link href="/services/authentication/users/admin" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>


GET

Return information for the specified user.


Request parameters
None

Response keys

Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicator.
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole Role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Indicates whether incomplete background search jobs restart when the Splunk platform restarts.
true = Restart jobs.
false = Do not restart jobs.
roles Roles assigned to the user.
type One of the following user authentication system types.
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1

XML Response

.
.
.
<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:39:18-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:39:18-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>defaultApp</s:item>
               <s:item>email</s:item>
               <s:item>force-change-pass</s:item>
               <s:item>password</s:item>
               <s:item>realname</s:item>
               <s:item>restart_background_jobs</s:item>
               <s:item>roles</s:item>
               <s:item>tz</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>
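The following Python code is an added example, not part of the Splunk documentation. It parses a user feed shaped like the response above and reports, per user, which of a chosen set of sensitive capabilities the account holds and whether its eai:acl grants write to `*`. The Atom and Splunk REST namespace URIs on the `<feed>` root (elided in the listings on this page), the `HIGH_RISK` selection, the function names and the sample feed are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by splunkd Atom responses. Assumption of this example:
# the listings on this page elide the <feed> root that declares them.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Capabilities this example treats as sensitive. The names appear in the
# page's capability listings; choosing these six is the example's own policy.
HIGH_RISK = frozenset({
    "admin_all_objects", "change_authentication", "delete_by_keyword",
    "edit_roles", "edit_user", "run_debug_commands",
})

def _value(el):
    """Turn the payload of an <s:key> or <s:item> into a dict, list or str."""
    child_dict = el.find("s:dict", NS)
    if child_dict is not None:
        return {k.get("name"): _value(k) for k in child_dict.findall("s:key", NS)}
    child_list = el.find("s:list", NS)
    if child_list is not None:
        return [_value(i) for i in child_list.findall("s:item", NS)]
    return (el.text or "").strip()

def parse_users(feed_xml):
    """Return one dict of response keys per <entry>, plus the entry title as 'name'."""
    root = ET.fromstring(feed_xml)
    users = []
    for entry in root.findall("atom:entry", NS):
        content = entry.find("atom:content", NS)
        fields = _value(content) if content is not None else {}
        if not isinstance(fields, dict):  # empty <content/> yields ""
            fields = {}
        fields["name"] = entry.findtext("atom:title", default="", namespaces=NS)
        users.append(fields)
    return users

def audit_user(user):
    """Summarise the security-relevant response keys for one user."""
    caps = set(user.get("capabilities") or [])
    perms = (user.get("eai:acl") or {}).get("perms") or {}
    return {
        "name": user["name"],
        "type": user.get("type", ""),
        "roles": user.get("roles") or [],
        "high_risk": sorted(caps & HIGH_RISK),
        "wildcard_write": "*" in (perms.get("write") or []),
    }

# Constructed sample input (not captured from a real server), trimmed to the
# keys the audit reads.
SAMPLE_FEED = """
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>users</title>
  <entry>
    <title>user1</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities">
          <s:list>
            <s:item>admin_all_objects</s:item>
            <s:item>change_own_password</s:item>
            <s:item>edit_user</s:item>
            <s:item>search</s:item>
          </s:list>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="roles"><s:list><s:item>admin</s:item></s:list></s:key>
        <s:key name="type">Splunk</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>analyst1</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities">
          <s:list>
            <s:item>change_own_password</s:item>
            <s:item>search</s:item>
          </s:list>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="write"><s:list><s:item>admin</s:item><s:item>splunk-system-role</s:item></s:list></s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="roles"><s:list><s:item>user</s:item></s:list></s:key>
        <s:key name="type">LDAP</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    for finding in map(audit_user, parse_users(SAMPLE_FEED)):
        print(finding)
```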


POST

Update the specified user.

Request parameters

Name Type Description
defaultApp String User default app. This overrides the default app inherited from the user roles.
email String User email address.
force-change-pass Boolean Indicates whether to force user password change.
true = Force password change.
false = Do not force password change.
password String Required. User login password.
realname String Full user name.
restart_background_jobs Boolean Indicates whether to restart background search job that has not completed when the Splunk platform restarts.
true = Restart job.
false = Do not restart job.
roles String One or more existing roles to assign to this user. At least one existing role is required if you are not using the createrole parameter to create a new role for the user. If you are using createrole to create a new role, you can optionally use this parameter to specify additional roles to assign to the user.
tz String User timezone.

Response keys

Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicator.
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole Role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Indicates whether to restart background search job that has not completed when the Splunk platform restarts.
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type One of the following user authentication system types.
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1 -d defaultApp=launcher

XML Response

.
.
.
<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:45:23-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:45:23-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>

authorization/capabilities

https://<host>:<mPort>/services/authorization/capabilities

Access system capabilities.

GET

List system capabilities.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities List of capabilities assigned to role.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/capabilities

XML Response

.
.
.
<title>capabilities</title>
 <id>https://localhost:8089/services/authorization/capabilities</id>
 <updated>2014-06-30T12:56:35-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>capabilities</title>
   <id>https://localhost:8089/services/authorization/capabilities/capabilities</id>
   <updated>2014-06-30T12:56:35-07:00</updated>
   <link href="/services/authorization/capabilities/capabilities" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/capabilities/capabilities" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>delete_by_keyword</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>use_file_operator</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

authorization/grantable_capabilities

https://<host>:<mPort>/services/authorization/grantable_capabilities

Get a list of all capabilities that the current user can grant.

Authorization
Capabilities listed depend on the current user authorization. If the current user has the edit_roles capability, the response lists all capabilities. Otherwise, depending on the current user's edit_user permissions and configured grantableRoles in authorize.conf, the response lists only the capabilities that the current user can grant.


GET

List capabilities that the current user can grant.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities For users with the edit_roles capability, lists all capabilities. For users with edit_roles_grantable, edit_user, and grantableRoles, lists only grantable capabilities.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/grantable_capabilities

XML Response

<title>grantable_capabilities</title>
  <id>https://localhost:8089/services/authorization/grantable_capabilities</id>
.
.
.
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/grantable_capabilities/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>capabilities</title>
    <id>https://localhost:8089/services/authorization/grantable_capabilities/capabilities</id>
    <updated>2015-10-06T17:44:09-07:00</updated>
    <link href="/services/authorization/grantable_capabilities/capabilities" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/grantable_capabilities/capabilities" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities">
          <s:list>
            <s:item>accelerate_datamodel</s:item>
            <s:item>accelerate_search</s:item>
            <s:item>admin_all_objects</s:item>
            <s:item>change_authentication</s:item>
            <s:item>change_own_password</s:item>
            <s:item>delete_by_keyword</s:item>
            <s:item>edit_deployment_client</s:item>
            <s:item>edit_deployment_server</s:item>
            <s:item>edit_dist_peer</s:item>
            <s:item>edit_forwarders</s:item>
            <s:item>edit_httpauths</s:item>
            <s:item>edit_input_defaults</s:item>
            <s:item>edit_monitor</s:item>
            <s:item>edit_roles</s:item>
            <s:item>edit_roles_grantable</s:item>
            <s:item>edit_scripted</s:item>
            <s:item>edit_search_head_clustering</s:item>
            <s:item>edit_search_scheduler</s:item>
            <s:item>edit_search_server</s:item>
            <s:item>edit_server</s:item>
            <s:item>edit_sourcetypes</s:item>
            <s:item>edit_splunktcp</s:item>
            <s:item>edit_splunktcp_ssl</s:item>
            <s:item>edit_tcp</s:item>
            <s:item>edit_token_http</s:item>
            <s:item>edit_udp</s:item>
            <s:item>edit_user</s:item>
            <s:item>edit_view_html</s:item>
            <s:item>edit_web_settings</s:item>
            <s:item>embed_report</s:item>
            <s:item>get_diag</s:item>
            <s:item>get_metadata</s:item>
            <s:item>get_typeahead</s:item>
            <s:item>indexes_edit</s:item>
            <s:item>input_file</s:item>
            <s:item>license_edit</s:item>
            <s:item>license_tab</s:item>
            <s:item>license_view_warnings</s:item>
            <s:item>list_deployment_client</s:item>
            <s:item>list_deployment_server</s:item>
            <s:item>list_forwarders</s:item>
            <s:item>list_httpauths</s:item>
            <s:item>list_inputs</s:item>
            <s:item>list_introspection</s:item>
            <s:item>list_search_head_clustering</s:item>
            <s:item>list_search_scheduler</s:item>
            <s:item>output_file</s:item>
            <s:item>pattern_detect</s:item>
            <s:item>request_remote_tok</s:item>
            <s:item>rest_apps_management</s:item>
            <s:item>rest_apps_view</s:item>
            <s:item>rest_properties_get</s:item>
            <s:item>rest_properties_set</s:item>
            <s:item>restart_splunkd</s:item>
            <s:item>rtsearch</s:item>
            <s:item>run_debug_commands</s:item>
            <s:item>schedule_rtsearch</s:item>
            <s:item>schedule_search</s:item>
            <s:item>search</s:item>
            <s:item>use_file_operator</s:item>
            <s:item>web_debug</s:item>
          </s:list>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

authorization/roles

https://<host>:<mPort>/services/authorization/roles


Create a role or get a list of defined roles with role permissions.

For additional information, see the following resources in Securing Splunk Enterprise.


GET

List all roles and the permissions for each role.


Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities List of capabilities assigned to role.
cumulativeRTSrchJobsQuota Maximum number of concurrently running real-time searches for all role members. A warning message is logged when the limit is reached.
cumulativeSrchJobsQuota Maximum number of concurrently running searches for all role members. A warning message is logged when the limit is reached.
defaultApp The name of the app to use as the default app for this role.

A user-specific default app overrides this.

imported_capabilities List of capabilities assigned to role made available from imported roles.
imported_roles List of imported roles for this role.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions.

imported_rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_srchDiskQuota specifies the quota that this role has imported from other roles.

imported_srchFilter Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed A list of indexes, imported from other roles, this role has permissions to search.
imported_srchIndexesDefault A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter Search string that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed A list of indexes this role has permissions to search.
srchIndexesDefault List of indexes that this role searches by default when no index is specified.
srchJobsQuota The maximum number of concurrent real time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles

XML Response

.
.
.
 <title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:12:17-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>5</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authorization/roles/admin</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/admin" rel="list"/>
   <link href="/services/authorization/roles/admin" rel="edit"/>
   <link href="/services/authorization/roles/admin" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>get_diag</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">400</s:key>
       <s:key name="cumulativeSrchJobsQuota">200</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>rtsearch</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>power</s:item>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">20</s:key>
       <s:key name="imported_srchDiskQuota">500</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">10</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">100</s:key>
       <s:key name="srchDiskQuota">10000</s:key>
       <s:key name="srchFilter">*</s:key>
       <s:key name="srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
           <s:item>_*</s:item>
         </s:list>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
           <s:item>os</s:item>
         </s:list>
       </s:key>
       <s:key name="srchJobsQuota">50</s:key>
       <s:key name="srchTimeWin">0</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>can_delete</title>
   <id>https://localhost:8089/services/authorization/roles/can_delete</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/can_delete" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/can_delete" rel="list"/>
   <link href="/services/authorization/roles/can_delete" rel="edit"/>
   <link href="/services/authorization/roles/can_delete" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>delete_by_keyword</s:item>
           <s:item>schedule_rtsearch</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list/>
       </s:key>
       <s:key name="imported_roles">
         <s:list/>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">0</s:key>
       <s:key name="imported_srchDiskQuota">0</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="imported_srchJobsQuota">0</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>power</title>
   <id>https://localhost:8089/services/authorization/roles/power</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/power" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/power" rel="list"/>
   <link href="/services/authorization/roles/power" rel="edit"/>
   <link href="/services/authorization/roles/power" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>embed_report</s:item>
           <s:item>rtsearch</s:item>
           <s:item>schedule_search</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">200</s:key>
       <s:key name="cumulativeSrchJobsQuota">100</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">20</s:key>
       <s:key name="srchDiskQuota">500</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="srchJobsQuota">10</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>splunk-system-role</title>
   <id>https://localhost:8089/services/authorization/roles/splunk-system-role</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/splunk-system-role" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/splunk-system-role" rel="list"/>
   <link href="/services/authorization/roles/splunk-system-role" rel="edit"/>
   <link href="/services/authorization/roles/splunk-system-role" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">100</s:key>
       <s:key name="cumulativeSrchJobsQuota">50</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">100</s:key>
       <s:key name="imported_srchDiskQuota">10000</s:key>
       <s:key name="imported_srchFilter">*</s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
           <s:item>_*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
           <s:item>os</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">50</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>user</title>
   <id>https://localhost:8089/services/authorization/roles/user</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/user" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/user" rel="list"/>
   <link href="/services/authorization/roles/user" rel="edit"/>
   <link href="/services/authorization/roles/user" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">100</s:key>
       <s:key name="cumulativeSrchJobsQuota">50</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list/>
       </s:key>
       <s:key name="imported_roles">
         <s:list/>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">0</s:key>
       <s:key name="imported_srchDiskQuota">0</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="imported_srchJobsQuota">0</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
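
Added example (not part of the Splunk documentation): in the response above, splunk-system-role has an empty capabilities list yet receives edit_roles and change_authentication through imported_roles, so a role review has to read capabilities and imported_capabilities together. The sketch below parses a feed of this shape and reports each role's effective high-impact capabilities and whether its index patterns reach _audit. The watchlist, the helpdesk role, the function names and the namespace URIs in the sample are assumptions of this example.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Capability names come from the responses on this page; treating these as
# high-impact is this example's assumption, not a Splunk-defined list.
WATCHLIST = {"admin_all_objects", "change_authentication", "delete_by_keyword",
             "edit_roles", "edit_user", "run_debug_commands"}

# Constructed sample in the shape of the authorization/roles response.
# "helpdesk" is a made-up role and the namespace URIs are assumed.
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
 <entry><title>admin</title><content type="text/xml"><s:dict>
  <s:key name="capabilities"><s:list>
   <s:item>change_authentication</s:item><s:item>edit_roles</s:item>
  </s:list></s:key>
  <s:key name="imported_capabilities"><s:list><s:item>search</s:item></s:list></s:key>
  <s:key name="imported_roles"><s:list><s:item>user</s:item></s:list></s:key>
  <s:key name="srchIndexesAllowed"><s:list>
   <s:item>*</s:item><s:item>_*</s:item>
  </s:list></s:key>
  <s:key name="imported_srchIndexesAllowed"><s:list><s:item>*</s:item></s:list></s:key>
 </s:dict></content></entry>
 <entry><title>helpdesk</title><content type="text/xml"><s:dict>
  <s:key name="capabilities"><s:list/></s:key>
  <s:key name="imported_capabilities"><s:list>
   <s:item>change_authentication</s:item><s:item>edit_roles</s:item>
   <s:item>search</s:item>
  </s:list></s:key>
  <s:key name="imported_roles"><s:list><s:item>admin</s:item></s:list></s:key>
  <s:key name="srchIndexesAllowed"><s:list/></s:key>
  <s:key name="imported_srchIndexesAllowed"><s:list>
   <s:item>*</s:item><s:item>_*</s:item>
  </s:list></s:key>
 </s:dict></content></entry>
 <entry><title>user</title><content type="text/xml"><s:dict>
  <s:key name="capabilities"><s:list><s:item>search</s:item></s:list></s:key>
  <s:key name="imported_capabilities"><s:list/></s:key>
  <s:key name="imported_roles"><s:list/></s:key>
  <s:key name="srchIndexesAllowed"><s:list><s:item>*</s:item></s:list></s:key>
  <s:key name="imported_srchIndexesAllowed"><s:list/></s:key>
 </s:dict></content></entry>
</feed>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_value(node):
    """Turn a <content>, <s:key> or <s:item> node into a str, list or dict."""
    children = list(node)
    if not children:
        return node.text or ""
    child = children[0]
    if local(child.tag) == "list":
        return [parse_value(item) for item in child]
    if local(child.tag) == "dict":
        return {key.get("name"): parse_value(key) for key in child}
    return node.text or ""


def parse_roles(feed_xml):
    """Map role name -> dict of response keys for every <entry> in the feed."""
    roles = {}
    for entry in ET.fromstring(feed_xml).iter():
        if local(entry.tag) != "entry":
            continue
        title = next(c.text for c in entry if local(c.tag) == "title")
        content = next(c for c in entry if local(c.tag) == "content")
        roles[title] = parse_value(content)
    return roles


def reaches_audit_index(patterns):
    """Per the page, '*' never matches internal indexes; the pattern must start with '_'."""
    return any(p.startswith("_") and fnmatch.fnmatchcase("_audit", p) for p in patterns)


def audit_roles(feed_xml):
    """Return role name -> findings, counting inherited attributes as effective."""
    report = {}
    for name, role in parse_roles(feed_xml).items():
        direct = set(role.get("capabilities", []))
        inherited = set(role.get("imported_capabilities", []))
        parents = ",".join(role.get("imported_roles", []))
        findings = []
        for cap in sorted((direct | inherited) & WATCHLIST):
            origin = "direct" if cap in direct else "inherited via " + parents
            findings.append(f"{cap} ({origin})")
        indexes = (role.get("srchIndexesAllowed", [])
                   + role.get("imported_srchIndexesAllowed", []))
        if reaches_audit_index(indexes):
            findings.append("can search _audit")
        report[name] = findings
    return report


if __name__ == "__main__":
    for role_name, role_findings in audit_roles(SAMPLE_FEED).items():
        print(role_name, role_findings or "no findings")
```

To run it against a live instance, save the output of the curl request shown earlier to a file and pass the file contents to audit_roles.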


POST

Create a user role.

Request parameters

Name Type Description
capabilities String List of capabilities assigned to role. To send multiple capabilities, send this argument multiple times.

Roles inherit all capabilities from imported roles.

cumulativeRTSrchJobsQuota Number Maximum number of concurrently running real-time searches that all members of this role can have.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

cumulativeSrchJobsQuota Number Maximum number of concurrently running searches for all role members. A warning message is logged when the limit is reached.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

defaultApp String Specify the folder name of the default app to use for this role. A user-specific default app overrides this.
imported_roles String Specify a role to import attributes from. To import multiple roles, specify them separately. By default a role imports no other roles.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions.

Default roles

  • admin
  • can_delete
  • power
  • user

You can also specify additional roles that have been created.

name String Required. The name of the user role to create.
rtSrchJobsQuota Number Specify the maximum number of concurrent real-time search jobs for this role.

This count is independent from the normal search jobs limit.

srchDiskQuota Number Specifies the maximum disk space in MB that can be used by a user's search jobs. For example, a value of 100 limits this role to 100 MB total.
srchFilter String Specify a search string that restricts the scope of searches run by this role. Search results for this role only show events that also match the search string you specify. In the case that a user has multiple roles with different search filters, they are combined with an OR.

The search string can include search fields and the following terms.

  • source
  • host
  • index
  • eventtype
  • sourcetype
  • *
  • OR
  • AND

Example: "host=web* OR source=/var/log/*"

Note: You can also use the srchIndexesAllowed and srchIndexesDefault parameters to limit the search on indexes.

srchIndexesAllowed String Index that this role has permissions to search. Pass this argument once for each index that you want to specify. These may be wildcarded, but the index name must begin with an underscore to match internal indexes.

Search indexes available by default include the following.

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main

You can also specify other search indexes added to the server.

srchIndexesDefault String For this role, indexes to search when no index is specified.

These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'.

A user with this role can search other indexes using "index= "

For example, "index=special_index".

Search indexes available by default include the following.

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main
  • other search indexes added to the server
srchJobsQuota Number The maximum number of concurrent searches a user with this role is allowed to run. For users with multiple roles, the maximum quota value among all of the roles applies.
srchTimeWin Number Maximum time span of a search, in seconds.

By default, searches are not limited to any specific time window. To override any search time windows from imported roles, set srchTimeWin to '0', as the 'admin' role does.

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles -d name=newrole1 -d imported_roles=user

XML Response

.
.
.
<title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:21:50-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>newrole1</title>
   <id>https://localhost:8089/services/authorization/roles/newrole1</id>
   <updated>2014-06-30T13:21:50-07:00</updated>
   <link href="/services/authorization/roles/newrole1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/newrole1" rel="list"/>
   <link href="/services/authorization/roles/newrole1" rel="edit"/>
   <link href="/services/authorization/roles/newrole1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>

authorization/roles/{name}

https://<host>:<mPort>/services/authorization/roles/<name>

Access, create, or delete properties for the {name} role.

For additional information, see List of available capabilities in Securing Splunk Enterprise.


DELETE

Delete the specified role.

Request parameters
None

Response keys
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles -d name=newrole1 -d imported_roles=user

XML Response

.
.
.
<title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:21:50-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>newrole1</title>
   <id>https://localhost:8089/services/authorization/roles/newrole1</id>
   <updated>2014-06-30T13:21:50-07:00</updated>
   <link href="/services/authorization/roles/newrole1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/newrole1" rel="list"/>
   <link href="/services/authorization/roles/newrole1" rel="edit"/>
   <link href="/services/authorization/roles/newrole1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>


GET

Access the specified role.


Request parameters
None

Response keys

Name Description
capabilities List of capabilities assigned to this role.
cumulativeRTSrchJobsQuota Maximum number of concurrently running real-time searches for all role members. A warning message is logged when this limit is reached.
cumulativeSrchJobsQuota Maximum number of concurrently running searches for all role members. A warning message is logged when this limit is reached.
defaultApp The name of the app to use as the default app for this role.

A user-specific default app overrides this.

imported_capabilities List of capabilities assigned to role that were made available from imported roles.
imported_roles List of imported roles for this role.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions.

imported_rtSrchJobsQuota The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchFilter Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed A list of indexes, imported from other roles, this role has permissions to search.
imported_srchIndexesDefault A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter Search string that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed A list of indexes this role has permissions to search.
srchIndexesDefault List of indexes that this role searches by default when no index is specified.
srchJobsQuota The maximum number of concurrent real-time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1

XML Response

<title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:30:34-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>newrole1</title>
   <id>https://localhost:8089/services/authorization/roles/newrole1</id>
   <updated>2014-06-30T13:30:34-07:00</updated>
   <link href="/services/authorization/roles/newrole1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/newrole1" rel="list"/>
   <link href="/services/authorization/roles/newrole1" rel="edit"/>
   <link href="/services/authorization/roles/newrole1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>capabilities</s:item>
               <s:item>cumulativeRTSrchJobsQuota</s:item>
               <s:item>cumulativeSrchJobsQuota</s:item>
               <s:item>defaultApp</s:item>
               <s:item>imported_roles</s:item>
               <s:item>rtSrchJobsQuota</s:item>
               <s:item>srchDiskQuota</s:item>
               <s:item>srchFilter</s:item>
               <s:item>srchIndexesAllowed</s:item>
               <s:item>srchIndexesDefault</s:item>
               <s:item>srchJobsQuota</s:item>
               <s:item>srchTimeWin</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>


POST

Update the specified role.


Request parameters

Name Type Description
capabilities String List of capabilities assigned to this role.
cumulativeRTSrchJobsQuota Number Maximum number of concurrently running real-time searches for all role members. A warning message is logged when this limit is reached.
cumulativeSrchJobsQuota Number Maximum number of concurrently running searches for all role members. A warning message is logged when this limit is reached.
defaultApp String The folder name for the app to use as the default app for this role.

A user-specific default app overrides this.

imported_capabilities String List of capabilities assigned to role that were made available from imported roles.
imported_roles String List of imported roles for this role.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions.

imported_rtSrchJobsQuota String The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchDiskQuota String The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchFilter String Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed String A list of indexes, imported from other roles, this role has permissions to search.
imported_srchIndexesDefault String A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota String The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin String Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota Number The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota Number The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter String Search string that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed String A list of indexes this role has permissions to search.
srchIndexesDefault String List of indexes that this role searches by default when no index is specified.
srchJobsQuota Number The maximum number of concurrent real-time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Number Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.


Response keys
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1 -d defaultApp=launcher

XML Response

<title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:33:38-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>newrole1</title>
   <id>https://localhost:8089/services/authorization/roles/newrole1</id>
   <updated>2014-06-30T13:33:38-07:00</updated>
   <link href="/services/authorization/roles/newrole1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/newrole1" rel="list"/>
   <link href="/services/authorization/roles/newrole1" rel="edit"/>
   <link href="/services/authorization/roles/newrole1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>

storage/passwords

https://<host>:<mPort>/services/storage/passwords

Create or update user credentials, or list credentials for all users.

Authorization
Only admin-level users can access this endpoint.

Usage details
The password credential is the only part of the user credentials that is stored securely. It is encrypted with a secure key resident on the same server.


GET

List available credentials.


Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/storage/passwords

XML Response

.
.
.
<title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T13:43:06-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:testuser:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A</id>
   <updated>2014-06-30T13:43:06-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">newpwd</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$prTUy3vRWg==</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">testuser</s:key>
     </s:dict>
   </content>
 </entry>
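
The following added example (not part of Splunk's documentation) parses the nested s:dict responses shown above for authorization/roles and storage/passwords, then reports what a role effectively gains through imported_roles and which stored credentials carry a wildcard read ACL or return clear_password. The namespace URIs, the feed wrapper around the trimmed sample entries, the capability watch-list and the finding labels are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are an assumption: the page's excerpts elide the <feed> root that declares them.
ATOM = "http://www.w3.org/2005/Atom"
NS = {"a": ATOM, "s": "http://dev.splunk.com/ns/rest"}

def s_value(node):
    """Turn the body of an <s:key>, <s:item> or <content> into a dict, list or string."""
    d = node.find("s:dict", NS)
    if d is not None:
        return {k.get("name"): s_value(k) for k in d.findall("s:key", NS)}
    lst = node.find("s:list", NS)
    if lst is not None:
        return [s_value(i) for i in lst.findall("s:item", NS)]
    return (node.text or "").strip()

def entries(feed_xml):
    """Map each <entry> title to its parsed <content> dictionary."""
    root = ET.fromstring(feed_xml)
    return {e.findtext("a:title", "", NS): s_value(e.find("a:content", NS))
            for e in root.iter("{%s}entry" % ATOM)}

def as_list(value):
    # Empty keys parse to "", so normalise anything that is not a list.
    return value if isinstance(value, list) else []

def audit_role(role, watch=("change_authentication", "rest_properties_set")):
    """Findings for one role, combining its own and imported attributes.
    The watch-list is an illustrative choice, not a Splunk default."""
    caps = set(as_list(role.get("capabilities"))) | set(as_list(role.get("imported_capabilities")))
    idx = set(as_list(role.get("srchIndexesAllowed"))) | set(as_list(role.get("imported_srchIndexesAllowed")))
    findings = ["capability:" + c for c in sorted(caps & set(watch))]
    if "*" in idx:
        findings.append("index-wildcard")
    if not (role.get("srchFilter") or role.get("imported_srchFilter")):
        findings.append("no-srchFilter")
    return findings

def audit_credential(cred):
    """Findings for one stored credential; the secret itself is never returned."""
    acl = cred.get("eai:acl") or {}
    perms = acl.get("perms") or {}
    findings = []
    if "*" in as_list(perms.get("read")):
        findings.append("acl-read-wildcard")
    if cred.get("clear_password"):
        findings.append("clear_password-in-response")
    return findings

def feed(body):
    # Assumed wrapper standing in for the elided root element.
    return '<feed xmlns="%s" xmlns:s="%s">' % (ATOM, NS["s"]) + body + "</feed>"

# Constructed samples: the page's example entries, trimmed to the keys the audit reads.
ROLE_XML = feed("""<entry><title>newrole1</title><content type="text/xml"><s:dict>
  <s:key name="capabilities"><s:list/></s:key>
  <s:key name="imported_capabilities"><s:list>
    <s:item>rest_properties_set</s:item><s:item>search</s:item></s:list></s:key>
  <s:key name="imported_roles"><s:list><s:item>user</s:item></s:list></s:key>
  <s:key name="imported_srchFilter"></s:key>
  <s:key name="imported_srchIndexesAllowed"><s:list><s:item>*</s:item></s:list></s:key>
  <s:key name="srchFilter"></s:key>
  <s:key name="srchIndexesAllowed"><s:list/></s:key>
</s:dict></content></entry>""")

CRED_XML = feed("""<entry><title>:testuser:</title><content type="text/xml"><s:dict>
  <s:key name="clear_password">newpwd</s:key>
  <s:key name="eai:acl"><s:dict>
    <s:key name="owner">admin</s:key>
    <s:key name="perms"><s:dict>
      <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
      <s:key name="write"><s:list><s:item>admin</s:item><s:item>power</s:item></s:list></s:key>
    </s:dict></s:key>
    <s:key name="sharing">app</s:key>
  </s:dict></s:key>
  <s:key name="realm"></s:key>
  <s:key name="username">testuser</s:key>
</s:dict></content></entry>""")

def report():
    """Run both audits over the constructed samples."""
    out = {}
    for name, role in entries(ROLE_XML).items():
        out["role " + name] = audit_role(role)
    for title, cred in entries(CRED_XML).items():
        out["credential " + title] = audit_credential(cred)
    return out

if __name__ == "__main__":
    for subject, findings in report().items():
        print(subject, findings)
```

The role newrole1 defines no capabilities or indexes of its own, yet the audit flags it because everything it can do arrives through the imported user role.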


POST

Create/update new credentials.


Request parameters

Name Type Description
name String Required. Credentials username.
password String Required. Credentials user password.
realm String Credentials realm.

Response keys

Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username Username associated with credentials.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords -d name=user1 -d password=changeme2

XML Response

.
.
.
<title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T13:51:44-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:user1:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
   <updated>2014-06-30T13:51:44-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">changeme2</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">user1</s:key>
     </s:dict>
   </content>
 </entry>

storage/passwords/{name}

https://<host>:<mPort>/services/storage/passwords/<name>

Update, delete, or list credentials for the {name} user.


DELETE

Delete the specified user credentials.

Usage details
The {name} portion of the URL must be bounded by the colon ( : ) symbol as in this example.

/services/storage/passwords/:uname:

Request parameters
None

Response keys
Returns a list of the remaining credentials in the {name} namespace.

Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/servicesNS/nobody/search/storage/passwords/:user1:

XML Response

 <title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T14:21:11-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>


GET

Access the specified user credentials.


Request parameters
None

Response keys

Name              Description
clear_password    Clear text password.
encr_password     Encrypted, stored password.
password          Password mask, always ********.
realm             Realm in which credentials are valid.
username          User name associated with credentials.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/user1

XML Response

 <title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T14:06:04-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:user1:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
   <updated>2014-06-30T14:06:04-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">changeme2</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list>
               <s:item>password</s:item>
             </s:list>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">user1</s:key>
     </s:dict>
   </content>
 </entry>
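
The GET response above returns clear_password in plain text next to an eai:acl whose read list is *. The following Python is an added example, not part of the Splunk documentation: it parses a storage/passwords response and reports, per entry, whether a clear-text password is returned and which roles can read it. The <feed> root and its namespace URIs are assumptions (the page shows the response without its root element), and the sample is constructed from the entry above.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs; the page's response omits the root that declares them.
NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample: the <entry> from the GET response, trimmed, in an assumed <feed>.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
 <entry>
  <title>:user1:</title>
  <content type="text/xml"><s:dict>
   <s:key name="clear_password">changeme2</s:key>
   <s:key name="eai:acl"><s:dict>
    <s:key name="perms"><s:dict>
     <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
     <s:key name="write"><s:list><s:item>admin</s:item><s:item>power</s:item></s:list></s:key>
    </s:dict></s:key>
    <s:key name="sharing">app</s:key>
   </s:dict></s:key>
   <s:key name="realm"></s:key>
   <s:key name="username">user1</s:key>
  </s:dict></content>
 </entry>
</feed>"""

def to_py(node):
    """Convert <content>, <s:key>, <s:dict> or <s:list> into a dict, list or str."""
    d = node if node.tag.endswith("}dict") else node.find("s:dict", NS)
    if d is not None:
        return {k.get("name"): to_py(k) for k in d.findall("s:key", NS)}
    lst = node if node.tag.endswith("}list") else node.find("s:list", NS)
    if lst is not None:
        return [i.text or "" for i in lst.findall("s:item", NS)]
    return node.text or ""

def audit(feed_xml):
    """Return one finding per credential entry in a storage/passwords feed."""
    findings = []
    for entry in ET.fromstring(feed_xml).findall("a:entry", NS):
        c = to_py(entry.find("a:content", NS))
        acl = c.get("eai:acl") or {}
        read = (acl.get("perms") or {}).get("read", [])
        findings.append({
            "name": entry.findtext("a:title", namespaces=NS),
            "username": c.get("username"),
            "returns_clear_password": bool(c.get("clear_password")),
            "read_roles": read,
            "world_readable": "*" in read,
            "sharing": acl.get("sharing"),
        })
    return findings
```

Entries reported with world_readable set are candidates for a narrower read list on the credential's ACL.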


POST

Update the specified user credentials.

Request parameters

Name        Type      Description
password    String    User password credential.

Response keys

Name              Description
clear_password    Clear text password.
encr_password     Encrypted, stored password.
password          Password mask, always ********.
realm             Realm in which credentials are valid.
username          User name associated with credentials.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/splunker -d password=changemeAgain

XML Response

.
.
.
<title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T14:13:57-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:user1:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
   <updated>2014-06-30T14:13:57-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">changemeAgain</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$q7nC1WvQY/p0UtMdIVM=</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">user1</s:key>
     </s:dict>
   </content>
 </entry>


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

