Splunk® Enterprise

REST API Reference Manual

This documentation does not apply to the most recent version of Splunk.

Knowledge endpoint descriptions

Knowledge type endpoints:

  • Define data configurations indexed and searched by the Splunk platform.
  • Manage how data is handled, using lookups, field extractions, field aliases, sourcetypes, and transforms.
  • Manage saved event types.
  • Manage search field configurations and search-time tags.

Note: Username and password authentication is required for most endpoints and REST operations. Additional capability or role-based authorization may also be required, particularly for POST or DELETE operations.


data/lookup-table-files

https://<host>:<mPort>/services/data/lookup-table-files


Description

Provides access to lookup table files.

Method summary

Method Description Formats
GET List lookup table files. XML, JSON
POST Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME. XML, JSON

GET data/lookup-table-files method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

POST data/lookup-table-files method detail

Example

Request parameters
Name Type Default Description
eai:data
required
String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
name
required
String The lookup table filename.
Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.
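The constraint stated for eai:data (the path must have the lookup staging area as an ancestor) is the only thing that keeps this endpoint from moving an arbitrary file into $SPLUNK_HOME. The following Python is an added illustration of that check on the client side, not code from this manual or from Splunk: it rejects a request whose path escapes the staging area, or whose name is not a plain filename, before anything is sent. The staging directory location, $SPLUNK_HOME, and every path below are assumed, constructed values.

```python
import posixpath

# Assumed locations, constructed for this example; nothing here is read from a real host.
SPLUNK_HOME = "/opt/splunk"
STAGING_DIR = posixpath.join(SPLUNK_HOME, "var", "run", "splunk", "lookup_tmp")


def staged_path_is_valid(eai_data: str, staging_dir: str = STAGING_DIR) -> bool:
    """True only if eai_data names something strictly inside staging_dir.

    The check is lexical: '..' segments are collapsed first, and the comparison is
    done on path components rather than string prefixes, so a sibling directory whose
    name merely starts with the staging directory name does not pass. On a real host,
    resolve symlinks with os.path.realpath() before applying the same test.
    """
    if not posixpath.isabs(eai_data):
        return False
    candidate = posixpath.normpath(eai_data)
    staging = posixpath.normpath(staging_dir)
    if candidate == staging:
        return False  # the staging area itself is not a lookup table file
    return posixpath.commonpath([candidate, staging]) == staging


def lookup_name_is_valid(name: str) -> bool:
    """The lookup table filename is one path component: no separators, not '.' or '..'."""
    return bool(name) and "/" not in name and "\\" not in name and name not in (".", "..")


def lookup_table_params(name: str, eai_data: str) -> dict:
    """Parameters for POST data/lookup-table-files, refused before any request is sent."""
    if not lookup_name_is_valid(name):
        raise ValueError(f"bad lookup filename: {name!r}")
    if not staged_path_is_valid(eai_data):
        raise ValueError(f"not inside the staging area: {eai_data!r}")
    return {"name": name, "eai:data": eai_data}


if __name__ == "__main__":
    for path in (
        STAGING_DIR + "/geo.csv",                                   # accepted
        STAGING_DIR + "/../../../../etc/passwd",                    # traversal, rejected
        STAGING_DIR + "_evil/geo.csv",                              # prefix trick, rejected
        "geo.csv",                                                  # relative, rejected
    ):
        print(f"{path!s:60} -> {staged_path_is_valid(path)}")
    print(lookup_table_params("geo.csv", STAGING_DIR + "/geo.csv"))
```

The prefix case is the one a naive `startswith` check gets wrong; comparing on components with `commonpath` avoids it. A `..` that is collapsed lexically still points at a different directory than a symlink would, which is why the real-host version should resolve the path first.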

[ Top ]


data/lookup-table-files/{name}

https://<host>:<mPort>/services/data/lookup-table-files/{name}

Description

Manage the {name} lookup table file.

Method summary

Method Description Formats
DELETE Delete the named lookup table file. XML, JSON
GET List a single lookup table file. XML, JSON
POST Modify a lookup table file by replacing it with a file from the upload staging area. XML, JSON

DELETE data/lookup-table-files/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/lookup-table-files/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:attributes Field control information.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

POST data/lookup-table-files/{name} method detail

Example

Request parameters
Name Type Default Description
eai:data
required
String Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor.
Response data keys
Name Description
eai:appName The app for which the lookup table applies.
eai:data The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME.
eai:userName The Splunk Enterprise user who created the lookup table.

[ Top ]


data/props/calcfields

https://<host>:<mPort>/services/data/props/calcfields

Description

Provides access to calculated fields, which are eval expressions in props.conf.

Method summary

Method Description Formats
GET Returns information on calculated fields for this instance of your Splunk deployment. XML, JSON
POST Create an eval expression defining a calculated field in props.conf. XML, JSON

GET data/props/calcfields method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.
Application usage

See Define calculated fields in the Splunk Knowledge Manager manual for more information.


POST data/props/calcfields method detail

Example

Request parameters
Name Type Default Description
name
required
String The name of the calculated field. Do not specify the "EVAL-" prefix for the field.

When Splunk Enterprise writes the calculated field to props.conf, it adds the "EVAL-" prefix.

stanza
required
String The name of the stanza in props.conf for the calculated field.

The name can be any of the following:

  • Sourcetype of an event
  • host::<host>, where <host> is the host for an event
  • source::<source>, where <source> is the source for an event.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the name of the stanza correctly.
value
required
String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the eval statement correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.
Application usage

See Define calculated fields in the Splunk Knowledge Manager manual for more information.

[ Top ]


data/props/calcfields/{name}

https://<host>:<mPort>/services/data/props/calcfields/{name}

Description

Manage the {name} calculated field.

Method summary

Method Description Formats
DELETE Deletes the named calculated field. XML, JSON
GET Returns details about the named calculated field. XML, JSON
POST Update the named calculated field. XML, JSON

DELETE data/props/calcfields/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

Use URL-encoding to ensure that Splunk Enterprise interprets the name of the calculated field correctly.
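Both the POST above (a stanza such as source::/var/log/secure and an eval statement full of parentheses, quotes and commas) and the DELETE on this endpoint (the same characters inside the {name} path segment) depend on correct encoding. The Python below is an added example, not code from this manual or from Splunk, that builds the requests with the standard library so the encoding is done once and can be inspected before anything is sent. The host, port, credentials, and the entry name used for the DELETE are assumed values; take the real entry name from the GET listing.

```python
import base64
import ssl
import urllib.request
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode

# Assumed deployment values, constructed for this example; the credentials are placeholders.
BASE_URL = "https://splunk.example.internal:8089"   # https://<host>:<mPort>
USERNAME, PASSWORD = "rest_user", "placeholder-password"


def encode_segment(name: str) -> str:
    """Percent-encode one path segment. safe="" also encodes ':' and '/', so a stanza
    such as source::/var/log/secure cannot be read as path structure by the server."""
    return quote(name, safe="")


def decode_segment(segment: str) -> str:
    return unquote(segment)


def decode_form(body: str) -> dict:
    """Inverse of the form encoding, for checking what a request will carry."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def build_request(method: str, endpoint: str, params: Optional[dict] = None,
                  name: Optional[str] = None, query: Optional[dict] = None) -> urllib.request.Request:
    """Build, but do not send, an authenticated request to the management port.

    params -> application/x-www-form-urlencoded body; urlencode() handles the
              parentheses, quotes, commas and spaces of an eval expression.
    name   -> the {name} path segment, percent-encoded as a single segment.
    query  -> query string, e.g. output_mode=json or the paging parameter count.
    """
    url = f"{BASE_URL}/services/{endpoint}"
    if name is not None:
        url += "/" + encode_segment(name)
    if query:
        url += "?" + urlencode(query)
    data = urlencode(params).encode() if params else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def send(req: urllib.request.Request, cafile: str) -> bytes:
    """Send with certificate verification against the CA that issued the management
    port certificate; do not disable verification to get past a self-signed cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    create = build_request("POST", "data/props/calcfields", params={
        "name": "auth_result",
        "stanza": "source::/var/log/secure",
        "value": 'if(match(_raw, "Failed password"), "fail", "ok")',
    })
    print(create.get_method(), create.full_url)
    print(create.data.decode())
    # Assumed entry name; the GET listing shows the real one for your instance.
    delete = build_request("DELETE", "data/props/calcfields",
                           name="source::/var/log/secure : EVAL-auth_result")
    print(delete.get_method(), delete.full_url)
    listing = build_request("GET", "data/props/calcfields", query={"output_mode": "json", "count": 0})
    print(listing.get_method(), listing.full_url)
```

The two encodings are different: the POST body is form-encoded (spaces become "+", "::" becomes "%3A%3A"), while the {name} segment uses plain percent-encoding with nothing left safe, so a "/" inside a source stanza never becomes a second path component.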


GET data/props/calcfields/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

POST data/props/calcfields/{name} method detail

Example

Request parameters
Name Type Default Description
value String The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
Note: Use URL-encoding to ensure that Splunk Enterprise interprets the eval statement correctly.

See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details.

Response data keys
Name Description
attribute The name of the calculated field, which includes the "EVAL-" prefix.
field.name The name of the field which is being calculated with an EVAL expression.
stanza The name of the stanza in props.conf that defines the calculated field.
type The type of the calculated field.

This is always EVAL.

value The EVAL statement for the calculated field.

[ Top ]


data/props/extractions

https://<host>:<mPort>/services/data/props/extractions

Description

Provides access to search-time field extractions in props.conf.

Method summary

Method Description Formats
GET List field extractions. XML, JSON
POST Create a new field extraction. XML, JSON

GET data/props/extractions method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field extraction applies.

For example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type: "inline" for an EXTRACT-type extraction, or "uses transform" for a REPORT-type extraction.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.


POST data/props/extractions method detail

Example

Request parameters
Name Type Default Description
name
required
String The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix.
stanza
required
String The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.
type
required
Enum Valid values: (REPORT | EXTRACT)

An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza.

value
required
String If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type: "inline" for an EXTRACT-type extraction, or "uses transform" for a REPORT-type extraction.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]


data/props/extractions/{name}

https://<host>:<mPort>/services/data/props/extractions/{name}

Description

Manage the {name} field extraction.

Method summary

Method Description Formats
DELETE Delete the named field extraction. XML, JSON
GET List a single field extraction. XML, JSON
POST Modify the named field extraction. XML, JSON

DELETE data/props/extractions/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/extractions/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza The props.conf stanza to which this field extraction applies.

For example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix.

type Specifies the field extraction type: "inline" for an EXTRACT-type extraction, or "uses transform" for a REPORT-type extraction.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.


POST data/props/extractions/{name} method detail

Example

Request parameters
Name Type Default Description
value
required
String If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, REPORT-<name> or EXTRACT-<name>.

stanza Specifies the name of the stanza for the field extraction.
type Specifies the field extraction type: "inline" for an EXTRACT-type extraction, or "uses transform" for a REPORT-type extraction.
value If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.

If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply.

[ Top ]


data/props/fieldaliases

https://<host>:<mPort>/services/data/props/fieldaliases

Description

Provides access to field aliases in props.conf.

Method summary

Method Description Formats
GET List field aliases. XML, JSON
POST Create a new field alias. XML, JSON

GET data/props/fieldaliases method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
alias.* The alias for a given field. The key names the original field and the value is its alias; for example, alias.foo with the value "bar" aliases "foo" to "bar".
attribute The props.conf attribute for this field alias, FIELDALIAS-<name>.
stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type The type of this props.conf entry. For this endpoint, a field alias.
value The alias definition as written to props.conf, for example "foo AS bar".


POST data/props/fieldaliases method detail

Example

Request parameters
Name Type Default Description
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
name
required
String The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix.
stanza
required
String The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
Response data keys
Name Description
alias.* The alias for a given field. The key names the original field and the value is its alias; for example, alias.foo with the value "bar" aliases "foo" to "bar".
attribute The props.conf attribute for this field alias, FIELDALIAS-<name>.
stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type The type of this props.conf entry. For this endpoint, a field alias.
value The alias definition as written to props.conf, for example "foo AS bar".

[ Top ]


data/props/fieldaliases/{name}

https://<host>:<mPort>/services/data/props/fieldaliases/{name}

Description

Manage the {name} field alias.

Method summary

Method Description Formats
DELETE Delete the named field alias. XML, JSON
GET List a single field alias. XML, JSON
POST Modify the named field alias. XML, JSON

DELETE data/props/fieldaliases/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/fieldaliases/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
alias.* The alias for a given field. The key names the original field and the value is its alias; for example, alias.foo with the value "bar" aliases "foo" to "bar".
attribute The props.conf attribute for this field alias, FIELDALIAS-<name>.
stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type The type of this props.conf entry. For this endpoint, a field alias.
value The alias definition as written to props.conf, for example "foo AS bar".


POST data/props/fieldaliases/{name} method detail

Example

Request parameters
Name Type Default Description
alias.* String The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar".
Response data keys
Name Description
alias.* The alias for a given field. The key names the original field and the value is its alias; for example, alias.foo with the value "bar" aliases "foo" to "bar".
attribute The props.conf attribute for this field alias, FIELDALIAS-<name>.
stanza The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix.
type The type of this props.conf entry. For this endpoint, a field alias.
value The alias definition as written to props.conf, for example "foo AS bar".

[ Top ]


data/props/lookups

https://<host>:<mPort>/services/data/props/lookups

Description

Provides access to automatic lookups in props.conf.

Method summary

Method Description Formats
GET List automatic lookups. XML, JSON
POST Create a new automatic lookup. XML, JSON

GET data/props/lookups method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP

value The lookup definition as written to props.conf: the transforms.conf stanza name, followed by the input field mappings and the OUTPUT (overwrite=true) or OUTPUTNEW (overwrite=false) output field mappings.

POST data/props/lookups method detail

Example

Request parameters
Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
name
required
String The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix.
overwrite
required
Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza
required
String The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.
transform
required
String The transforms.conf stanza that defines the lookup to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The lookup definition as written to props.conf: the transforms.conf stanza name, followed by the input field mappings and the OUTPUT (overwrite=true) or OUTPUTNEW (overwrite=false) output field mappings.

[ Top ]


data/props/lookups/{name}

https://<host>:<mPort>/services/data/props/lookups/{name}

Description

Manage the {name} automatic lookup.

Method summary

Method Description Formats
DELETE Delete the named automatic lookup. XML, JSON
GET List a single automatic lookup. XML, JSON
POST Modify the named automatic lookup. XML, JSON

DELETE data/props/lookups/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/lookups/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The lookup definition as written to props.conf: the transforms.conf stanza name, followed by the input field mappings and the OUTPUT (overwrite=true) or OUTPUTNEW (overwrite=false) output field mappings.

POST data/props/lookups/{name} method detail

Example

Request parameters
Name Type Default Description
lookup.field.input.* String A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* String A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite
required
Boolean If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
transform
required
String The transforms.conf stanza that defines the lookup to apply.
Response data keys
Name Description
attribute Specifies the field extraction configuration.

For example, LOOKUP-my_lookup.

lookup.field.input.* A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events.
lookup.field.output.* A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events.
overwrite If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist.
stanza The props.conf stanza to which this automatic lookup applies.

For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix.

transform The transforms.conf stanza that defines the lookup to apply.
type Specifies the field extraction type.

For this endpoint, this is always LOOKUP.

value The lookup definition as written to props.conf: the transforms.conf stanza name, followed by the input field mappings and the OUTPUT (overwrite=true) or OUTPUTNEW (overwrite=false) output field mappings.

[ Top ]


data/props/sourcetype-rename

https://<host>:<mPort>/services/data/props/sourcetype-rename

Description

Provides access to renamed sourcetypes which are configured in props.conf.

Method summary

Method Description Formats
GET List renamed sourcetypes. XML, JSON
POST Rename a sourcetype. XML, JSON

GET data/props/sourcetype-rename method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

POST data/props/sourcetype-rename method detail

Example

Request parameters
Name Type Default Description
name
required
String The original sourcetype name.
value
required
String The new sourcetype name.
Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

[ Top ]


data/props/sourcetype-rename/{name}

https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}

Description

Manage {name} sourcetype renaming.

Method summary

Method Description Formats
DELETE Restore original sourcetype name. XML, JSON
GET List a single renamed sourcetype. XML, JSON
POST Rename a sourcetype again, i.e. modify a sourcetype's new name. XML, JSON

DELETE data/props/sourcetype-rename/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/props/sourcetype-rename/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

POST data/props/sourcetype-rename/{name} method detail

Example

Request parameters
Name Type Default Description
value
required
String The new sourcetype name.
Response data keys
Name Description
attribute The configuration key.
stanza The sourcetype to rename, which is the name of a stanza in props.conf.
type The value of the configuration key.
value The new name for the sourcetype.

[ Top ]


data/transforms/extractions

https://<host>:<mPort>/services/data/transforms/extractions

Description

Provides access to field transformations, i.e. field extraction definitions.

Method summary

Method Description Formats
GET List field transformations. XML, JSON
POST Create a new field transformation. XML, JSON

GET data/transforms/extractions method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write the fields extracted by REGEX to event metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = _meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = _meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

POST data/transforms/extractions method detail

Example

Request parameters
Name Type Default Description
CAN_OPTIMIZE Boolean True Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
disabled Boolean Specifies whether the field transformation is disabled.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then:

  • "FORMAT = foo$1" yields "foobar"
  • "FORMAT = foo$bar" yields "foo$bar"
  • "FORMAT = foo$1234" yields "foo$1234"
  • "FORMAT = foo$1\\$2" yields "foobar\\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows:

    FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*
    field-name = [<string>|$<extracting-group-number>]
    field-value = [<string>|$<extracting-group-number>]

Search-time extraction examples:

    FORMAT = first::$1 second::$2 third::other-value
    FORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk Enterprise preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
name
required
String The name of the field transformation.
REGEX
required
String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent:

    Using FORMAT:
        REGEX = ([a-z]+)=([a-z]+)
        FORMAT = $1::$2
    Without using FORMAT:
        REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY
required
String _raw Specify the KEY to which Splunk Enterprise applies REGEX.
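The FORMAT and REGEX rules in the table above (index-time "$n" substitution and the "$0" placeholder, the search-time <field-name>::<field-value> grammar, the _KEY_/_VAL_ capturing groups, and the CLEAN_KEYS, MV_ADD and KEEP_EMPTY_VALS switches) as an added Python model of that behaviour. This is example code written for this page, not Splunk code, and the REST endpoint does not run it. Two assumptions are not stated on the page: the digits after "$" are read as one maximal run (so "$1234" with one group stays literal), and named groups are spelled (?P<name>...) because Python's re module does not accept the (?<name>...) form shown in the table. The sample events are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample event (not from the Splunk documentation).
SAMPLE_EVENT = "src=10.1.2.3 user=alice action=login status=ok"


def apply_index_time_format(fmt: str, groups: List[str], dest_before: str = "") -> str:
    """Expand an index-time FORMAT string against the REGEX capture groups.

    Rules from the page: "$" is the only special character; "$n" is replaced
    by capturing group n only when group n exists; "$0" is what DEST_KEY held
    before the REGEX ran; everything else is literal.  Assumption: the digits
    after "$" are consumed as one run, so "$1234" with one group is literal.
    """
    out: List[str] = []
    i = 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == "$":
            j = i + 1
            while j < len(fmt) and fmt[j].isdigit():
                j += 1
            digits = fmt[i + 1:j]
            if digits:
                n = int(digits)
                if n == 0:
                    out.append(dest_before)
                    i = j
                    continue
                if 1 <= n <= len(groups):
                    out.append(groups[n - 1])
                    i = j
                    continue
            # "$" not followed by an existing group number: keep it literally.
        out.append(ch)
        i += 1
    return "".join(out)


def clean_key(name: str) -> str:
    """CLEAN_KEYS: non-alphanumerics become underscores, leading underscores go."""
    return re.sub(r"[^A-Za-z0-9]", "_", name).lstrip("_")


def search_time_extract(regex: str, fmt: str, event: str, *,
                        clean_keys: bool = True, mv_add: bool = False,
                        keep_empty_vals: bool = False,
                        existing: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    """Apply one search-time transform to an event and return the field map."""
    fields: Dict[str, object] = dict(existing or {})
    m = re.search(regex, event)
    if not m:
        return fields
    groups = [g if g is not None else "" for g in m.groups()]

    def expand(token: str) -> str:
        # Search time allows a bare "$n" only; no concatenation (per the page).
        if re.fullmatch(r"\$\d+", token):
            n = int(token[1:])
            return groups[n - 1] if 1 <= n <= len(groups) else token
        return token

    pairs: List[Tuple[str, str]] = []
    if fmt:
        # FORMAT = <name>::<value>( <name>::<value>)*
        for item in fmt.split():
            name, _, value = item.partition("::")
            pairs.append((expand(name), expand(value)))
    else:
        # No FORMAT: named groups become fields directly, and a _KEY_<x> group
        # supplies the field name for the matching _VAL_<x> group.
        named = m.groupdict()
        for gname, gval in named.items():
            if gname.startswith("_KEY_"):
                suffix = gname[len("_KEY_"):]
                pairs.append((gval or "", named.get("_VAL_" + suffix) or ""))
            elif not gname.startswith("_VAL_"):
                pairs.append((gname, gval or ""))

    for name, value in pairs:
        if clean_keys:
            name = clean_key(name)
        if not name:
            continue
        if value == "" and not keep_empty_vals:
            continue  # KEEP_EMPTY_VALS=false drops empty extractions
        if name in fields:
            if mv_add:  # MV_ADD=true: field becomes multivalued, value appended
                cur = fields[name]
                fields[name] = (list(cur) if isinstance(cur, list) else [cur]) + [value]
            # MV_ADD=false: the newly extracted value is discarded
        else:
            fields[name] = value
    return fields
```

Running search_time_extract with REGEX ([a-z]+)=([a-z]+) and FORMAT $1::$2, and again with the _KEY_1/_VAL_1 form and no FORMAT, yields the same {"user": "alice"} on the sample event, which is the equivalence the table states.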
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.



data/transforms/extractions/{name}

https://<host>:<mPort>/services/data/transforms/extractions/{name}

Description

Manage {name} field transformation.

Method summary

Method Description Formats
DELETE Delete the named field transformation. XML, JSON
GET List a single field transformation. XML, JSON
POST Modify the named field transformation. XML, JSON

DELETE data/transforms/extractions/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/transforms/extractions/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.

POST data/transforms/extractions/{name} method detail

Example

Request parameters
Name Type Default Description
REGEX String Specify a regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

REGEX and the FORMAT attribute:

Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases.

If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>.

For example, the following are equivalent:

    Using FORMAT:
        REGEX = ([a-z]+)=([a-z]+)
        FORMAT = $1::$2
    Without using FORMAT:
        REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)

REGEX defaults to an empty string.

SOURCE_KEY String _raw Specify the KEY to which Splunk Enterprise applies REGEX.
CAN_OPTIMIZE Bool True Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.

NOTE: This option should rarely be set to false.

CLEAN_KEYS Boolean True If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
FORMAT String This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

FORMAT for index-time extractions:

Use $n (for example $1, $2, etc) to specify the output of each REGEX match.

If REGEX does not have n groups, the matching fails.

The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed.

At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4

When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then:

    "FORMAT = foo$1" yields "foobar"
    "FORMAT = foo$bar" yields "foo$bar"
    "FORMAT = foo$1234" yields "foo$1234"
    "FORMAT = foo$1\$2" yields "foobar\$2"

At index-time, FORMAT defaults to <stanza-name>::$1

FORMAT for search-time extractions:

The format of this field as used during search time extractions is as follows:

    FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*
    field-name = [<string>|$<extracting-group-number>]
    field-value = [<string>|$<extracting-group-number>]

Search-time extraction examples:

    FORMAT = first::$1 second::$2 third::other-value
    FORMAT = $1::$2

You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time.

At search-time, FORMAT defaults to an empty string.

KEEP_EMPTY_VALS Boolean False If set to true, Splunk Enterprise preserves extracted fields with empty values.
MV_ADD Boolean False If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
disabled Boolean Specifies whether the field transformation is disabled.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions:

    REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below).
    REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if the field transformation is disabled.
eai:appName The Splunk Enterprise app for which the field extractions are defined. For example, the search app.
eai:userName The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user.



data/transforms/lookups

https://<host>:<mPort>/services/data/transforms/lookups

Description

Provides access to lookup definitions in transforms.conf.

Method summary

Method Description Formats
GET List lookup definitions. XML, JSON
POST Create a new lookup definition. XML, JSON

GET data/transforms/lookups method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command.
type Specifies the field extraction type.

Can be either external or file.


POST data/transforms/lookups method detail

Example

Request parameters
Name Type Default Description
name String The name of the lookup definition.
default_match String If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.

If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk Enterprise uses the first <integer> entries, in file order.

If the lookup is temporal, Splunk Enterprise uses the first <integer> entries in descending time order.

Default = 100 if the lookup is not temporal, default = 1 if it is temporal.

max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.
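The matching rules described for the lookup parameters above (max_matches defaulting to 100 for a non-temporal lookup and 1 for a temporal one, file order versus descending time order, the min_offset_secs/max_offset_secs window on how much later than the entry the event may be, and default_match padding up to min_matches) as an added Python model. This is example code written for this page, not Splunk's lookup implementation, and it works on a constructed CSV table rather than a file in $SPLUNK_HOME. Assumptions not stated on the page: min_offset_secs defaults to 0, and an unset max_offset_secs means no upper bound.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional

# Constructed lookup table (not from the Splunk documentation): an asset
# inventory keyed by ip, with a timestamp column usable as time_field.
LOOKUP_CSV = (
    "ip,owner,ts\n"
    "10.1.2.3,alice,2024-01-01 10:00:00\n"
    "10.1.2.3,bob,2024-01-01 12:00:00\n"
    "10.1.2.3,carol,2024-01-01 14:00:00\n"
    "10.9.9.9,dave,2024-01-01 09:00:00\n"
)


def load_table(text: str) -> List[Dict[str, str]]:
    """Parse CSV text into rows, preserving file order."""
    return list(csv.DictReader(io.StringIO(text)))


TABLE = load_table(LOOKUP_CSV)


def lookup(table: List[Dict[str, str]], key_field: str, key_value: str,
           output_field: str, *,
           time_field: Optional[str] = None,
           time_format: str = "%Y-%m-%d %H:%M:%S",
           event_time: Optional[str] = None,
           min_offset_secs: int = 0,
           max_offset_secs: Optional[int] = None,
           max_matches: Optional[int] = None,
           min_matches: int = 0,
           default_match: Optional[str] = None) -> List[str]:
    """Return the output_field values a lookup would produce for one input."""
    temporal = time_field is not None
    if max_matches is None:
        # Defaults stated on the page: 100 if non-temporal, 1 if temporal.
        max_matches = 1 if temporal else 100

    rows = [r for r in table if r[key_field] == key_value]

    if temporal:
        if event_time is None:
            raise ValueError("temporal lookup needs the event timestamp")
        ev = datetime.strptime(event_time, time_format)

        def offset(row: Dict[str, str]) -> float:
            # How much later the event is than the lookup entry, in seconds.
            return (ev - datetime.strptime(row[time_field], time_format)).total_seconds()

        rows = [r for r in rows
                if offset(r) >= min_offset_secs
                and (max_offset_secs is None or offset(r) <= max_offset_secs)]
        # Temporal: first <max_matches> entries in descending time order.
        rows.sort(key=lambda r: datetime.strptime(r[time_field], time_format),
                  reverse=True)
    # Non-temporal: first <max_matches> entries in file order (list order here).
    matches = [r[output_field] for r in rows[:max_matches]]

    # default_match fills in one or more times until min_matches is reached.
    if min_matches > 0 and default_match is not None:
        while len(matches) < min_matches:
            matches.append(default_match)
    return matches
```

With an event at 13:00:00 the temporal call returns only bob's entry (the latest one not after the event) because max_matches defaults to 1; the same input with max_matches=2 adds alice, and carol's 14:00:00 entry is never eligible because the event is not later than it.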



data/transforms/lookups/{name}

https://<host>:<mPort>/services/data/transforms/lookups/{name}

Description

Manage the {name} lookup definition.

Method summary

Method Description Formats
DELETE Delete the named lookup definition. XML, JSON
GET List a single lookup definition. XML, JSON
POST Modify the named lookup definition. XML, JSON

DELETE data/transforms/lookups/{name} method detail

Example

Request parameters

None

Response data keys

None


GET data/transforms/lookups/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
CAN_OPTIMIZE Indicates whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS Indicates whether Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS Indicates whether Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD For index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

disabled Indicates if this lookup is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:attributes Field control information.
eai:userName The Splunk Enterprise user for which the lookups are defined.
filename The name of the static lookup table file.
type Specifies the field extraction type.

Can be either external or file.


POST data/transforms/lookups/{name} method detail

Example

Request parameters
Name Type Default Description
default_match String If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Boolean Specifies whether the lookup definition is disabled.
external_cmd String Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list String A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename String The name of the static lookup table file.
max_matches Number The maximum number of possible matches for each input lookup value.
max_offset_secs Number For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches Number The minimum number of possible matches for each input lookup value.
min_offset_secs Number For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur.
time_field String For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format String For temporal lookups, this specifies the "strptime" format of the timestamp field.
Response data keys
Name Description
CAN_OPTIMIZE Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).

You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search.

CLEAN_KEYS If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores.
DEFAULT_VALUE Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails.
DEST_KEY Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results.
FORMAT This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.

This attribute specifies the format of the event, including any field names or values you want to add.

For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions.

KEEP_EMPTY_VALS If set to true, Splunk Enterprise preserves extracted fields with empty values.
LOOKAHEAD Optional attribute for index-time field extractions. Specifies how many characters to search into an event.

Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking).

MV_ADD If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded.
REGEX The regular expression to operate on your data.

This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms.

For details, see the documentation for this parameter in the POST operation.

SOURCE_KEY The KEY to which Splunk Enterprise applies REGEX.
WRITE_META Indicates whether to automatically write REGEX to metadata.

This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute).

Use instead of DEST_KEY = meta.

default_match If min_matches is greater than zero and Splunk Enterprise finds fewer than min_matches matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached.
disabled Specifies whether the lookup definition is disabled.
eai:appName The Splunk Enterprise app for which the lookups are defined. For example, the search app.
eai:userName The Splunk Enterprise user for which the lookups are defined.
external_cmd Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with an external script rather than a lookup table.

This string is parsed like a shell command. The first argument is expected to be a python script located in:

$SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts)

Presence of this field indicates that the lookup is external and command based.

fields_list List of all fields that are supported by the external command. Use this for external (or "scripted") lookups.
filename The name of the static lookup table file.
max_matches The maximum number of possible matches for each input lookup value.
max_offset_secs For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
min_matches The minimum number of possible matches for each input lookup value.
min_offset_secs For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur.
time_field For temporal lookups, this is the field in the lookup table that represents the timestamp.
time_format For temporal lookups, this specifies the "strptime" format of the timestamp field.
type Specifies the field extraction type.

Can be either external or file.


data/ui/views

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views

Description

Create dashboard source XML.

Method summary

Method Description Formats
POST Create a new dashboard XML definition. XML

POST data/ui/views method detail

Example

Request parameters
Name Type Default Description
name String Dashboard name.
eai:data XML document Dashboard XML definition.
Response data keys
Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node.

data/ui/views/{name}

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}

Description

Access or update existing dashboard source XML.

Method summary

Method Description Formats
GET Access an existing dashboard XML definition. XML
POST Update an existing dashboard XML definition. XML
DELETE Delete an existing dashboard XML definition. XML

GET data/ui/views/{name} method detail

Example

Request parameters

None.

Response data keys
Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node.


POST data/ui/views/{name} method detail

Example

Request parameters
Name Type Default Description
eai:data XML document Dashboard XML definition.
Response data keys
Name Description
eai:appName App context for the dashboard.
eai:data XML definition for the dashboard.
eai:type User interface type. For dashboards, this type is view.
eai:userName User who created the dashboard.
isDashboard Boolean value indicating whether the knowledge object is a dashboard.
isVisible Boolean value indicating whether the dashboard is visible.
label Dashboard label.
rootNode XML root node.


DELETE data/ui/views/{name} method detail

Example

Request parameters

None.

Response data keys

None.


datamodel/acceleration (DEPRECATED)

https://<host>:<mPort>/services/datamodel/acceleration

Description

Access information about data models that have acceleration enabled.

Method summary

Method Description Formats
GET List information about data models that have acceleration enabled. XML, JSON

GET datamodel/acceleration method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

Application usage

Refer to Manage data models for more implementation information about data models and acceleration.


datamodel/acceleration/{name} (DEPRECATED)

https://<host>:<mPort>/services/datamodel/acceleration/{name}

Description

Get information about the {name} datamodel.

Method summary

Method Description Formats
GET List information about the named data model, which has acceleration enabled. XML, JSON

GET datamodel/acceleration/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
acceleration Indicates if acceleration is enabled for this data model.
acceleration.earliest_time The earliest time to dispatch the search.
search Specifies the search to accelerate this data model.


datamodel/model

https://<host>:<mPort>/services/datamodel/model

Description

Access information about data models.

Method summary

Method Description Formats
GET List data models on the server. XML, JSON
POST Create a new data model. XML, JSON

GET datamodel/model method detail

Example

Request parameters
Name Type Default Description
concise Boolean Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk Enterprise app in which the data model was created.
eai:userName The name of the Splunk Enterprise user who created the data model.
Application usage

For more implementation information on data models refer to About data models in the Knowledge Manager manual.


POST datamodel/model method detail

Example

Request parameters
Name Type Default Description
description String JSON description of the data model.
name String Name of the data model.
acceleration String Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:
enabled (true or false)
earliest_time (time modifier)
cron_schedule (cron string)

For example:

acceleration='{"enabled": true, "earliest_time": "-1mon", "cron_schedule": "0 */12 * * *"}'

Response data keys

None

Application usage

For more implementation information on data models refer to About data models in the Knowledge Manager manual.


datamodel/model/{name}

https://<host>:<mPort>/services/datamodel/model/{name}

Description

Manage the {name} datamodel resource.

Method summary

Method Description Formats
DELETE Deletes a data model resource. XML, JSON
GET List information about a data model resource. XML, JSON
POST Update a data model resource. XML, JSON

DELETE datamodel/model/{name} method detail

Example

Request parameters

None

Response data keys

None


GET datamodel/model/{name} method detail

Example

Request parameters
Name Type Default Description
concise Boolean Indicates whether to list a concise JSON description of the data model.

The concise description is a summary for human readability. It is not used to create the data model.

Response data keys
Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk Enterprise app in which the data model was created.
eai:attributes Field control information.
eai:userName The name of the Splunk Enterprise user who created the data model.

POST datamodel/model/{name} method detail

Example

Request parameters
Name Type Default Description
acceleration String Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:
enabled (true or false)
earliest_time (time modifier)
cron_schedule (cron string)

For example:

acceleration='{"enabled": true, "earliest_time": "-1mon", "cron_schedule": "0 */12 * * *"}'

description String JSON description of the data model.
provisional Boolean Indicates whether the data model is provisional. Provisional data models are not saved.

Specify true to validate a data model before saving it.

If the endpoint returns with no errors, then specify this endpoint again, with provisional set to false, to save the data model.

Response data keys
Name Description
acceleration Indicates whether acceleration is enabled for the data model.
concise Indicates whether to list a concise JSON description of the data model.
description The JSON describing the data model.
displayName The name displayed for the data model in Splunk Web.
eai:appName The Splunk Enterprise app in which the data model was created.
eai:attributes Field control information.
eai:userName The name of the Splunk Enterprise user who created the data model.
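The validate-then-save flow described under the provisional parameter above, as an added example (not Splunk's documentation or SDK code): it builds the acceleration JSON with properly quoted values and the form bodies for POST datamodel/model/{name}, and sends them through an injectable transport so it runs offline. FakeSplunk, the sample description and the base URL are constructed stand-ins, not real server behaviour.

```python
"""Validate a data model with provisional=true, then save it.

Added example; not from the Splunk documentation or the Splunk SDK.
FakeSplunk is a constructed stand-in for the endpoint, not real
server behaviour.
"""
import json
from urllib.parse import parse_qsl, quote, urlencode


def acceleration_json(enabled, earliest_time, cron_schedule):
    """Serialize acceleration settings as a JSON object string.

    The time modifier and cron string must be JSON strings; bare tokens
    such as -1mon or 0 */12 * * * are not valid JSON.
    """
    return json.dumps({
        "enabled": bool(enabled),
        "earliest_time": earliest_time,
        "cron_schedule": cron_schedule,
    })


def model_url(base, name):
    """URL for datamodel/model/{name}; the name is percent-quoted so a
    value containing '/' or '?' cannot alter the path or add a query."""
    return f"{base}/services/datamodel/model/{quote(name, safe='')}"


def model_update_body(description, acceleration, provisional):
    """Form-encode the POST body. `description` may be a dict (serialized
    here) or a pre-built JSON string; `provisional` is sent as true/false."""
    if not isinstance(description, str):
        description = json.dumps(description)
    return urlencode({
        "description": description,
        "acceleration": acceleration,
        "provisional": "true" if provisional else "false",
    })


def validate_then_save(post, base, name, description, acceleration):
    """POST with provisional=true; only if that returns no error, POST
    again with provisional=false to save. `post(url, body)` is an assumed
    transport callable returning (status, text). Returns the list of
    (provisional, status) pairs actually sent, in order."""
    sent = []
    for provisional in (True, False):
        body = model_update_body(description, acceleration, provisional)
        status, text = post(model_url(base, name), body)
        sent.append((provisional, status))
        if status >= 400:
            # Validation (or the save) failed: stop here, nothing is saved.
            raise ValueError(f"provisional={provisional}: {status} {text}")
    return sent


class FakeSplunk:
    """Constructed stand-in: records each body and answers 200 when the
    description field parses as JSON, 400 otherwise."""

    def __init__(self):
        self.bodies = []

    def post(self, url, body):
        self.bodies.append(body)
        params = dict(parse_qsl(body, keep_blank_values=True))
        try:
            json.loads(params["description"])
        except (KeyError, ValueError):
            return 400, "description is not valid JSON"
        return 200, "ok"


if __name__ == "__main__":
    fake = FakeSplunk()
    accel = acceleration_json(True, "-1mon", "0 */12 * * *")
    # Constructed sample description; the real schema is in the
    # Knowledge Manager manual referenced above.
    print(validate_then_save(fake.post, "https://localhost:8089",
                             "web_traffic", {"objects": []}, accel))
```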


datamodel/pivot

https://<host>:<mPort>/services/datamodel/pivot/{name}

Description

Provides access to pivots that are based on named data models.

Method summary

Method Description Formats
GET List information about the supplied pivot based on the named data model. XML, JSON

GET datamodel/pivot method detail

Example

Request parameters
Name Type Default Description
pivot_json String JSON specifying a pivot based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either this pivot_json parameter or a pivot_search parameter.

pivot_search String A pivot search command based on the named data model.

Typically, you URL encode this parameter.

This endpoint requires either a pivot_json or this pivot_search parameter.

Response data keys
Name Description
drilldown_search The search for running this pivot report using drilldown
open_in_search Equivalent to search parameter, but listed more simply.
pivot_json JSON specifying a pivot based on the named data model.
pivot_search A pivot search command based on the named data model.
search The search string for running the pivot report
tstats_search The search for running this pivot report using tstats
Application usage

For information on pivot implementation refer to the Splunk Pivot manual.

{name} refers to a data model on the system.

Specify a pivot using either the pivot_search or pivot_json parameter.


directory

https://<host>:<mPort>/services/directory

Description

Provides access to user configurable objects.

These objects include search commands, UI views, UI navigation, saved searches and event types. This is useful to see which objects are provided by all apps, or by a specific app when the call is namespaced. The specific configuration in restmap.conf is showInDirSvc.

Method summary

Method Description Formats
GET Provides an enumeration of app-scoped objects. XML, JSON

GET directory method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

Application usage

The GET operation returns an enumeration of the following app-scoped objects:

   event types
   saved searches
   time configurations
   views
   navs
   manager XML
   quickstart XML
   search commands
   macros
   tags
   field extractions
   lookups
   workflow actions
   field aliases
   sourcetype renames 

This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc in restmap.conf.


directory/{name}

https://<host>:<mPort>/services/directory/{name}

Description

Get information about the {name} directory entity.

Method summary

Method Description Formats
GET Displays information about a single entity in the directory service enumeration. XML, JSON

GET directory/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
eai:type Entity type.
Application usage

This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.


saved/eventtypes

https://<host>:<mPort>/services/saved/eventtypes

Description

Provides access to saved event types.

Method summary

Method Description Formats
GET Retrieve saved event types. XML, JSON
POST Creates a new event type. XML, JSON

GET saved/eventtypes method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.


POST saved/eventtypes method detail

Example

Request parameters
Name Type Default Description
name String The name for the event type.
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.
Response data keys
Name Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.


saved/eventtypes/{name}

https://<host>:<mPort>/services/saved/eventtypes/{name}

Description

Manage the {name} event type.

Method summary

Method Description Formats
DELETE Deletes this event type. XML, JSON
GET Returns information on this event type. XML, JSON
POST Updates this event type. XML, JSON

DELETE saved/eventtypes/{name} method detail

Example

Request parameters

None

Response data keys

None


GET saved/eventtypes/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
description Description of this event type.
disabled Indicates if the event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:attributes Field control information.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use the tags.conf.spec file to assign tags to groups of events with related field values.


POST saved/eventtypes/{name} method detail

Example

Request parameters
Name Type Default Description
search String Search terms for this event type.
description String Human-readable description of this event type.
disabled Boolean 0 If True, disables the event type.
priority Number 1 Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
tags String [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values.
Response data keys
Name Description
description Description of this event type.
disabled Indicates if this event type is disabled.
eai:appName The Splunk Enterprise app for which this event type applies. For example, the Splunk search app.
eai:userName Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user.
priority The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority.
search Search terms for this event type.
tags [Deprecated] Tags associated with this event type.

Use tags.conf.spec file to assign tags to groups of events with related field values.

Application usage

The search must be re-specified for this edit.

URI-encode the search string if it contains any of the following characters: =, &, ?, %

Otherwise, these characters can be interpreted as part of the HTTP request.


search/fields

https://<host>:<mPort>/services/search/fields

Description

Provides management for search field configurations.

Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overridden values in $SPLUNK_HOME/etc/system/local/fields.conf.

Method summary

Method Description Formats
GET Returns a list of fields registered for field configuration. XML, JSON

GET search/fields method detail

Example

Request parameters

None

Response data keys

None


search/fields/{field_name}

https://<host>:<mPort>/services/search/fields/{field_name}

Description

Get information about the {field_name} field.

Method summary

Method Description Formats
GET Retrieves information about the named field. XML, JSON

GET search/fields/{field_name} method detail

Example

Request parameters

None

Response data keys

None


search/fields/{field_name}/tags

https://<host>:<mPort>/services/search/fields/{field_name}/tags

Description

Manage the tags associated with the {field_name} field.

Method summary

Method Description Formats
GET Returns a list of tags associated with the field specified by {field_name}. XML, JSON
POST Update the tags associated with the field specified by {field_name}. XML, JSON

GET search/fields/{field_name}/tags method detail

Example

Request parameters

None

Response data keys

None


POST search/fields/{field_name}/tags method detail

Example

Request parameters
Name Type Default Description
value String The specific field value on which to bind the tags.
add String The tag to attach to this field_name:value combination.
delete String The tag to remove from this field_name::value combination.
Response data keys

None

Application usage

The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.

You must specify at least one add or delete parameter.


search/tags

https://<host>:<mPort>/services/search/tags

Description

Provides management of search time tags.

Method summary

Method Description Formats
GET Returns a list of all search time tags. XML, JSON

GET search/tags method detail

Example

Request parameters

None

Response data keys

None


search/tags/{tag_name}

https://<host>:<mPort>/services/search/tags/{tag_name}

Description

Manage {tag_name} values.

Method summary

Method Description Formats
DELETE Deletes the tag, and its associated field:value pair assignments. XML, JSON
GET Returns a list of field:value pairs associated with the tag specified by {tag_name}. XML, JSON
POST Updates the field:value pairs associated with {tag_name}. XML, JSON

DELETE search/tags/{tag_name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The resulting change in tags.conf is to set all field:value pairs to disabled.


GET search/tags/{tag_name} method detail

Example

Request parameters

None

Response data keys

None


POST search/tags/{tag_name} method detail

Example

Request parameters
Name Type Default Description
add String A field:value pair to tag with {tag_name}.
delete String A field:value pair to remove from {tag_name}.
Response data keys

None

Application usage

Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then deletes.

If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.
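Two request bodies from this section, as an added example (not Splunk's documentation code): the URI encoding the saved/eventtypes/{name} usage note calls for when a search contains =, &, ? or %, and the repeated add/delete form parameters that POST search/tags/{tag_name} accepts. The sample search and tag pairs are constructed; naive_body is included only as the unsafe contrast.

```python
"""Form bodies for saved/eventtypes/{name} and search/tags/{tag_name}.

Added example; not from the Splunk documentation. The sample values
in __main__ are constructed.
"""
from urllib.parse import parse_qsl, urlencode


def eventtype_update_body(search, description=None, priority=None,
                          disabled=None):
    """Body for POST saved/eventtypes/{name}. The search is always sent
    because the endpoint requires it to be re-specified on every edit."""
    params = {"search": search}
    if description is not None:
        params["description"] = description
    if priority is not None:
        if not 1 <= int(priority) <= 10:
            raise ValueError("priority must be an integer from 1 to 10")
        params["priority"] = str(int(priority))
    if disabled is not None:
        params["disabled"] = "1" if disabled else "0"
    # urlencode percent-encodes =, &, ?, % so they stay inside the value
    # instead of being read as part of the HTTP request.
    return urlencode(params)


def naive_body(search):
    """Unsafe contrast: raw concatenation lets & and = inside the search
    be parsed by the server as additional form parameters."""
    return "search=" + search


def tag_update_body(add=(), delete=()):
    """Body for POST search/tags/{tag_name}. `add` and `delete` are the
    field/value pair strings the endpoint describes, passed through
    unchanged; each becomes its own form parameter. The server applies
    all adds first, then the deletes."""
    add, delete = list(add), list(delete)
    if not add and not delete:
        raise ValueError("at least one add or delete parameter is required")
    pairs = [("add", p) for p in add] + [("delete", p) for p in delete]
    return urlencode(pairs)


def decoded_params(body):
    """Decode a body the way a form parser would (blank values kept),
    to confirm that what was sent is what the server will read."""
    return parse_qsl(body, keep_blank_values=True)


if __name__ == "__main__":
    # Constructed sample search containing every character the page lists.
    search = 'sourcetype=access_combined status=500 uri="/login?next=%2F" & NOT host=dev'
    print(eventtype_update_body(search, priority=2))
    print(decoded_params(naive_body(search)))  # split into two parameters
    print(tag_update_body(add=["host::web01"], delete=["host::old"]))
```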


services/admin/summarization

https://<host>:<mPort>/services/admin/summarization/?by_tstats=1 

Description

Review data model acceleration information.

Authentication: Required. Authorization to access data model acceleration information is role-based.

Method Description Formats
GET Returns a list of field:value pairs giving current data model acceleration information. XML, JSON

Example



This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
