Splunk® Enterprise

REST API Reference Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Input endpoint descriptions

Manage and preview input data, including:

  • Non-streaming data
  • Streaming data
  • Note: Username and password authentication is required for most endpoints and REST operations. Additional capability or role-based authorization may also be required, particularly for POST or DELETE operations.

data/inputs/ad

https://<host>:<mPort>/services/data/inputs/ad

Description

Provides access to Active Directory monitoring input.

Method summary

Method Description Formats
GET Gets current active directory monitoring configuration. XML, JSON
POST Creates new or modifies existing performance monitoring settings. XML, JSON

GET data/inputs/ad method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Indicates whether this input is disabled.
index The index in which to store the gathered data.

If no value is present, send data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.
startingNode Tells Splunk Enterprise where in the Active Directory directory tree to start monitoring.

If not specified, Splunk Enterprise attempts to start at the root of the directory tree.

The user that you configure Splunk Enterprise to run as at installation determines where Splunk software starts monitoring.

targetDc Fully qualified domain name of a valid, network-accessible Active Directory domain controller.

If not specified, Splunk Enterprise obtains the local computer DC by default, and binds to its root Distinguished Name (DN).

POST data/inputs/ad method detail

Example

Request parameters
Name Datatype Default Description
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree
required		 Number Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
name
required		 String A unique name that represents a configuration or set of configurations for a specific domain controller.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible domain controller. If not specified, Splunk Enterprise gets the local domain controller.
Response data keys

None

[ Top ]

data/inputs/ad/{name}

https://<host>:<mPort>/services/data/inputs/ad/{name}


Description

Manage {name} active directory monitoring.

Method summary

Method Description Formats
DELETE Deletes a given active directory monitoring stanza. XML, JSON
GET Gets the current configuration for a given active directory monitoring stanza. XML, JSON
POST Modifies a given active directory monitoring stanza. XML, JSON

DELETE data/inputs/ad/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/ad/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
Attribute Description
disabled Indicates whether this input is disabled.
index The index in which to store the gathered data.

If no value is present, send data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.

POST data/inputs/ad/{name} method detail

Example

Request parameters
Name Datatype Default Description
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree
required		 Number Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk Enterprise gets the local computer's DC.
Response data keys

None

data/inputs/all

https://<host>:<mPort>/services/data/inputs/all


Description

Provides access to all inputs to the Splunk Enterprise server. This includes any modular inputs that may be defined on the system.

Method summary

Method Description Formats
GET Lists all inputs, including modular inputs. XML, JSON

GET data/inputs/all method detail

Example

Request parameters
Name Datatype Default Description
common Boolean Indicates whether to return only attributes commom to all inputs. These common attributes are:
app
disabled
host
index
owner
source
sourcetype
title
updated

Pagination and filtering parameters can be used with this method.

Response data keys

None

Returns an <entry> for each input, where <content> lists attributes specific to the input.

[ Top ]

data/inputs/all/{name}

https://<host>:<mPort>/services/data/inputs/all/{name}


Description

Get information about the {name} input source.

Method summary

Method Description Formats
GET Lists details for inputs for the input source specified by {name}. XML, JSON

GET data/inputs/all/{name} method detail

Example

Request parameters
Name Datatype Default Description
common Boolean Indicates whether to return only attributes commom to all inputs. These common attributes are:
app
disabled
host
index
owner
source
sourcetype
title
updated
Response data keys

None

[ Top ]

data/inputs/http

https://<host>:<mPort>/services/data/inputs/http

Authentication: Required

Description

Manage HTTP Event Collector global configuration tokens and application tokens.

GET returns a list of global and application-level configurations. POST can create new applications and modify them.

See also

Method summary

Method Description Formats
GET Return global configuration and a list of tokens. XML
POST Modify global configuration, add and modify tokens. XML

GET data/inputs/http method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

See data/inputs/http/{name} for app-level response data keys.

POST data/inputs/http method detail

Example

Global request parameters
Name Datatype Default Description
dedicatedIoThreads Number 2 Number of threads used by HTTP Input server.
disabled Boolean 1 Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
enableSSL Boolean 1 Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled.
index String Index to store generated events.
indexes String Set of indexes allowed for events with this token.
maxSockets Number 0 Maximum number of simultaneous HTTP connections accepted. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS.
maxThreads Number 0 Maximum number of threads that can be used by active HTTP transactions. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS.
name
required		 String Token name (inputs.conf key)
port
 Number 8088 HTTP data input IP port.
source String Default source for events with this token.
sourcetype String Default sourcetype for events with this token.
Application-level request parameters
Name Datatype Default Description
disabled Boolean 1 Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
index String Index to store generated events.
indexes String Set of indexes allowed for events with this token.
name
required		 String Token name (inputs.conf key)
source String Default source for events with this token.
sourcetype String Default sourcetype for events with this token.
Global response data keys
Name Description
dedicatedIoThreads Number of threads used by HTTP Input server.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
enableSSL Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled.
host Host from which the indexer gets data.
index Index to store generated events.
indexes Set of indexes allowed for events with this token.
port
 HTTP data input IP port.
_rcvbuf Socket receive buffer size (bytes).
source Default source for events with this token.
sourcetype Default sourcetype for events with this token.


Application-level response data keys
Name Description
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
_rcvbuf Socket receive buffer size (bytes).
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.

[ Top ]

data/inputs/http/{name}

https://<host>:<mPort>/services/data/inputs/http/{name}

Authentication: Required

Description

Manage the {name} HTTP Event Collector token. HTTP, as in data/inputs/http/http, indicates global configuration.

See also

Method summary

Method Description Formats
DELETE Delete token. XML, JSON
GET Get token configuration data. XML, JSON
POST Update token configuration data. XML, JSON

DELETE data/inputs/http/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/http/{name} method detail

Example

Request parameters

None

Global response data keys
Name Description
_rcvbuf Socket receive buffer size (bytes).
dedicatedIoThreads Number of threads for HTTP event collector server.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
enableSSL SSL enablement status.
host Host from which the indexer gets data.
index Index to store generated events.
port HTTP data event collector IP port.
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.


Application-level response data keys
Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.

POST data/inputs/http/{name} method detail

Example

Request parameters
Name Datatype Default Description
disabled Boolean 1 Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host String Default host.
index String Index to store generated events.
indexes String Set of indexes allowed for events with this token.
name
required		 String Token name (inputs.conf key)
source String Default source for events with this token.
sourcetype String Default sourcetype for events with this token.
Response data keys
Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.

data/inputs/http/{name}/disable

https://<host>:<mPort>/services/data/inputs/http/{name}/disable

Authentication: Required

Description

Disable the {name} HTTP Event Collector token.

See also

Method summary

Method Description Formats
POST Disable the {name} HTTP Event Collector token. XML, JSON

POST data/inputs/http/{name}/disable method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Default source for events with this token.
sourcetype Default sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.

[ Top ]

data/inputs/http/{name}/enable

https://<host>:<mPort>/services/data/inputs/http/{name}/enable

Authentication: Required

Description

Enable the {name} HTTP Event Collector token.

See also

Method summary

Method Description Formats
POST Enable the {name} HTTP Event Collector token. XML, JSON

POST data/inputs/http/{name}/enable method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Default source for events with this token.
sourcetype Default sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.

[ Top ]

data/inputs/http/{name}/rotate

https://<host>:<mPort>/services/data/inputs/http/{name}/rotate

Description

Regenerate the token value.

Supported operations

Operation Description Formats
POST Regenerate the token value. XML, JSON

POST data/inputs/http/{name}/rotate

Request parameters
None

Response keys

Name Description
token Regenerated token value.

Example request and response

POST data/inputs/http/{name}/rotate


XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/splunk_httpinput/data/inputs/http/my_app_name/rotate -X post

XML Response

<?xml version="1.0" encoding="UTF-8"?>
        . . . . . .
        <s:key name="token">64D47EC6-C510-4519-A520-EC4CAA157B97</s:key>
        . . . . . .
</feed>

data/inputs/monitor

https://<host>:<mPort>/services/data/inputs/monitor


Description

Provides access to monitor inputs.

Method summary

Method Description Formats
GET List enabled and disabled monitor inputs. XML, JSON
POST Create a new file or directory monitor input. XML, JSON

GET data/inputs/monitor method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_TCP_ROUTING List of TCP forwarding groups, as specified in outputs.conf.
disabled Indicates if inputs monitoring is disabled.
filecount Number of files monitored.
host Name of the Splunk Enterprise host for which inputs are monitored.
index The index in which to store the gathered data.
sourcetype Source type being monitored.

The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk Enterprise formats your data.

POST data/inputs/monitor method detail

Example

Request parameters
Name Datatype Default Description
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the "index" value is checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the "name" value is checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time is read from the end.
host String The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separate segment of the filepath as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index String default Which index events from this input should be stored in.
name
required		 String The file or directory path to monitor on the system.
recursive Boolean Setting this to "false" prevents monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.
Response data keys

None

[ Top ]

data/inputs/monitor/{name}

https://<host>:<mPort>/services/data/inputs/monitor/{name}


Description

Manage the {name} monitor input.

Method summary

Method Description Formats
DELETE Disable the named monitor data input and remove it from the configuration. XML, JSON
GET List the properties of a single monitor data input. XML, JSON
POST Update properties of the named monitor input. XML, JSON

DELETE data/inputs/monitor/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/monitor/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Indicates if inputs monitoring is disabled.
filecount Number of files being monitored.
host Name of the Splunk Enterprise host for which inputs are monitored.
index The index events from this input should be stored in.

POST data/inputs/monitor/{name} method detail

Example

Request parameters
Name Datatype Default Description
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the "index" value is checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the "name" value is checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time is read from the end.
host String The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separate segment of the filepath as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index String default Which index events from this input should be stored in.
recursive Boolean Setting this to "false" prevents monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.
Response data keys

None

data/inputs/monitor/{name}/members

https://<host>:<mPort>/services/data/inputs/monitor/{name}/members


Description

List {name} monitor input files.

Method summary

Method Description Formats
GET Lists all files monitored under the named monitor input. XML, JSON

GET data/inputs/monitor/{name}/members method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

None

[ Top ]

data/inputs/oneshot

https://<host>:<mPort>/services/data/inputs/oneshot


Description

Provides access to oneshot inputs.

Method summary

Method Description Formats
GET Enumerates in-progress oneshot inputs. As soon as an input is complete, it is removed from this list. XML, JSON
POST Queues a file for immediate indexing. The file must be locally accessible from the server. This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether or not it is already indexed. XML, JSON

GET data/inputs/oneshot method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.

POST data/inputs/oneshot method detail

Example

Request parameters
Name Datatype Default Description
host String The value of the "host" field to be applied to data from this file.
host_regex String A regex to be used to extract a "host" field from the path.

If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.

host_segment Number Use the specified slash-separate segment of the path as the host field value.
index String The destination index for data processed from this file.
name
required		 String The path to the file to be indexed. The file must be locally accessible by the server.
rename-source String The value of the "source" field to be applied to data from this file.
sourcetype String The value of the "sourcetype" field to be applied to data from this file.
Response data keys

None

[ Top ]

data/inputs/oneshot/{name}

https://<host>:<mPort>/services/data/inputs/oneshot/{name}


Description

Get information about the {name} one-shot input.

Method summary

Method Description Formats
GET Finds information about a single in-flight one shot input. This is a subset of the information in the full enumeration. XML, JSON

GET data/inputs/oneshot/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.

[ Top ]

data/inputs/registry

https://<host>:<mPort>/services/data/inputs/registry


Description

Provides access to Windows registry monitoring input.

Method summary

Method Description Formats
GET Gets current registry monitoring configuration. XML, JSON
POST Creates new or modifies existing registry monitoring settings. XML, JSON

GET data/inputs/registry method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
baseline Indicates whether or not Splunk Enterprise should get a baseline of Registry events when it starts. Defaults to false.

If true, the input captures a baseline for the specified hive when the input starts for the first time.

disabled Indicats whether this input is disabled.
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type A regular expression that specifies the types of Registry events to monitor.

POST data/inputs/registry method detail

Example

Request parameters
Name Datatype Default Description
baseline
required		 Number Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive
required		 String Specifies the registry hive under which to monitor for changes.
name
required		 String Name of the configuration stanza.
proc
required		 String Specifies a regex. If specified, collect changes if a process name matches that regex.
type
required		 String A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character. For example,

set|create|delete|rename

disabled Number Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all Registry hives beneath the specified hive.
Response data keys

None

[ Top ]

data/inputs/registry/{name}

https://<host>:<mPort>/services/data/inputs/registry/{name}


Description

Manage registry monitoring {name} stanza.

Method summary

Method Description Formats
DELETE Deletes registry monitoring configuration stanza. XML, JSON
GET Gets current registry monitoring configuration stanza. XML, JSON
POST Modifies given registry monitoring stanza. XML, JSON

DELETE data/inputs/registry/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/registry/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
baseline Indicates whether to get a baseline of Registry events when Splunk Enterprise starts.
disabled Indicates if the input is disabled.
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type Regular expression that specifies the types of Registry events to monitor.

POST data/inputs/registry/{name} method detail

Example

Request parameters
Name Datatype Default Description
baseline
required		 Number Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive
required		 String Specifies the registry hive under which to monitor for changes.
proc
required		 String Specifies a regex. If specified, collect changes if a process name matches that regex.
type
required		 String A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character.

For example:

set|create|delete|rename

disabled Number Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all Registry hives beneath the specified hive.
Response data keys

None

[ Top ]

data/inputs/script

https://<host>:<mPort>/services/data/inputs/script


Description

Provides access to scripted inputs.

Method summary

Method Description Formats
GET Gets the configuration settings for scripted inputs. XML, JSON
POST Configures settings for new scripted inputs. XML, JSON

GET data/inputs/script method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Specifies whether the input script is disabled.
endtime If available, the time when the script stopped executing.
group The name of the inputstatus group, which is always "exec commands."
host Host with which these data are identified.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

source The source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

sourcetype Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. There is no hard-coded default.

For more information, see the documentation for the sourcetype parameter for the POST operation.

starttime If available, the time the when the script was executed.

POST data/inputs/script method detail

Example

Request parameters
Name Datatype Default Description
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval
required		 Number 60.0 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
name
required		 String Specify the name of the scripted input.
passAuth String User to run the script as.

If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Response data keys

None

[ Top ]

data/inputs/script/restart

https://<host>:<mPort>/services/data/inputs/script/restart


Description

Allows for restarting scripted inputs.

Method summary

Method Description Formats
POST Causes a restart on a given scripted input. XML, JSON

POST data/inputs/script/restart method detail

Example

Request parameters
Name Datatype Default Description
script
required		 String Path to the script to be restarted. This path must match an already-configured existing scripted input.
Response data keys

None

[ Top ]

data/inputs/script/{name}

https://<host>:<mPort>/services/data/inputs/script/{name}


Description

Manage the {name} scripted input.

Method summary

Method Description Formats
DELETE Removes the scripted input specified by {name}. XML, JSON
GET Returns the configuration settings for the scripted input specified by {name}. XML, JSON
POST Configures settings for scripted input specified by {name}. XML, JSON

DELETE data/inputs/script/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/script/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Specifies whether the input script is disabled.
group The name of the inputstatus group, which is always "exec commands."
host Host these data are identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

POST data/inputs/script/{name} method detail

Example

Request parameters
Name Datatype Default Description
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval Number 60.0 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
passAuth String User to run the script as.

If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Response data keys

None

[ Top ]

data/inputs/tcp/cooked

https://<host>:<mPort>/services/data/inputs/tcp/cooked


Description

Provides access to TCP inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.

Method summary

Method Description Formats
GET Returns information about all cooked TCP inputs. XML, JSON
POST Creates a new container for managing cooked data. XML, JSON

GET data/inputs/tcp/cooked method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.

POST data/inputs/tcp/cooked method detail

Example

Request parameters
Name Datatype Default Description
SSL Boolean If SSL is not already configured, error is returned
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is dns.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
name
required		 Number The port number of this input.
queue "parsingQueue" | "indexQueue" "parsingQueue" Specifies where the input processor should deposit the events it reads.
restrictToHost String Restrict incoming connections on this port to the host specified here.
Response data keys

None

[ Top ]

data/inputs/tcp/cooked/{name}

https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}


Description

Manage cooked TCP inputs for the {name} host or port.

Method summary

Method Description Formats
DELETE Removes the cooked TCP inputs for port or host:port specified by {name} XML, JSON
GET Returns information for the cooked TCP input specified by {name}. If port is restricted to a host, name should be URI-encoded host:port. XML, JSON
POST Updates the container for managing cooked data. XML, JSON

DELETE data/inputs/tcp/cooked/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/tcp/cooked/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

POST data/inputs/tcp/cooked/{name} method detail

Example

Request parameters
Name Datatype Default Description
SSL Boolean If SSL is not already configured, error is returned
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
restrictToHost String Restrict incoming connections on this port to the host specified here.
Response data keys

None

[ Top ]

data/inputs/tcp/cooked/{name}/connections

https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}/connections


Description

Get active connections to the {name} port.

Method summary

Method Description Formats
GET Retrieves list of active connections to the named port. XML, JSON

GET data/inputs/tcp/cooked/{name}/connections method detail

Example

Request parameters

None

Response data keys
Name Description
connection Identifies the connection to port.
servername Server name of forwarder connecting to this port.

[ Top ]

data/inputs/tcp/raw

https://<host>:<mPort>/services/data/inputs/tcp/raw

Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.


Description

Container for managing raw tcp inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.

Method summary

Method Description Formats
GET Returns information about all raw TCP inputs. XML, JSON
POST Creates a new data input for accepting raw TCP data. XML, JSON

GET data/inputs/tcp/raw method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index The index in which to store generated events.

POST data/inputs/tcp/raw method detail

Example

Request parameters
Name Datatype Default Description
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String Host from which the indexer gets data.
index String default Index to store generated events.
name
required		 String The input port which receives raw data.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at "Monitor files and directories with inputs.conf"

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.

If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
SSL Boolean
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).

Response data keys

None

[ Top ]

data/inputs/tcp/raw/{name}

https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}

Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.


Description

Manage raw inputs for the {name} host or port.

Method summary

Method Description Formats
DELETE Removes the raw inputs for port or host:port specified by {name} XML, JSON
GET Returns information about raw TCP input port {name}. If port is restricted to a host, name should be URI-encoded host:port. XML, JSON
POST Updates the container for managing raw data. XML, JSON

DELETE data/inputs/tcp/raw/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/tcp/raw/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index Index to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

POST data/inputs/tcp/raw/{name} method detail

Example

Request parameters
Name Datatype Default Description
SSL Boolean
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String Host from which the indexer gets data.
index String default Index to store generated events.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at "Monitor files and directories with inputs.conf"

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.

If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).

Response data keys

None

[ Top ]

data/inputs/tcp/raw/{name}/connections

https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}/connections

Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.


Description

Get active connections the {name} host or port.

Method summary

Method Description Formats
GET View all connections to the named data input. XML, JSON

GET data/inputs/tcp/raw/{name}/connections method detail

Example

Request parameters

None

Response data keys
Name Description
connection IP address and port of the source connecting to this TCP input port.
servername DNS name of the source connecting to this TCP input port.

[ Top ]

data/inputs/tcp/splunktcptoken

https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken

Description

Manage receiver access using tokens. Get information on all receiver tokens or create a new token. To edit or delete an existing token, see data/inputs/tcp/splunktcptoken/{name}.

  • Note: Configure the forwarder with the same token as the receiver to ensure that the forwarder receives data.

Authentication and Authorization:
Username and password required. The edit_splunktcp_token capability is additionally required for this endpoint.

Method summary

Method Description Formats
GET Returns all configured tokens. XML, JSON
POST Create a new token. XML, JSON

GET /services/data/inputs/tcp/splunktcptoken method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys

Response data keys are returned for each receiver token.

Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.

POST /services/data/inputs/tcp/splunktcptoken method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Name Datatype Default Description
name String None Required. Name for the token to create.
token String None Optional. Token value to use. If unspecified, a token is generated automatically.
Response data keys
Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.


[ Top ]

data/inputs/tcp/splunktcptoken/{name}

https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken/{name}

Description

Manage existing receiver tokens.

Authentication and Authorization
Username and password required. The edit_splunktcp_token capability is additionally required for this endpoint.

Method summary

Method Description Formats
GET Access token information. XML, JSON
POST Update an existing token value. XML, JSON
DELETE Delete an existing token. XML, JSON

GET /services/data/inputs/tcp/splunktcptoken/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.

POST /services/data/inputs/tcp/splunktcptoken/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Name Datatype Default Description
token String None New token value.
Response data keys
Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.

DELETE /services/data/inputs/tcp/splunktcptoken/{name} method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.

[ Top ]

data/inputs/tcp/ssl

https://<host>:<mPort>/services/data/inputs/tcp/ssl


Description

Provides access to the SSL configuration of a Splunk Enterprise server.

Method summary

Method Description Formats
GET Returns SSL configuration. There is only one SSL configuration for all input ports. XML, JSON

GET data/inputs/tcp/ssl method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf [Deprecated]
cipherSuite Specifies list of acceptable ciphers to use in ssl.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.

[ Top ]

data/inputs/tcp/ssl/{name}

https://<host>:<mPort>/services/data/inputs/tcp/ssl/{name}


Description

Manage SSL configuration for the {name} host.

Method summary

Method Description Formats
GET Returns the SSL configuration for the host {name}. XML, JSON
POST Configures SSL attributes for the host {name}. XML, JSON

GET data/inputs/tcp/ssl/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf [Deprecated]
cipherSuite Specifies list of acceptable ciphers to use in ssl.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.

POST data/inputs/tcp/ssl/{name} method detail

Example

Request parameters
Name Datatype Default Description
disabled Boolean Indicates whether the inputs are disabled.
password String Server certificate password, if any.
requireClientCert Boolean Determines whether a client must authenticate.
rootCA String Certificate authority list (root file)
serverCert String Full path to the server certificate.
Response data keys

None

[ Top ]


data/inputs/udp

https://<host>:<mPort>/services/data/inputs/udp


Description

Provides access to UPD data inputs.

Method summary

Method Description Formats
GET List enabled and disabled UDP data inputs. XML, JSON
POST Create a new UDP data input. XML, JSON

GET data/inputs/udp method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index Index to store generated events.

POST data/inputs/udp method detail

Example

Request parameters
Name Datatype Default Description
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
name
required		 String The UDP port that this input should listen on.
no_appending_timestamp Boolean If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk Enterprise does remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
Response data keys

None

[ Top ]

data/inputs/udp/{name}

https://<host>:<mPort>/services/data/inputs/udp/{name}


Description

Manage the {name} UDP host or port.

Method summary

Method Description Formats
DELETE Disable the named UDP data input and remove it from the configuration. XML, JSON
GET List the properties of a single UDP data input port or host:port {name}. If port is restricted to a host, name should be URI-encoded host:port. XML, JSON
POST Edit properties of the named UDP data input. XML, JSON

DELETE data/inputs/udp/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/udp/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index Index to store generated events.

POST data/inputs/udp/{name} method detail

Example

Request parameters
Name Datatype Default Description
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk Enterprise system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
no_appending_timestamp Boolean If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk Enterprise does remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
Response data keys

None

[ Top ]

data/inputs/udp/{name}/connections

https://<host>:<mPort>/services/data/inputs/udp/{name}/connections


Description

List connections to the {name} host or port.

Method summary

Method Description Formats
GET Lists connections to the named UDP input. XML, JSON

GET data/inputs/udp/{name}/connections method detail

Example

Request parameters

None

Response data keys
Name Description
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.

[ Top ]

data/inputs/win-event-log-collections

https://<host>:<mPort>/services/data/inputs/win-event-log-collections


Description

Provides access to all configured event log collections.

Method summary

Method Description Formats
GET Retrieves a list of configured event log collections. XML, JSON
POST Creates of modifies existing event log collection settings. You can configure both native and WMI collection with this endpoint. XML, JSON

GET data/inputs/win-event-log-collections method detail

Example

Request parameters
Name Datatype Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts Hosts you are monitoring.
index Index to store data.

If not specified defaults to the default index.

logs List of event log channels to monitor.

POST data/inputs/win-event-log-collections method detail

Example

Request parameters
Name Datatype Default Description
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String List of event log names from which to gather data:
  • WMI collection format (CSV) example:
    logs=Application%2CSystem%2CSetup%2CSecurity
  • Native event log collection format example:
    logs=Application&logs=System&logs=Setup
lookup_host
required		 String Host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.
name
required		 String Collection name. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI.
Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts Monitored hosts.
index Index to store data.
logs List of event log channels to monitor.
lookup_host Host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI

[ Top ]

data/inputs/win-event-log-collections/{name}

https://<host>:<mPort>/services/data/inputs/win-event-log-collections/{name}


Description

Manage the {name} Windows event log.

Method summary

Method Description Formats
DELETE Deletes a given event log collection. XML, JSON
GET Gets the configuration settings for a given event log collection. XML, JSON
POST Modifies existing event log collection. XML, JSON

DELETE data/inputs/win-event-log-collections/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/win-event-log-collections/{name} method detail

Example

Request parameters
Name Datatype Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.
Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts Monitored hosts.
index Index to store data.

If not specified defaults to the default index.

logs List of event log channels to monitor.
lookup_host Host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.

POST data/inputs/win-event-log-collections/{name} method detail

Example

Request parameters
Name Datatype Default Description
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String A comma-separated list of event log names to gather data from.
lookup_host
required		 String This is a host from which we monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.
Response data keys
Name Description
disabled Indicates if the input is disabled.
hosts Monitored hosts.
index Index to store data.
logs List of event log channels to monitor.
lookup_host Host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.

[ Top ]

data/inputs/win-wmi-collections

https://<host>:<mPort>/services/data/inputs/win-wmi-collections


Description

Provides access to all configured WMI collections.

Method summary

Method Description Formats
GET Provides access to all configure WMI collections. XML, JSON
POST Creates or modifies existing WMI collection settings. XML, JSON

GET data/inputs/win-wmi-collections method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
class The WMI performance object class being monitored.
disabled Indicates whther the input is disbled.
fields The WMI performance counters being monitored.
index The index to which you are sending input data.
instances Instances of the WMI performance counter.
interval The interval, in seconds, at which the WMI provider(s) are queried.
name the name of the input.
server The server you are monitoring.
wql The actual WQL query for monitoring the performance object.

POST data/inputs/win-wmi-collections method detail

Example

Request parameters
Name Datatype Default Description
classes
required		 String A valid WMI class name.
disabled Number 0 Disables the given collection.
fields String 1. * Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String default The index in which to store the gathered data.
instances String empty Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

interval
required		 Number The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host
required		 String This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter.
name
required		 String This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data.
server String localhost A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host.
Response data keys
Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host Host from which to monitor log events.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

[ Top ]

data/inputs/win-wmi-collections/{name}

https://<host>:<mPort>/services/data/inputs/win-wmi-collections/{name}


Description

Manage the {name} WMI collection.

Method summary

Method Description Formats
DELETE Deletes a given collection. XML, JSON
GET Gets information about a single collection. XML, JSON
POST Modifies a given WMI collection. XML, JSON

DELETE data/inputs/win-wmi-collections/{name} method detail

Example

Request parameters

None

Response data keys

None

Application usage

The method returns HTTP status code = 400, if {name} does not exist.

GET data/inputs/win-wmi-collections/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host Host from which to monitor log events.
name Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers frpm which to gather data from. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

POST data/inputs/win-wmi-collections/{name} method detail

Example

Request parameters
Name Datatype Default Description
classes
required		 String A valid WMI class name.
disabled Number Disables the given collection.
fields String Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String The index in which to store the gathered data.
instances String Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

interval
required		 Number The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host
required		 String This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter.
server String A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter.
Response data keys
Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) are queried.
lookup_host Host from which to monitor log events.
name Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

[ Top ]

data/inputs/win-perfmon

https://<host>:<mPort>/services/data/inputs/win-perfmon


Description

Provides access to performance monitoring configuration. This input allows you to poll Windows performance monitor counters.

Method summary

Method Description Formats
GET Gets current performance monitoring configuration. XML, JSON
POST Creates new or modifies existing performance monitoring collection settings. XML, JSON

GET data/inputs/win-perfmon method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.

POST data/inputs/win-perfmon method detail

Example

Request parameters
Name Datatype Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
name
required		 String This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data.
object String A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.')
source String Source for inputs.
sourcetype String Source type of input.
Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.
source Source for inputs.
sourcetype Source type of the input.

[ Top ]

data/inputs/win-perfmon/{name}

https://<host>:<mPort>/services/data/inputs/win-perfmon/{name}


Description

Manage the {name} performance monitoring stanza.

Method summary

Method Description Formats
DELETE Deletes a given monitoring stanza. XML, JSON
GET Gets settings for a given perfmon stanza. XML, JSON
POST Modifies existing monitoring stanza XML, JSON

DELETE data/inputs/win-perfmon/{name} method detail

Example

Request parameters

None

Response data keys

None

GET data/inputs/win-perfmon/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor.

POST data/inputs/win-perfmon/{name} method detail

Example

Request parameters
Name Datatype Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
object String A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.')
source String Source for inputs.
sourcetype String Source type of input.
Response data keys
Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
object A valid Performance Monitor object as defined within Performance Monitor,
source Source for inputs.
sourcetype Source type of the input.

[ Top ]

data/modular-inputs

https://<host>:<mPort>/services/data/modular-inputs


Description

Provides access to currently defined modular inputs on the system.

Method summary

Method Description Formats
GET Lists information about configured modular inputs. XML, JSON

GET data/modular-inputs method detail

Example

Request parameters

Pagination and filtering parameters can be used with this method.

Response data keys
Name Description
description Provides descriptive text for title in the Splunk Manager page for Data inputs.

The description also appears on the Add new data inputs Manager page.

For more information, refer to Modular inputs: Introspection scheme details.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspection scheme details.

streaming_mode Indicates the streaming mode for the modular input.

Valid values:

xml
simple

For more information, refer to Modular inputs: Introspection scheme details.

title The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspection scheme details.

Application usage

For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.

[ Top ]

data/modular-inputs/{name}

https://<host>:<mPort>/services/data/modular-inputs/{name}


Description

Get information about the {name} modular input.

Method summary

Method Description Formats
GET Lists information about the modular input specified by {name}. XML, JSON

GET data/modular-inputs/{name} method detail

Example

Request parameters

None

Response data keys
Name Description
description The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspcetion scheme details.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspcetion scheme details.

streaming_mode Indicates the streaming mode for the modular input.

Valid values:

xml
simple (plain text)

Contains one or more <arg> elements, which define the parameters to an endpoint.

For more information, refer to Modular inputs: Introspcetion scheme details.

title The label for a modular input script.

The label appears in the Splunk Manager page for Data inputs.

For more information, refer to Modular inputs: Introspection scheme details.

Application usage

For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.

[ Top ]

indexing/preview

https://<host>:<mPort>/services/indexing/preview


Description

Preview events from a source file before you index the file.

Method summary

Method Description Formats
GET Return a list of all data preview jobs. Data returned includes the Splunk Enterprise management URI to access each preview job. XML, JSON
POST Create a preview data job for the specified source file, returning the preview data job ID. XML, JSON

GET indexing/preview method detail

Example

Request parameters

None

Response data keys

None

Application usage

ou can also check the status of a data preview job with GET /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. For more information, see GET /search/jobs/{search_id}.

Use the data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events from the source file.

Data returned includes the Splunk Enterprise management URI for each data preview job.

POST indexing/preview method detail

Example

Request parameters
Name Datatype Default Description
input.path
required		 String The absolute file path to a local file that you want to preview data returned from indexing.
props.<props_attr> String Define a new sourcetype in props.conf for preview data that you are indexing.

Typically, you first examine preview data events returned from GET /search/jobs/{job_id}events. Then you define new sourcetypes as needed with this endpoint.

Response data keys

None

Application usage

Use the POST operation of this endpoint to create a data preview job and return the corresponding data preview job ID.

Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.

You can optionally define sourcetypes for preview data job in props.conf.

[ Top ]

indexing/preview/{job_id}

https://<host>:<mPort>/services/indexing/preview/{job_id}


Description

Get props.conf file settings for the {job_id} job.

Method summary

Method Description Formats
GET Returns the props.conf settings for the data preview job specified by {job_id}. XML, JSON

GET indexing/preview/{job_id} method detail

Example

Request parameters

None

Response data keys

None

[ Top ]

receivers/simple

https://<host>:<mPort>/services/receivers/simple

Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.


Description

Allows for sending events to Splunk Enterprise in an HTTP request.

Method summary

Method Description Formats
POST Create events from the contents contained in the HTTP body. XML, JSON

POST receivers/simple method detail

Example

Request parameters
Name Datatype Default Description
<arbitrary_data>
required		 String Raw event text. This is the entirety of the HTTP request body.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String default The destination index where events are sent.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.
Response data keys

None

[ Top ]

receivers/stream

https://<host>:<mPort>/services/receivers/stream

Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.


Description

Open a socket to receive streaming data.

  • Note: For HTTP uploads, if the caller passes a content-type of "multipart/form data", the HTTP file upload protocol is used and files are indexed.

Method summary

Method Description Formats
POST Create events from the stream of data following HTTP headers. XML, JSON

POST receivers/stream method detail

Example

Request parameters
Name Datatype Default Description
<data_stream>
required		 String Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.
Response data keys

None

Application usage

Data transfer continues until you enter <CTRL-C>.

For streaming connections, set streaming and x-splunk-input-mode arguments in the header.

[ Top ]

services/collector

<protocol>://<host>:<mPort>/services/collector

Authorization: Requires an HTTP Event Collector <Token>.

Description

Send events to HTTP Event Collector using the Splunk platform JSON event protocol.

By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Note: When using an ACK-enabled token, an ackID is returned within a JSON object in the response. For example, {"ackID": "0"} indicates an ackID of 0. Use the ackID to query the services/collector/ack endpoint to verify event indexing. For more information, see services/collector/ack.

See also

Method summary

Method Description Formats
POST Send events to the HTTP Event Collector. JSON

POST services/collector method detail

Example

Request parameters

Name Datatype Description
channel See description Required if useAck is enabled. Pass in the channel GUID as a string parameter or using the "x-splunk-request-channel" header.
event string Required. Event payload key-value. Value can be a string or a JSON object.

JSON example: {"event": {"message":"Access log test message"}}
String example: "event": "Access log test message."

host string Host name. Specify with the host query string parameter. Sets a default for all events in the request. The default host name can be overridden.
index string Index name. Specify with the index query string parameter. Sets a default for all events in the request. The default index name can be overridden.
source string User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden.
sourcetype string User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden.
time string or unsigned integer Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden.

Response keys

Name Description
text Human readable status, same value as code.
code Machine format status, same value as text.
invalid-event-number When errors occur, indicates the zero-based index of first invalid event in an event sequence.
ackId If useACK is enabled for the token, indicates the ackId to use for checking an indexer acknowledgement.

Response status codes

The following status codes have particular meaning for all HTTP Event Collector endpoints:

Status Code HTTP status code ID HTTP status code Status message
0 200 OK Success
1 403 Forbidden Token disabled
2 401 Unauthorized Token is required
3 401 Unauthorized Invalid authorization
4 403 Forbidden Invalid token
5 400 Bad Request No data
6 400 Bad Request Invalid data format
7 400 Bad Request Incorrect index
8 500 Internal Error Internal server error
9 503 Service Unavailable Server is busy
10 400 Bad Request Data channel is missing
11 400 Bad Request Invalid data channel
12 400 Bad Request Event field is required
13 400 Bad Request Event field cannot be blank
14 400 Bad Request ACK is disabled
Example response messages

Success: 

    {"text":"Success","code":0}

Failure: 

    {"text":"Incorrect data format","code":5,"invalid-event-number":0}

Application usage

HTTP Event Collector functionality must be enabled to send events.

To send events to the HTTP Event Collector, you must provide an HTTP Event Collector token in the authorization header. The token is created using the data/inputs/http endpoint. You can then retrieve the token with a GET request on the data/inputs/http/{name} endpoint, where {name} is the name of your token. Include the authentication token in the request header using the following format: Authorization: Splunk <token>. The format is case-sensitive.

Use the Splunk platform search application to view the logged events. For example, use index=main | search sourcetype=access to view all logged events with a sourcetype of access.

For performance reasons, the data input endpoint follows a simple error handling model. It assumes that in most cases it receives a well-formed event data payload. If there is malformed event data in the payload, events continue to be extracted until an error is encountered. Processing stops immediately on an error and the error and number of payload events processed successfully are reported. Events processed before the error are sent to indexers and all events after the first error are dropped.

[ Top ]

services/collector/ack

<protocol>://<host>:<mPort>/services/collector/ack

Description

Query event indexing status.

For events sent using HTTP Event Collector, check event indexing status. Requests must use a valid channel ID and authorization token with useACK enabled. An event ACK ID, returned in response to a POST to services/collector, is also required.

By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Authorization: Requires an HTTP Event Collector <Token>.

Method summary

Method Description Formats
GET Get HTTP Event Collector event indexing status. JSON

GET services/collector/ack method detail

Example

Request parameters

Parameter Datatype Description
channel See description Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
"acks" JSON object Required. JSON object with an array of ack ID values. Include in the request payload.

Response keys

Name Description
acks Contains the key/value pairs for each ACK ID requested. For each key in the "acks" object, a true value means the ACK ID's events were indexed. A false value means that indexing status is unknown. For example, an event may have an indexing delay long enough that it is no longer tracked.

Here is an example response.
{"acks" : { "0" : true, "1" : false, "2" : true, "3" : false}}


Response status codes

Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.

services/collector/event

This endpoint works identically to services/collector but introduces a format option for future scalability. For more information, see services/collector.

[ Top ]

services/collector/event/1.0

This endpoint works identically to services/collector/event but introduces a protocol version for future scalability. For more information, see services/collector.

[ Top ]

services/collector/mint

<protocol>://<host>:<mPort>/services/collector/mint

Post MINT formatted data to the HTTP Event Collector. The authorization header contains the authorization scheme and application token. The HTTP POST body contains event data in the MINT payload format.

  • Note: By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Authorization: Requires an HTTP Event Collector <Token>.

Method summary

Method Description Formats
POST Post MINT formatted data. MINT

POST services/collector/mint method detail

Example

Request Parameters

Name Datatype Description
host String Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden.
index String Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden.
source String User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden.
sourcetype string User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden.
time string or unsigned integer Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden.

Response data keys

None

Response status codes

Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.

[ Top ]

services/collector/mint/1.0

This endpoint works identically to receivers/token/mint but introduces a protocol version for future scalability.

[ Top ]


services/collector/raw

<protocol>://<host>:<mPort>/services/collector/raw

Description

Send raw data directly to the HTTP Event Collector. This endpoint allows one or more raw events to be sent in a single request. All events are parsed using the standard Splunk software pipeline, which includes breaking rules and timestamp extraction. This endpoint requires a data channel GUID to differentiate data from different clients. Generate a GUID and provide it in a POST request as a custom HTTP header or as a parameter.

If a channel is not provided in the POST request, an error response is sent. Only valid GUIDs can be used. An error message is returned if GUID validation fails.

By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Authorization: Requires an HTTP Event Collector <Token>.

Method summary

Method Description Formats
POST Send raw data to the to the indexer queue. Requires a data channel GUID, provided as a custom HTTP header or request parameter.

POST services/collector/raw method detail

Send raw data to the indexer queue.

Examples

Request parameters
Name Datatype Description
channel See description. Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
host String Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden.
index String Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden.
source String User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden.
sourcetype string User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden.
time string or unsigned integer Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden.
Response data keys

None

Response status codes

Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.

[ Top ]

services/collector/raw/1.0

This endpoint works identically to services/collector/raw but introduces a protocol version for future scalability. See services/collector/raw.

Last modified on 30 August, 2016
PREVIOUS
Deployment endpoint examples 		  NEXT
Input endpoint examples

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters