Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.
Input endpoint descriptions
Manage and preview streaming and non-streaming and other input data.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication is required for access to endpoints and REST operations.
Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.
App and user context
Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.
Splunk Cloud URL for REST API access
Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.
Managed Splunk Cloud deployments
https://<deployment-name>.splunkcloud.com:8089
Self-service Splunk Cloud deployments
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.
https://input-<deployment-name>.cloud.splunk.com:8089
See Using the REST API in Splunk Cloud in the the Splunk REST API Tutorials for more information.
data/ingest/rfsdestinations
https://<host>:<mPort>/services/data/ingest/rfsdestinations
Create/configure, get, or delete an S3 destination for ingest action.
Authentication and authorization
Requires the capabilities list_ingest_rulesets and edit_ingest_rulesets.
DELETE
Deletes the S3 destination.
Request parameters
| Name | Description |
|---|---|
| name | Name of the S3 destination to delete. |
Returned values
| Name | Description |
|---|---|
| name | Name of the S3 destination. |
| path | Path (bucket and folder) of the destination. |
| remote.s3.access_key | See indexes.conf. |
| remote.s3.secret_key | See indexes.conf. |
| description | Description of the destination (optional). |
| remote.s3.endpoint | See indexes.conf. |
| remote.s3.encryption | See indexes.conf. |
| remote.s3.kms.key_id: | See indexes.conf. |
| remote.s3.kms.auth_region | See indexes.conf. |
| remote.s3.signature_version | See indexes.conf. |
| remote.s3.supports_versioning | See indexes.conf. |
| remote.s3.url_version | See indexes.conf. |
| compression | See outputs.conf. |
| dropEventsOnUploadError | See outputs.conf. |
| batchTimeout | See outputs.conf. |
| batchSizeThresholdKB | See outputs.conf. |
| target | When provided, the request will be proxied to the host specified here (optional). |
Example request and response
Request
To delete a destination named a3:
curl -v -k -u username:password -X DELETE https://host:port/services/data/ingest/rfsdestinations/a3
Response
* Trying 10.140.178.120:9091...
* Connected to mrt (10.140.178.120) port 9091 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=SplunkServerDefaultCert; O=SplunkUser
* start date: May 25 18:24:21 2022 GMT
* expire date: May 24 18:24:21 2025 GMT
* issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'admin'
> DELETE /services/data/ingest/rfsdestinations/a3 HTTP/1.1
> Host: mrt:9091
> Authorization: Basic YWRtaW46Y2hhbmdlbWU=
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 25 May 2022 20:55:25 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 3783
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>ingest-rfs-destinations</title>
<id>https://mrt:9091/services/data/ingest/rfsdestinations</id>
<updated>2022-05-25T20:55:25+00:00</updated>
<generator build="fee4ee9be79e70f02f4d13d69c0688e981ab5120" version="20220525"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>
<link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>s3</title>
<id>https://mrt:9091/services/data/ingest/rfsdestinations/s3</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>
<link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="path">s3://s2-testing-infra/data-action1/sharun/</s:key>
<s:key name="remote.s3.access_key"><hidden></s:key>
<s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>
<s:key name="remote.s3.secret_key"><hidden></s:key>
</s:dict>
</content>
</entry>
</feed>
GET
Gets list of the s3 destination configuration values.
Request parameters
| Name | Description |
|---|---|
| name | Name of the S3 destination. An empty name returns information for all S3 destinations. |
Returned values
| Name | Description |
|---|---|
| name | Name of the S3 destination. |
| path | Path (bucket and folder) of the destination. |
| remote.s3.access_key | See indexes.conf. |
| remote.s3.secret_key | See indexes.conf. |
| description | Description of the destination (optional). |
| remote.s3.endpoint | See indexes.conf. |
| remote.s3.encryption | See indexes.conf. |
| remote.s3.kms.key_id: | See indexes.conf. |
| remote.s3.kms.auth_region | See indexes.conf. |
| remote.s3.signature_version | See indexes.conf. |
| remote.s3.supports_versioning | See indexes.conf. |
| remote.s3.url_version | See indexes.conf. |
| compression | See outputs.conf. |
| dropEventsOnUploadError | See outputs.conf. |
| batchTimeout | See outputs.conf. |
| batchSizeThresholdKB | See outputs.conf. |
| target | When provided, the request will be proxied to the host specified here (optional). |
Example request and response
Request
Gets information for destination named "s3":
curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations/s3
Response
* Trying 10.140.178.120:9091...
* Connected to mrt (10.140.178.120) port 9091 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=SplunkServerDefaultCert; O=SplunkUser
* start date: May 25 18:24:21 2022 GMT
* expire date: May 24 18:24:21 2025 GMT
* issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'admin'
> GET /services/data/ingest/rfsdestinations/s3 HTTP/1.1
> Host: mrt:9091
> Authorization: Basic YWRtaW46Y2hhbmdlbWU=
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 25 May 2022 20:13:13 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 5036
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>ingest-rfs-destinations</title>
<id>https://mrt:9091/services/data/ingest/rfsdestinations</id>
<updated>2022-05-25T20:13:13+00:00</updated>
<generator build="fee4ee9be79e70f02f4d13d69c0688e981ab5120" version="20220525"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>
<link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>s3</title>
<id>https://mrt:9091/services/data/ingest/rfsdestinations/s3</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>
<link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>authMethod</s:item>
<s:item>batchSizeThresholdKB</s:item>
<s:item>batchTimeout</s:item>
<s:item>compression</s:item>
<s:item>description</s:item>
<s:item>dropEventsOnUploadError</s:item>
<s:item>path</s:item>
<s:item>remote.s3.access_key</s:item>
<s:item>remote.s3.encryption</s:item>
<s:item>remote.s3.endpoint</s:item>
<s:item>remote.s3.kms.auth_region</s:item>
<s:item>remote.s3.kms.key_id</s:item>
<s:item>remote.s3.secret_key</s:item>
<s:item>remote.s3.signature_version</s:item>
<s:item>remote.s3.supports_versioning</s:item>
<s:item>remote.s3.url_version</s:item>
<s:item>target</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="path">s3://s2-testing-infra/data-action1/sharun/</s:key>
<s:key name="remote.s3.access_key"><hidden></s:key>
<s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>
<s:key name="remote.s3.secret_key"><hidden></s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Creates and configures the S3 destination.
Request parameters
| Name | Description |
|---|---|
| name | (Required) Name of the S3 destination. |
| path | (Required) Path (bucket and folder) of the destination. |
| remote.s3.access_key | (Optional) See indexes.conf. |
| remote.s3.secret_key | (Optional) See indexes.conf. |
| description | (Optional) Description of the destination. |
| remote.s3.endpoint | (Optional) See indexes.conf. |
| remote.s3.encryption | (Optional) See indexes.conf. |
| remote.s3.kms.key_id: | (Optional) See indexes.conf. |
| remote.s3.kms.auth_region | (Optional) See indexes.conf. |
| remote.s3.signature_version | (Optional) See indexes.conf. |
| remote.s3.supports_versioning | (Optional) See indexes.conf. |
| remote.s3.url_version | (Optional) See indexes.conf. |
| compression | (Optional) See outputs.conf. |
| dropEventsOnUploadError | (Optional) See outputs.conf. |
| batchTimeout | (Optional) See outputs.conf. |
| batchSizeThresholdKB | (Optional) See outputs.conf. |
| target | (Optional) When provided, the request will be proxied to the host specified here. |
Returned values
| Name | Description |
|---|---|
| name | Name of the S3 destination. |
| path | Path (bucket and folder) of the destination. |
| remote.s3.access_key | See indexes.conf. |
| remote.s3.secret_key | See indexes.conf. |
| description | Description of the destination. |
| remote.s3.endpoint | See indexes.conf. |
| remote.s3.encryption | See indexes.conf. |
| remote.s3.kms.key_id: | See indexes.conf. |
| remote.s3.kms.auth_region | See indexes.conf. |
| remote.s3.signature_version | See indexes.conf. |
| remote.s3.supports_versioning | See indexes.conf. |
| remote.s3.url_version | See indexes.conf. |
| compression | See outputs.conf. |
| dropEventsOnUploadError | See outputs.conf. |
| batchTimeout | See outputs.conf. |
| batchSizeThresholdKB | See outputs.conf. |
| target | When provided, the request will be proxied to the host specified here (optional). |
Example requests and responses
Request
Create a destination with name=s3:
curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations -d name=s3 -d path=s3://s2-testing-infra/data-action1/sharun/ -d remote.s3.access_key=ddd -d remote.s3.secret_key=ddd -d remote.s3.endpoint=https://s3.us-west-2.amazonaws.com
Response
* Trying 10.140.178.120:9091...
* Connected to mrt (10.140.178.120) port 9091 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=SplunkServerDefaultCert; O=SplunkUser
* start date: May 25 18:24:21 2022 GMT
* expire date: May 24 18:24:21 2025 GMT
* issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'admin'
> POST /services/data/ingest/rfsdestinations HTTP/1.1
> Host: mrt:9091
> Authorization: Basic YWRtaW46Y2hhbmdlbWU=
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Length: 159
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Wed, 25 May 2022 20:03:09 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 3783
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>ingest-rfs-destinations</title>
<id>https://mrt:9091/services/data/ingest/rfsdestinations</id>
<updated>2022-05-25T20:03:09+00:00</updated>
<generator build="fee4ee9be79e70f02f4d13d69c0688e981ab5120" version="20220525"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>
<link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>s3</title>
<id>https://mrt:9091/services/data/ingest/rfsdestinations/s3</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>
<link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="path">s3://s2-testing-infra/data-action1/sharun/</s:key>
<s:key name="remote.s3.access_key"><hidden></s:key>
<s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>
<s:key name="remote.s3.secret_key"><hidden></s:key>
</s:dict>
</content>
</entry>
</feed>
===========================
Note also that this action will create an outputs.conf file with the following stanza:
[rfs:s3] path = s3://s2-testing-infra/data-action1/sharun/ remote.s3.access_key = $7$F2Amvz3gXvMdCAX9p8RKwjdWKItSkSRakj9G2ZmULuWkccs= (encrypted) remote.s3.endpoint = https://s3.us-west-2.amazonaws.com remote.s3.secret_key = $7$AL6QuynbFGdNQu5dwh6puzt9dSFXDKdQn6ypEhVjxz0feAI= (encrypted)
Request
Edit a destination:
curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations/s3 -d path=s3://s2-testing-infra/data-action1/sharun100/-d remote.s3.access_key=aaa -d remote.s3.secret_key=bbb -d remote.s3.endpoint=https://s3.us-west-2.amazonaws.com
Response
* Trying 10.140.178.120:9011...
* TCP_NODELAY set
* Connected to mrt (10.140.178.120) port 9011 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=SplunkServerDefaultCert; O=SplunkUser
* start date: May 10 22:10:51 2022 GMT
* expire date: May 9 22:10:51 2025 GMT
* issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'admin'
> POST /services/data/ingest/rfsdestinations/s3 HTTP/1.1
> Host: mrt:9011
> Authorization: Basic YWRtaW46Y2hhbmdlbWU=
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 208
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 208 out of 208 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 31 May 2022 19:01:37 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 3786
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>ingest-rfs-destinations</title>
<id>https://mrt:9011/services/data/ingest/rfsdestinations</id>
<updated>2022-05-31T19:01:37+00:00</updated>
<generator build="d7f338ee11f8c6ff9ba4e4d98ff6e9b1b8da6a9c" version="20220510"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>
<link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>s3</title>
<id>https://mrt:9011/services/data/ingest/rfsdestinations/s3</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>
<link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>
<link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="path">s3://s2-testing-infra/data-action1/sharun100/</s:key>
<s:key name="remote.s3.access_key"><hidden></s:key>
<s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>
<s:key name="remote.s3.secret_key"><hidden></s:key>
</s:dict>
</content>
</entry>
</feed>
Request
Test connection to destination:
curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations/a3/test -d path=s3://s2-testing-infra/data-action1/sharun/-d remote.s3.access_key=aaa -d remote.s3.secret_key=bbb -d remote.s3.endpoint=https://s3.us-west-2.amazonaws.com
Response
* Trying 10.140.178.120:9011...
* TCP_NODELAY set
* Connected to mrt (10.140.178.120) port 9011 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=SplunkServerDefaultCert; O=SplunkUser
* start date: May 10 22:10:51 2022 GMT
* expire date: May 9 22:10:51 2025 GMT
* issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'admin'
> POST /services/data/ingest/rfsdestinations/a3/test HTTP/1.1
> Host: mrt:9011
> Authorization: Basic YWRtaW46Y2hhbmdlbWU=
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 205
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 205 out of 205 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 31 May 2022 19:07:32 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 1998
< Vary: Cookie, Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>ingest-rfs-destinations</title>
<id>https://mrt:9011/services/data/ingest/rfsdestinations</id>
<updated>2022-05-31T19:07:32+00:00</updated>
<generator build="d7f338ee11f8c6ff9ba4e4d98ff6e9b1b8da6a9c" version="20220510"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>
<link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages>
<s:msg type="INFO">The given s3/s3-supported destination and credentials are valid.</s:msg>
</s:messages>
</feed>
data/ingest/rulesets
https://<host>:<mPort>/services/data/ingest/rulesets
Retrieve a list of your rulesets.
GET
Return a list of your deployed rulesets.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| Name | The name of the retrieved ruleset. |
| Sourcetype | The sourcetype of the deployed ruleset. |
| Rules | The rules for your deployed ruleset. |
Example request and response.
JSON Request
curl -k -u admin:changeme https://localhost:8089/services/data/ingest/rulesets\?output_mode\=json
JSON Encoded Response
{"links":{},"entry":[{"name":"audittrail_to_s3","content":{"name":"audittrail_to_s3","description":"","sourcetype":"audittrail","rules":[{"name":"fgf5emvw","action":"filter_regex","field":"_raw","match":"lis"},{"name":"ripxbt8o","action":"route_regex","dest":"rfs:s3","field":"_raw","match":"acc"}]}},{"name":"ruleset1","content":{"name":"ruleset1","description":"","sourcetype":"foo1","rules":[]}},{"name":"ruleset_splunkd_ui_access","content":{"name":"ruleset_splunkd_ui_access","description":"x","sourcetype":"splunkd_ui_access","rules":[{"name":"f3kbymjc","action":"filter_regex","field":"_raw","match":"server/health"}]}}]}%
POST
Creates and updates a ruleset.
Request parameters
| Name | Description |
|---|---|
| Name | The name of the retrieved ruleset. |
| Sourcetype | The sourcetype of the deployed ruleset. |
| Rules | The rules for your deployed ruleset. |
Returned values
| Name | Description |
|---|---|
| Name | The name of the retrieved ruleset. |
| Sourcetype | The sourcetype of the deployed ruleset. |
| Rules | The rules for your deployed ruleset. |
Example request and response.
JSON Request
curl -k -u admin:changeme -X POST -d name=hello1 -d sourcetype=foobar1 -d 'rules=[{"name":"r1","action":"filter_regex","match":"hello"}]' https://localhost:8089/services/data/ingest/rulesets\?output_mode\=json
JSON Encoded Response
{"links":{},"entry":[{"name":"audittrail_to_s3","content":{"name":"audittrail_to_s3","description":"","sourcetype":"audittrail","rules":[{"name":"fgf5emvw","action":"filter_regex","field":"_raw","match":"lis"},{"name":"ripxbt8o","action":"route_regex","dest":"rfs:s3","field":"_raw","match":"acc"}]}},{"name":"ruleset1","content":{"name":"ruleset1","description":"","sourcetype":"foo1","rules":[]}},{"name":"ruleset_splunkd_ui_access","content":{"name":"ruleset_splunkd_ui_access","description":"x","sourcetype":"splunkd_ui_access","rules":[{"name":"f3kbymjc","action":"filter_regex","field":"_raw","match":"server/health"}]}}]}%
data/ingest/rulesets/{name}
https://<host>:<mPort>/services/data/ingest/rulesets/{name}
Retrieve a particular ruleset.
GET
Return a named deployed ruleset.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| Name | The name of the retrieved ruleset. |
| Sourcetype | The sourcetype of the deployed ruleset. |
| Rules | The rules for your deployed ruleset. |
Example request and response.
JSON Request
GET /data/ingest/rulesets?output_mode=json
JSON Encoded Response
{
name: "Drop security data",
sourcetype: "syslog",
rules: [
{ name: "Security - rarely important",
match: "Kerberos service ticket was (requested|renewed)",
action: "filter_regex"
} ]
}
POST
Creates and updates a named ruleset.
Request parameters
| Name | Description |
|---|---|
| Name | The name of the retrieved ruleset. |
| Match | What your deployed ruleset matches. |
| Action | The action that your deployed ruleset does. |
Returned values
| Name | Description |
|---|---|
| Name | The name of the retrieved ruleset. |
| Match | What your deployed ruleset matches. |
| Action | The action that your deployed ruleset does. |
Example request and response.
JSON Request
curl -k -u admin:Chang3d! https://localhost:8089/services/data/ingest/rulesets?output_mode=json -d name=ruleset1 -d sourcetype=splunkd_access -d rules="[{\"name\": \"rule1\", \"cond\": {\"type\": \"regex\", \"field\": \"_raw\", \"match\": \"DEBUG\"}, \"action\": \"filter\"}]"
JSON Encoded Response
{
"links": {},
"entry": [
{
"name": "hello1",
"content": {
"name": "hello1",
"description": "",
"sourcetype": "foobar1",
"rules": [
{
"name": "r1",
"action": "filter_regex",
"field": "_raw",
"match": "hello"
}
]
}
}
]
}
data/ingest/rulesets/publish
https://<host>:<mPort>/services/data/ingest/rulesets/publish
Publish ruleset changes on the indexer cluster manager.
POST
Push the ruleset changes into deployment.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| Name | The name of the retrieved ruleset. |
| Match | What your deployed ruleset matches. |
| Action | The action that your deployed ruleset does. |
Example request and response.
JSON Request
curl -k -u admin:changeme -X POST -d 'rules=[{"name":"r1","action":"filter_regex","match":"hello"}]' https://localhost:8089/services/data/ingest/rulesets/hello1\?output_mode\=json
JSON Encoded Response
{
"messages": [
{
"status": "succeeded",
"new_checksum": "B4D4DB74DD2BF50AD9D51F999E3EBBAD"
}
]
}
data/inputs/ad
https://<host>:<mPort>/services/data/inputs/ad
Access and configure the active directory monitoring input.
GET
Get the current active directory monitoring configuration.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| disabled | Indicates whether this input is disabled. |
| index | The index in which to store the gathered data.
If no value is present, sends data to the default index. |
| monitorSubtree | Indicates whether or not to monitor the subtrees of a given Active Directory tree path. |
| startingNode | Tells Splunk software where in the Active Directory directory tree to start monitoring.
If not specified, Splunk software attempts to start at the root of the directory tree. The user as which you configure Splunk to run at installation determines where Splunk software starts monitoring. |
| targetDc | Fully qualified domain name of a valid, network-accessible Active Directory domain controller.
If not specified, Splunk software obtains the local computer DC by default, and binds to its root Distinguished Name (DN). |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/ad
XML Response
...
<title>win-admon</title>
<id>https://10.1.5.157:8089/services/data/inputs/ad</id>
<updated>2011-07-29T19:13:28-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/ad/_new" rel="create"/>
<link href="/services/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>NearestDC</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/ad/NearestDC</id>
<updated>2011-07-29T19:13:28-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="index">default</s:key>
<s:key name="monitorSubtree">1</s:key>
<s:key name="startingNode"/>
<s:key name="targetDc"/>
</s:dict>
</content>
</entry>
POST
Create or modify performance monitoring settings.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Boolean | Indicates whether to query baseline objects. Defaults to true.
Baseline objects are objects which currently reside in Active Directory and include previously deleted objects. | |
| host | String | Docs-W8R2-Std7 | Host name for the Active Directory Monitor. |
| index | String | default | The index in which to store the gathered data.
If not specified defaults to the default index. |
| monitorSubtree | Number | Required. Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. | |
| name | String | Required. A unique name that represents a configuration or set of configurations for a specific domain controller. | |
| printSchema | Boolean | Indicates whether to print the Active Directory schema. Defaults to true. | |
| source | String | Source for data inputs. | |
| sourcetype | String | Source type of data inputs. | |
| startingNode | String | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. | |
| targetDc | String | Specifies a fully qualified domain name of a valid, network-accessible domain controller. If not specified, Splunk software gets the local domain controller. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/admin/search/data/inputs/ad -d monitorSubtree=0 -d name=newdc
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:14:57-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/ad/{name}
https://<host>:<mPort>/services/data/inputs/ad/{name}
Manage {name} active directory monitoring.
DELETE
Delete the {name} Active Directory monitoring stanza.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:22:50-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Gets the current configuration for the {name} Active Directory monitoring stanza.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| Attribute | Description |
| disabled | Indicates whether this input is disabled. |
| index | The index in which to store the gathered data.
If no value is present, send data to the default index. |
| monitorSubtree | Indicates whether or not to monitor the subtrees of a given Active Directory tree path. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
XML Response
...
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:18:18-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>newdc</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad/newdc</id>
<updated>2011-07-29T19:18:18-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>startingNode</s:item>
<s:item>targetDc</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>monitorSubtree</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubtree">0</s:key>
</s:dict>
</content>
</entry>
POST
Update the {name} Active Directory monitoring stanza.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Boolean | Indicates whether to query baseline objects. Defaults to true.
Baseline objects are objects which currently reside in Active Directory and include previously deleted objects. | |
| host | String | Docs-W8R2-Std7 | Host name for the Active Directory Monitor. |
| index | String | default | The index in which to store the gathered data.
If not specified defaults to the default index. |
| monitorSubtree required |
Number | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. | |
| printSchema | Boolean | Indicates whether to print the Active Directory schema. Defaults to true. | |
| source | String | Source for data inputs. | |
| sourcetype | String | Source type of data inputs. | |
| startingNode | String | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. | |
| targetDc | String | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk software gets the local computer's DC. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc -d monitorSubtree=1
XML Response
...
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:20:16-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
data/inputs/all
https://<host>:<mPort>/services/data/inputs/all
Access all inputs to the Splunk deployment. This includes any modular inputs that may be defined on the system.
GET
List all inputs, including modular inputs.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| common | Boolean | Indicates whether to return only attributes common to all inputs. The common attributes are as follows.
|
Pagination and filtering parameters can be used with this method.
Returned values
Returns an <entry> element for each input, listing attributes specific to the input. See the following example for more details.
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/all
XML Response
...
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>all</title>
<id>https://localhost:8089/services/data/inputs/all</id>
<updated>2012-10-01T16:08:24-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/all/_new" rel="create"/>
<link href="/services/data/inputs/all/_reload" rel="_reload"/>
<link href="/services/data/inputs/all/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title></title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/</id>
<updated>2012-10-01T16:08:24-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/all/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/all/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/all//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/all/" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/all//enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="host">splunks-ombra.sv.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>$SPLUNK_HOME/etc/splunk.version</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
<updated>2012-10-01T16:08:24-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_TCP_ROUTING">*</s:key>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="filecount">1</s:key>
<s:key name="host">splunks-ombra.sv.splunk.com</s:key>
<s:key name="index">_internal</s:key>
<s:key name="sourcetype">splunk_version</s:key>
</s:dict>
</content>
</entry>
. . . elided ...
data/inputs/all/{name}
https://<host>:<mPort>/services/data/inputs/all/{name}
Get information about the {name} input source.
GET
List details for the {name} input.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| common | Boolean | Indicates whether to return only attributes common to all inputs. These common attributes are as follows.
|
Returned values
The response lists attributes for the {name} input. See the following example for details.
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/all/twitter
XML Response
...
<title>all</title>
<id>https://localhost:8089/services/data/inputs/all</id>
<updated>2012-07-11T08:03:17-07:00</updated>
<generator build="129290" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/all/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>twitter</title>
<id>https://localhost:8089/services/data/inputs/all/twitter</id>
<updated>2012-07-11T08:03:17-07:00</updated>
<link href="/services/data/inputs/all/twitter" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/all/twitter" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="description">Get data from Twitter.</s:key>
... eai:acl nodes and eai:attribute nodes elided ...
<s:key name="endpoint">
<s:dict>
<s:key name="args">
<s:dict>
<s:key name="name">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
<s:key name="order">0</s:key>
<s:key name="title">Twitter feed name</s:key>
</s:dict>
</s:key>
<s:key name="password">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your twitter password</s:key>
<s:key name="order">2</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Password</s:key>
</s:dict>
</s:key>
<s:key name="username">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Twitter ID.</s:key>
<s:key name="order">1</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Twitter ID/Handle</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="streaming_mode">simple</s:key>
<s:key name="title">Twitter</s:key>
</s:dict>
</content>
</entry>
data/inputs/http
https://<host>:<mPort>/services/data/inputs/http
Access or update HTTP Event Collector global configuration tokens and application tokens.
See also
For more information, see details for the following associated endpoints.
- data/inputs/http/{name}
- data/inputs/http/{name}/enable
- data/inputs/http/{name}/disable
- collector/event
GET
Access global configuration information and a list of tokens
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
See data/inputs/http/{name} for app-level response data keys.
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/http
XML Response
<title>http</title>
<id>https://localhost:8089/services/data/inputs/http</id>
<updated>2015-01-26T22:43:26-08:00</updated>
<generator build="250128" version="20150120"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/http/_new" rel="create"/>
<link href="/services/data/inputs/http/_reload" rel="_reload"/>
... opensearch elided ...
<s:messages/>
<entry>
<title>http</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http</id>
<updated>2015-01-26T22:43:26-08:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/http/http" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/http" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>http://%22myapp"</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22</id>
<updated>2015-01-26T22:43:26-08:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">3DEA16E1-413A-46C2-A74F-E79DC3DF3CA2</s:key>
</s:dict>
</content>
</entry>
POST
Modify global configuration. Add and modify tokens.
Global request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| dedicatedIoThreads | Number | 2 | Number of threads used by HTTP Input server. |
| disabled | Boolean | 1 | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| enableSSL | Boolean | 1 | Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled. |
| index | String | Index to store generated events. | |
| indexes | String | Set of indexes allowed for events with this token. | |
| maxSockets | Number | 0 | Maximum number of simultaneous HTTP connections accepted. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS. |
| maxThreads | Number | 0 | Maximum number of threads that can be used by active HTTP transactions. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS. |
| name required |
String | Token name (inputs.conf key) | |
| port |
Number | 8088 | HTTP data input IP port. |
| source | String | Default source for events with this token. | |
| sourcetype | String | Default sourcetype for events with this token. | |
| useDeploymentServer | Boolean | 0 (disabled) |
Indicates whether the event collector input writes its configuration to a deployment server repository.
When this setting is set to Copy the full contents of the When enabled, only the tokens defined in the When disabled, the input writes its configuration to Defaults to 0 (disabled). |
Application-level request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | 1 | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| index | String | Index to store generated events. | |
| indexes | String | Set of indexes allowed for events with this token. | |
| name required |
String | Token name (inputs.conf key) | |
| source | String | Default source for events with this token. | |
| sourcetype | String | Default sourcetype for events with this token. |
Global returned values
| Name | Description | ||
|---|---|---|---|
| dedicatedIoThreads | Number of threads used by HTTP Input server. | ||
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. | ||
| enableSSL | Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled. | ||
| host | Host from which the indexer gets data. | ||
| index | Index to store generated events. | ||
| indexes | Set of indexes allowed for events with this token. | ||
| port |
HTTP data input IP port. | ||
| _rcvbuf | Socket receive buffer size (bytes). | ||
| source | Default source for events with this token. | ||
| sourcetype | Default sourcetype for events with this token. | ||
| useDeploymentServer | Boolean | 0 (disabled) |
Indicates whether the event collector input writes its configuration to a deployment server repository.
When this setting is set to Copy the full contents of the When enabled, only the tokens defined in the When disabled, the input writes its configuration to Defaults to 0 (disabled). |
Application-level returned values
| Name | Description |
|---|---|
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| _rcvbuf | Socket receive buffer size (bytes). |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http -d name=myapp
XML Response
...
<title>http</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
<updated>2015-01-30T12:45:28-08:00</updated>
<generator build="250128" version="20150120"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
<link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
... opensearch ...
<s:messages/>
<entry>
<title>http://myapp</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
<updated>2015-01-30T12:45:28-08:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl ...
<s:key name="eai:appName">system</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
</s:dict>
</content>
</entry>
data/inputs/http/{name}
https://<host>:<mPort>/services/data/inputs/http/{name}
Manage the {name} HTTP Event Collector token. HTTP, as in data/inputs/http/http, indicates global configuration.
See also
For more information, see details for the following associated endpoints.
DELETE
Delete a token.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/http/http%3A%252F%252Fmyapp
XML Response
<title>http</title> <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id> <updated>2015-01-30T13:03:18-08:00</updated> <generator build="250128" version="20150120"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/> <link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/> ... opensearch elided ... <s:messages/> </feed>
GET
Get token configuration details.
Request parameters
None
Global response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| dedicatedIoThreads | Number of threads for HTTP event collector server. |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
|
| enableSSL | SSL enablement status. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| port | HTTP data event collector IP port. |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint.
|
| useDeploymentServer | Indicates whether the event collector input writes its configuration to a deployment server repository.
When this setting is set to Copy the full contents of the When enabled, only the tokens defined in the When disabled, the input writes its configuration to Defaults to 0 (disabled). |
Application-level response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint.
|
Example request and response
XML Request
curl -u admin:pass https://localhost:8089//servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/http/%252Fvar%252Flog
XML Response
...
<title>http</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
<updated>2015-01-26T23:01:34-08:00</updated>
<generator build="250128" version="20150120"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
<link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
... opensearch elided ...
<s:messages/>
<entry>
<title>http://%22myapp"</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22</id>
<updated>2015-01-26T23:01:34-08:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl elided ...
<s:key name="eai:appName">system</s:key>
... eai:attributes elided ...
<s:key name="eai:userName">nobody</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">3DEA16E1-413A-46C2-A74F-E79DC3DF3CA2</s:key>
</s:dict>
</content>
</entry>
POST
Update token configuration information.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | 1 |
Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
|
| host | String | Default host. | |
| index | String | Index to store generated events. | |
| indexes | String | Set of indexes allowed for events with this token. | |
| name | String | Required. Token name (inputs.conf key)
| |
| source | String | Default source for events with this token. | |
| sourcetype | String | Default sourcetype for events with this token. | |
| useDeploymentServer | Boolean | 0 (disabled) |
Indicates whether the event collector input writes its configuration to a deployment server repository.
When this setting is set to Copy the full contents of the When enabled, only the tokens defined in the When disabled, the input writes its configuration to Defaults to 0 (disabled). |
Returned values
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint.
|
| useDeploymentServer | Indicates whether the event collector input writes its configuration to a deployment server repository.
When this setting is set to Copy the full contents of the When enabled, only the tokens defined in the When disabled, the input writes its configuration to Defaults to 0 (disabled). |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http%3A%252F%252Fmyapp -d recursive=false
XML Response
...
<title>http</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
<updated>2015-01-30T12:51:17-08:00</updated>
<generator build="250128" version="20150120"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
<link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
... opensearch elided ...
<s:messages/>
<entry>
<title>http://myapp</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
<updated>2015-01-30T12:51:17-08:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl elided ...
<s:key name="eai:appName">system</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="recursive">false</s:key>
<s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
</s:dict>
</content>
</entry>
data/inputs/http/{name}/disable
https://<host>:<mPort>/services/data/inputs/http/{name}/disable
Disable the {name} HTTP Event Collector token.
See also
POST
Disable the {name} HTTP Event Collector token.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Default source for events with this token. |
| sourcetype | Default sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint.
|
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http/http%3A%252F%252Fmyapp/disable
XML Response
<title>http</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
<updated>2015-01-30T12:59:44-08:00</updated>
<generator build="250128" version="20150120"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
<link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
... opensearch elided ...
<s:messages/>
<entry>
<title>http://myapp</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
<updated>2015-01-30T12:59:44-08:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">1</s:key>
... eai:acl elided ...
<s:key name="eai:appName">system</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="recursive">false</s:key>
<s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
</s:dict>
</content>
</entry>
data/inputs/http/{name}/enable
https://<host>:<mPort>/services/data/inputs/http/{name}/enable
Enable the {name} HTTP Event Collector token.
The POST request to this endpoint reloads the HTTP Event Collector server, including when the server is already enabled and running.
See also
POST
Enable the {name} HTTP Event Collector token.
The POST request reloads the HTTP Event Collector server, including when the server is already enabled and running.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Default source for events with this token. |
| sourcetype | Default sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http/http%3A%252F%252Fmyapp/enable
XML Response
...
<title>http</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
<updated>2015-01-30T12:56:38-08:00</updated>
<generator build="250128" version="20150120"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
<link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
... opensearch elided ...
<s:messages/>
<entry>
<title>http://myapp</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
<updated>2015-01-30T12:56:38-08:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
<link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl elided ...
<s:key name="eai:appName">system</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="recursive">false</s:key>
<s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
</s:dict>
</content>
</entry>
data/inputs/http/{name}/rotate
https://<host>:<mPort>/services/data/inputs/http/{name}/rotate
Regenerate the {name} token value.
POST
Regenerate the {name} token value.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| token | Regenerated token value. |
Example request and response
XML Request
curl -u admin:changeme https://localhost:8089/servicesNS/nobody/splunk_httpinput/data/inputs/http/my_app_name/rotate -X post
XML Response
<?xml version="1.0" encoding="UTF-8"?>
. . . . . .
<s:key name="token">64D47EC6-C510-4519-A520-EC4CAA157B97</s:key>
. . . . . .
</feed>
data/inputs/monitor
https://<host>:<mPort>/services/data/inputs/monitor
Access monitor inputs.
GET
List enabled and disabled monitor inputs.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| _TCP_ROUTING | List of TCP forwarding groups, as specified in outputs.conf.
|
| disabled | Indicates if inputs monitoring is disabled. |
| filecount | Number of files monitored. |
| host | Name of the Splunk host for which inputs are monitored. |
| index | The index in which to store the gathered data. |
| sourcetype | Source type being monitored.
The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk software formats your data. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/monitor
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/services/data/inputs/monitor</id>
<updated>2011-07-10T14:25:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/monitor/_new" rel="create"/>
<link href="/services/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>$SPLUNK_HOME/etc/splunk.version</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
<updated>2011-07-10T14:25:53-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_TCP_ROUTING">*</s:key>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="filecount">1</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">_internal</s:key>
<s:key name="sourcetype">splunk_version</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a new file or directory monitor input.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| blacklist | String | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. |
| check-index | Boolean | If set to true, the index value is checked to ensure that it is the name of a valid index. |
| check-path | Boolean | If set to true, the name value is checked to ensure that it exists. |
| crc-salt | String | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). |
| disabled | Boolean | Indicates if input monitoring is disabled. |
| followTail | Boolean | If set to true, files that are seen for the first time is read from the end. |
| host | String | The value to populate in the host field for events from this data input. |
| host_regex | String | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. |
| host_segment | Number | Use the specified slash-separate segment of the filepath as the host field value. |
| ignore-older-than | String | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. |
| index | String | Which index events from this input should be stored in. Defaults to default.
|
| name | String | Required. The file or directory path to monitor on the system. |
| recursive | Boolean | Setting this to false prevents monitoring of any subdirectories encountered within this data input.
|
| rename-source | String | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
| time-before-close | Number | When Splunk software reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. |
| whitelist | String | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name=/var/log
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:27:57-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/monitor/{name}
https://<host>:<mPort>/services/data/inputs/monitor/{name}
Manage the {name} monitor input.
DELETE
Disable the named monitor data input and remove it from the configuration.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:35:35-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
List the properties of a single monitor data input.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| disabled | Indicates if inputs monitoring is disabled. |
| filecount | Number of files being monitored. |
| host | Name of the Splunk host for which inputs are monitored. |
| index | The index events from this input should be stored in. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:33:54-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog</id>
<updated>2011-07-10T14:33:54-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members" rel="members"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>blacklist</s:item>
<s:item>check-index</s:item>
<s:item>check-path</s:item>
<s:item>crc-salt</s:item>
<s:item>followTail</s:item>
<s:item>host</s:item>
<s:item>host_regex</s:item>
<s:item>host_segment</s:item>
<s:item>ignore-older-than</s:item>
<s:item>index</s:item>
<s:item>recursive</s:item>
<s:item>rename-source</s:item>
<s:item>sourcetype</s:item>
<s:item>time-before-close</s:item>
<s:item>whitelist</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="filecount">108</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update properties of the named monitor input.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| blacklist | String | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. |
| check-index | Boolean | If set to true, the "index" value is checked to ensure that it is the name of a valid index. |
| check-path | Boolean | If set to true, the "name" value is checked to ensure that it exists. |
| crc-salt | String | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). |
| disabled | Boolean | Indicates if input monitoring is disabled. |
| followTail | Boolean | If set to true, files that are seen for the first time is read from the end. |
| host | String | The value to populate in the host field for events from this data input. |
| host_regex | String | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. |
| host_segment | Number | Use the specified slash-separate segment of the filepath as the host field value. |
| ignore-older-than | String | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. |
| index | String | Which index events from this input should be stored in. Defaults to default.
|
| recursive | Boolean | Setting this to "false" prevents monitoring of any subdirectories encountered within this data input. |
| rename-source | String | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
| time-before-close | Number | When Splunk software reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. |
| whitelist | String | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog -d recursive=false
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:35:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/monitor/{name}/members
https://<host>:<mPort>/services/data/inputs/monitor/{name}/members
List {name} monitor input files.
GET
List all files monitored under the named monitor input.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
The response includes a list of monitored files. See the following example for more details.
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:34:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log/acpid</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid</id>
<updated>2011-07-10T14:34:28-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
data/inputs/oneshot
https://<host>:<mPort>/services/data/inputs/oneshot
Access oneshot inputs in progress or queue a file for immediate indexing.
GET
Access oneshot inputs in progress.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input.
This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.
You can obtain the percentage of a source file read by calculating offset/size. |
| Size | Size of the source file, in bytes.
You can obtain the percentage of a source file read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip.
A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/oneshot
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log/distccd.log</title>
<id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="Bytes Indexed">7200768</s:key>
<s:key name="Offset">7200768</s:key>
<s:key name="Size">449630160</s:key>
<s:key name="Sources Indexed">0</s:key>
<s:key name="Spool Time">Fri Jul 8 01:47:53 PDT 2011</s:key>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
</feed>
POST
Queue a file for immediate indexing.
Usage details
The file being queued must be locally accessible from the server. This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether it is already indexed.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| host | String | The value of the host field to be applied to data from this file.
| |
| host_regex | String | A regex to be used to extract a host field from the path.
If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. | |
| host_segment | Number | Use the specified slash-separate segment of the path as the host field value. | |
| index | String | The destination index for data processed from this file. | |
| name | String | Required. The path to the file to be indexed. The file must be locally accessible by the server. | |
| rename-source | String | The value of the source field to be applied to data from this file.
| |
| sourcetype | String | The value of the sourcetype field to be applied to data from this file.
|
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/oneshot -d name=/var/log/messages
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/oneshot/{name}
https://<host>:<mPort>/services/data/inputs/oneshot/{name}
Get information about the {name} one-shot input.
GET
Access information about the {name} in-progress oneshot input.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input.
This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.
You can obtain the percentage of a source file read by calculating offset/size. |
| Size | Size of the source file, in bytes.
You can obtain the percentage of a source file read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip.
A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:49:20-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log/messages</title>
<id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages</id>
<updated>2011-07-08T01:49:20-07:00</updated>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="Bytes Indexed">114822</s:key>
<s:key name="Offset">114822</s:key>
<s:key name="Size">114822</s:key>
<s:key name="Sources Indexed">0</s:key>
<s:key name="Spool Time">Fri Jul 8 01:48:04 PDT 2011</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/registry
https://<host>:<mPort>/services/data/inputs/registry
Access the Windows registry monitoring input.
GET
Get current registry monitoring configuration details.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| baseline | Indicates whether or not Splunk software should get a baseline of Registry events when it starts. Defaults to false.
If true, the input captures a baseline for the specified hive when the input starts for the first time. |
| disabled | Indicats whether this input is disabled. |
| hive | Regular expression for Registry hives that this input should monitor for Registry access.
Matches against the Registry key which was accessed. Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through. |
| index | Specifies the index that this input should send the data to.
If no value is present, defaults to the default index. |
| monitorSubnodes | Indicates whether to monitor all Registry hives beneath the specified hive. |
| proc | Regular expression for processes this input should monitor for Registry access.
It matches against the process name which performed the Registry access. Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through. |
| type | A regular expression that specifies the types of Registry events to monitor. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/registry
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/services/data/inputs/registry</id>
<updated>2011-07-29T19:31:32-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/registry/_new" rel="create"/>
<link href="/services/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Machine keys</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/Machine%20keys</id>
<updated>2011-07-29T19:31:32-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="baseline">0</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hive">HKLM</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubnodes">1</s:key>
<s:key name="proc">c:\.*</s:key>
<s:key name="type">
<s:list>
<s:item>set</s:item>
<s:item>create</s:item>
<s:item>delete</s:item>
<s:item>rename</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Creates new or modify existing registry monitoring settings.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Boolean | Required. Indicate whether to establish a baseline value for the registry keys. Use 1 to establish the baseline, 0 for no baseline.
| |
| hive | String | Required. Specify the registry hive for monitoring changes. | |
| name | String | Required. Name of the configuration stanza. | |
| proc | String | Required. Specify a regex for collecting changes if a process name matches the regex. | |
| type | String | Required. List registry event types that you want to monitor. Separate each type with a pipe ('|') character. For example,
set | create | delete | rename | |
| disabled | Boolean | Indicates whether the monitoring is disabled. | |
| index | String | default | The index in which to store the gathered data. |
| monitorSubnodes | Boolean | True | Indicates whether to monitor all registry hives beneath the specified hive. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry -d baseline=1 -d hive="HKU\\.*" -d name=mykeys -d proc="c:\\.*" -d type="set|create|delete|rename"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:29:18-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/registry/{name}
https://<host>:<mPort>/services/data/inputs/registry/{name}
Manage registry monitoring {name} stanza.
DELETE
Delete a registry monitoring configuration stanza.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:36:54-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Gets current registry monitoring configuration stanza
Request parameters
None
Returned values
| Name | Description |
|---|---|
| baseline | Indicates whether to get a baseline of Registry events when Splunk software starts. |
| disabled | Indicates if the input is disabled. |
| hive | Regular expression for Registry hives that this input should monitor for Registry access.
Matches against the Registry key which was accessed. Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through. |
| index | Specifies the index that this input should send the data to.
If no value is present, defaults to the default index. |
| monitorSubnodes | Indicates whether to monitor all Registry hives beneath the specified hive. |
| proc | Regular expression for processes this input should monitor for Registry access.
It matches against the process name which performed the Registry access. Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through. |
| type | Regular expression that specifies the types of Registry events to monitor. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:33:21-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>mykeys</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/mykeys</id>
<updated>2011-07-29T19:33:21-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="baseline">1</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>monitorSubnodes</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>baseline</s:item>
<s:item>hive</s:item>
<s:item>proc</s:item>
<s:item>type</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="hive">HKU</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubnodes">1</s:key>
<s:key name="proc">c:\.*</s:key>
<s:key name="type">
<s:list>
<s:item>set</s:item>
<s:item>create</s:item>
<s:item>delete</s:item>
<s:item>rename</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Modify the named registry monitoring stanza.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Number | Required. Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no. | |
| hive | String | Required. Specifies the registry hive under which to monitor for changes. | |
| proc | String | Required. Specifies a regex. If specified, collect changes if a process name matches that regex. | |
| type | String | Required. A list of registry events types that you want to monitor. Separate each type with a pipe ('|') character.
For example: set | create | delete | rename | |
| disabled | Number | Indicates whether the monitoring is disabled. | |
| index | String | default | The index in which to store the gathered data. |
| monitorSubnodes | Boolean | True | Indicates whether to monitor all Registry hives beneath the specified hive. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys -d baseline=1 -d hive="HKU\\.*" -d proc="c:\\.*" -d type="set|create"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:36:07-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/script
https://<host>:<mPort>/services/data/inputs/script
Access scripted inputs.
GET
Get the configuration settings for scripted inputs.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| endtime | If available, the time when the script stopped executing. |
| group | The name of the inputstatus group, which is always "exec commands." |
| host | Host with which these data are identified. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule.
Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
| source | The source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. |
| sourcetype | Sets the sourcetype key/field for events from this input. If unset, Splunk software picks a source type based on various aspects of the data. There is no hard-coded default.
For more information, see the documentation for the sourcetype parameter for the POST operation. |
| starttime | If available, the time the when the script was executed. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/script
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/services/data/inputs/script</id>
<updated>2011-07-09T20:16:11-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/script/_new" rel="create"/>
<link href="/services/data/inputs/script/_reload" rel="_reload"/>
<link href="/services/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
<id>https://localhost:8089/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh</id>
<updated>2011-07-09T20:16:11-07:00</updated>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="list"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="edit"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="endtime">Sat Jul 9 20:15:54 2011</s:key>
<s:key name="group">exec commands</s:key>
<s:key name="host">myhost.splunk.com</s:key>
<s:key name="index">os</s:key>
<s:key name="interval">30</s:key>
<s:key name="source">cpu</s:key>
<s:key name="sourcetype">cpu</s:key>
<s:key name="starttime">Sat Jul 9 20:15:52 2011</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Configure scripted input settings.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Specifies whether the input script is disabled. | |
| host | String | Sets the host for events from this input. Defaults to whatever host sent the event. | |
| index | String | default | Sets the index for events from this input. Defaults to the main index. |
| interval | Number | 60.0 | Required. Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| name | String | Required. Specify the name of the scripted input. | |
| passAuth | String | User to run the script as.
If you provide a username, Splunk software generates an auth token for that user and passes it to the script. | |
| rename-source | String | Specify a new name for the source field for the script. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Sets the sourcetype key/field for events from this input. If unset, Splunk software picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.
Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script -d name=/Applications/splunk4.3/etc/apps/myApp/bin/myScript.sh -d disabled=true -d interval=3600
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:25:17-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/script/restart
https://<host>:<mPort>/services/data/inputs/script/restart
Allows for restarting scripted inputs.
POST
Causes a restart on a given scripted input.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| script | String | Required. Path to the script to be restarted. This path must match an already-configured existing scripted input. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/restart -d script=/Applications/splunk/bin/scripts/myScript.sh
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:38:38-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/script/{name}
https://<host>:<mPort>/services/data/inputs/script/{name}
Manage the {name} scripted input.
DELETE
Removes the {name} scripted input.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk4.3%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:29:18-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Returns the configuration settings for the {name} scripted input.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| group | The name of the inputstatus group, which is always "exec commands." |
| host | Host these data are identified with. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule.
Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T21:53:43-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh</id>
<updated>2011-07-09T21:53:43-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>interval</s:item>
<s:item>rename-source</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">exec commands</s:key>
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
<s:key name="interval">3600</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Configures settings for the {name} scripted input.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Specifies whether the input script is disabled. | |
| host | String | Sets the host for events from this input. Defaults to whatever host sent the event. | |
| index | String | default | Sets the index for events from this input. Defaults to the main index. |
| interval | Number | 60.0 | Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| passAuth | String | User to run the script as.
If you provide a username, Splunk software generates an auth token for that user and passes it to the script. | |
| rename-source | String | Specify a new name for the source field for the script. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.
| |
| sourcetype | String | Sets the sourcetype key/field for events from this input. If unset, Splunk software picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.
Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh -d interval=86400
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:27:59-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/tcp/cooked
https://<host>:<mPort>/services/data/inputs/tcp/cooked
Access cooked TCP input information and create new containers for managing cooked data.
Usage details
Forwarders can transmit three types of data: raw, unparsed, or parsed. "Cooked" data refers to parsed and unparsed formats.
GET
Access information about all cooked TCP inputs.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/cooked
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:50:50-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/services/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>9993</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9993</id>
<updated>2011-07-10T14:50:50-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a new container for managing cooked data.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | If SSL is not already configured, error is returned | |
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the input is disabled. | |
| host | String | The default value to fill in for events lacking a host value. | |
| name | Number | Required. The port number of this input. | |
| queue | "parsingQueue" | "indexQueue" | "parsingQueue" | Specifies where the input processor should deposit the events it reads. |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked -d name=9998
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:33-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/tcp/cooked/{name}
https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}
Manage cooked TCP inputs for the {name} host or port.
DELETE
Remove the cooked TCP inputs for port or host:port specified by {name}.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/tiny:9998
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:54:45-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Access information for the {name} cooked TCP input.
Usage details
If port is restricted to a host, {name} should be a URI-encoded host:port.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:40-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>9998</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998</id>
<updated>2011-07-10T14:52:40-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update the container for managing cooked data.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | If SSL is not already configured, error is returned | |
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the input is disabled. | |
| host | String | The default value to fill in for events lacking a host value. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998 -d restrictToHost=tiny
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:54-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/tcp/cooked/{name}/connections
https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}/connections
Get active connections to the {name} port.
GET
List active connections to the {name} port.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| connection | Identifies the connection to port. |
| servername | Server name of forwarder connecting to this port. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-13T14:55:18-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>Cooked:9998:127.0.0.1:20089</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089</id>
<updated>2011-07-13T14:55:18-0700</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="connection">9998:127.0.0.1:20089</s:key>
... eai:acl node elided ...
<s:key name="servername">fool03.splunk.com</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/tcp/raw
https://<host>:<mPort>/services/data/inputs/tcp/raw
Container for managing raw tcp inputs from forwarders.
Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.
Authentication and authorization
The edit_tcp capability is required for this endpoint.
GET
Get information about all raw TCP inputs.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | Host from which the indexer gets data. |
| index | The index in which to store generated events. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44000</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44000</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a new data input for accepting raw TCP data.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| host | String | Host from which the indexer gets data. | |
| index | String | default | Index to store generated events. |
| name required |
String | The input port which receives raw data. | |
| queue | Enum | Valid values: (parsingQueue | indexQueue)
Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to Set queue to | |
| rawTcpDoneTimeout | Number | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.
If a connection over the port specified by | |
| restrictToHost | String | Allows for restricting this input to only accept data from the host specified here. | |
| SSL | Boolean | ||
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Set the source type for events from this input.
"sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw -d name=44343
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/tcp/raw/{name}
https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}
Manage raw inputs for the {name} host or port.
Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.
DELETE
Remove the raw inputs for port or host:port specified by {name}
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:31-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Returns information about raw TCP input port {name}.
If port is restricted to a host, name should be URI-encoded host:port.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:37:09-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44343</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343</id>
<updated>2011-07-08T02:37:09-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Updates the container for managing raw data.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | ||
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| host | String | Host from which the indexer gets data. | |
| index | String | default | Index to store generated events. |
| queue | Enum | Valid values: (parsingQueue | indexQueue)
Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to Set queue to | |
| rawTcpDoneTimeout | Number | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.
If a connection over the port specified by | |
| restrictToHost | String | Allows for restricting this input to only accept data from the host specified here. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Set the source type for events from this input.
"sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343 -d sourcetype=syslog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/tcp/raw/{name}/connections
https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}/connections
Get active connections the {name} host or port.
Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.
GET
View all connections to the named data input.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| connection | IP address and port of the source connecting to this TCP input port. |
| servername | DNS name of the source connecting to this TCP input port. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw/9998/connections
XML Response
...
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2011-07-13T16:14:33-07:00</updated>
<generator version="103477"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Raw:9998:127.0.0.1</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1</id>
<updated>2011-07-13T16:14:33-07:00</updated>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="list"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1/_reload" rel="_reload"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="edit"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="connection">9998:127.0.0.1</s:key>
... eai:acl node elided ...
<s:key name="servername"></s:key>
</s:dict>
</content>
</entry>
data/inputs/tcp/splunktcptoken
https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken
Manage receiver access using tokens.
Usage details
Get information on all receiver tokens or create a new token. To edit or delete an existing token, see data/inputs/tcp/splunktcptoken/{name}.
Note: Configure the forwarder with the same token as the receiver to ensure that the forwarder receives data.
Authentication and Authorization:
The edit_splunktcp_token capability is required for this endpoint.
GET
Return all configured tokens.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
Response data keys are returned for each receiver token.
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken
XML Response
<title>splunktcptoken</title>
<id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
<updated>2015-09-16T09:31:52-07:00</updated>
<generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>splunktcptoken://tok1</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
<updated>2015-09-16T09:31:52-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>splunktcptoken://tok3</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3</id>
<updated>2015-09-16T09:31:52-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">4EFFBD13-B26F-4F3A-BED9-03850001EDA1</s:key>
</s:dict>
</content>
</entry>
POST
Create a new token.
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Datatype | Default | Description |
|---|---|---|---|
| name | String | None | Required. Name for the token to create. |
| token | String | None | Optional. Token value to use. If unspecified, a token is generated automatically. |
Returned values
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken -d "name=tok1" -d "token=99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF"
XML Response
<title>splunktcptoken</title>
<id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
<updated>2015-09-16T09:27:03-07:00</updated>
<generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>splunktcptoken://tok1</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
<updated>2015-09-16T09:27:03-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
</s:dict>
</content>
</entry>
data/inputs/tcp/splunktcptoken/{name}
https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken/{name}
Manage existing receiver tokens.
Authentication and Authorization
The edit_splunktcp_token capability is required for this endpoint.
GET
Access token information.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/splunktcptoken
XML Response
...
<title>splunktcptoken</title>
<id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
<updated>2015-09-16T09:28:22-07:00</updated>
<generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>splunktcptoken://tok1</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
<updated>2015-09-16T09:28:22-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>token</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
</s:dict>
</content>
</entry>
POST
Update the {name} token.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| token | String | None | New token value. |
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken/tok1
XML Response
...
<title>splunktcptoken://tok1</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
<updated>2015-09-16T09:28:22-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>token</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="host">$decideOnStartup</s:key>
<s:key name="index">default</s:key>
<s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
...
DELETE
Delete the {name} token.
Request parameters
None.
Returned values
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
Example request and response
XML Request
curl -k -X "DELETE" -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken/tok1
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>splunktcptoken</title>
<id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
<updated>2015-09-16T09:34:51-07:00</updated>
<generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
<link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
data/inputs/tcp/ssl
https://<host>:<mPort>/services/data/inputs/tcp/ssl
Provides access to the SSL configuration of a Splunk server.
GET
Get SSL configuration details. There is only one SSL configuration for all input ports.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| cipherSuite | Specifies list of acceptable ciphers to use in ssl. |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:02:58-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title/>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
<updated>2011-07-12T15:02:58-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/tcp/ssl/{name}
https://<host>:<mPort>/services/data/inputs/tcp/ssl/{name}
Access or update the SSL configuration for the {name} host.
GET
Returns the SSL configuration for the host {name}.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| cipherSuite | Specifies list of acceptable ciphers to use in ssl. |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:04:41-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title/>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
<updated>2011-07-12T15:04:41-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Configure SSL for the {name} host.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| password | String | Server certificate password, if any. | |
| requireClientCert | Boolean | Determines whether a client must authenticate. | |
| rootCA | String | Certificate authority list (root file) | |
| serverCert | String | Full path to the server certificate. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl -d disabled=true
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:05:42-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/udp
https://<host>:<mPort>/services/data/inputs/udp
Access or create UDP data inputs.
GET
List enabled and disabled UDP data inputs.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
|
| group | Set to listenerports for listening ports.
|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/udp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/services/data/inputs/udp</id>
<updated>2011-07-08T14:11:57-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/udp/_new" rel="create"/>
<link href="/services/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44000</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44000</id>
<updated>2011-07-08T14:11:57-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create a new UDP data input.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates if the input is disabled. | |
| host | String | The value to populate in the host field for incoming events.
This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. | |
| index | String | default | Which index events from this input should be stored in. |
| name | String | Required. The UDP port that this input should listen on. | |
| no_appending_timestamp | Boolean | If set to true, prevents Splunk software from prepending a timestamp and hostname to incoming events. | |
| no_priority_stripping | Boolean | If set to true, Splunk software does not remove the priority field from incoming syslog events. | |
| queue | String | Which queue events from this input should be sent to. Generally this does not need to be changed. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here.
If this is not set, the value specified in | |
| source | String | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp -d name=44321
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:13-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/udp/{name}
https://<host>:<mPort>/services/data/inputs/udp/{name}
Manage the {name} UDP host or port.
DELETE
Disable the named UDP data input and remove it from the configuration.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
List the properties of a single UDP data input port or host:port {name}.
Usage details
If port is restricted to a host, {name} should be URI-encoded host:port.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:27-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44321</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321</id>
<updated>2011-07-08T14:12:27-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>connection_host</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>no_appending_timestamp</s:item>
<s:item>no_priority_stripping</s:item>
<s:item>queue</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Edit properties of the named UDP data input.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates if the input is disabled. | |
| host | String | The value to populate in the host field for incoming events.
This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. | |
| index | String | default | Which index events from this input should be stored in. |
| no_appending_timestamp | Boolean | If set to true, prevents Splunk software from prepending a timestamp and hostname to incoming events. | |
| no_priority_stripping | Boolean | If set to true, Splunk software does not remove the priority field from incoming syslog events. | |
| queue | String | Which queue events from this input should be sent to. Generally this does not need to be changed. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here.
If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used. | |
| source | String | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321 -d sourcetype=syslog
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:47-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
data/inputs/udp/{name}/connections
https://<host>:<mPort>/services/data/inputs/udp/{name}/connections
List connections to the {name} host or port.
GET
List connections to the {name} host or port.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/9998/connections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-13T17:08:18-07:00</updated>
<generator version="103477"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>127.0.0.1</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/127.0.0.1</id>
<updated>2011-07-13T17:08:18-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">hosts</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-event-log-collections
https://<host>:<mPort>/services/data/inputs/win-event-log-collections
Provides access to all configured event log collections.
GET
Retrieve a list of configured event log collections.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| lookup_host | String | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Hosts you are monitoring. |
| index | Index to store data.
If not specified defaults to the default index. |
| logs | List of event log channels to monitor. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/win-event-log-collections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T11:26:47-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/services/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T11:26:47-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create or modify existing event log collection settings.
Usage details
You can configure both native and WMI collections with this endpoint.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| hosts | String | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. | |
| index | String | default | The index in which to store the gathered data. |
| logs | String | List of event log names from which to gather data:
| |
| lookup_host | String | Required. Host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter. | |
| name | String | Required. Collection name. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI. |
Returned values
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Monitored hosts. |
| index | Index to store data. |
| logs | List of event log channels to monitor. |
| lookup_host | Host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections -d lookup_host=localhost -d name=mylogs -d logs=Application,System
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T11:56:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T11:56:24-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">localhost</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-event-log-collections/{name}
https://<host>:<mPort>/services/data/inputs/win-event-log-collections/{name}
Manage the {name} Windows event log.
DELETE
Deletes an event log collection.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T13:45:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Gets event log collection configurations.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| lookup_host | String | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
Returned values
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Monitored hosts. |
| index | Index to store data.
If not specified defaults to the default index. |
| logs | List of event log channels to monitor. |
| lookup_host | Host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T12:00:38-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>mylogs</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs</id>
<updated>2011-07-27T12:00:38-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>hosts</s:item>
<s:item>index</s:item>
<s:item>logs</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>lookup_host</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="hosts"/>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application,System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">mylogs</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Modify an existing event log collection.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| hosts | String | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. | |
| index | String | default | The index in which to store the gathered data. |
| logs | String | A comma-separated list of event log names to gather data from. | |
| lookup_host | String | Required. This is a host from which we monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter. |
Returned values
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Monitored hosts. |
| index | Index to store data. |
| logs | List of event log channels to monitor. |
| lookup_host | Host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs -d lookup_host=localhost -d logs=Application
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T13:43:46-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T13:43:46-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">localhost</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-wmi-collections
https://<host>:<mPort>/services/data/inputs/win-wmi-collections
Access configured WMI collections.
GET
Access configured WMI collections.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| class | The WMI performance object class being monitored. |
| disabled | Indicates whther the input is disbled. |
| fields | The WMI performance counters being monitored. |
| index | The index to which you are sending input data. |
| instances | Instances of the WMI performance counter. |
| interval | The interval, in seconds, at which the WMI provider(s) are queried. |
| name | the name of the input. |
| server | The server you are monitoring. |
| wql | The actual WQL query for monitoring the performance object. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/win-wmi-collections
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:00:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/services/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>CPUTime</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
<updated>2011-07-27T14:00:24-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="class">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="fields">
<s:list>
<s:item>PercentProcessorTime</s:item>
<s:item>PercentUserTime</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list>
<s:item>_Total</s:item>
</s:list>
</s:key>
<s:key name="interval">3</s:key>
<s:key name="name"/>
<s:key name="server">localhost</s:key>
<s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Create or modify existing WMI collection settings.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| classes | String | Required. A valid WMI class name. | |
| disabled | Number | 0 |
Disables the given collection. |
| fields | String | 1. * |
Properties (fields) that you want to gather from the given class.
Specify each property as a separate argument to the POST operation. |
| index | String | default |
The index in which to store the gathered data. |
| instances | String | empty |
Instances of a given class for which data is gathered.
Specify each instance as a separate argument to the POST operation. |
| interval | Number | Required. The interval, in seconds, at which the WMI provider(s) is queried. | |
| lookup_host | String | Required. This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter. | |
| name | String | Required. This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. | |
| server | String | localhost |
A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host. |
Returned values
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) is queried. |
| lookup_host | Host from which to monitor log events. |
| server | Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d name=cpu
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:05:43-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>CPUTime</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
<updated>2011-07-27T14:05:43-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="index">default</s:key>
<s:key name="interval">3</s:key>
<s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-wmi-collections/{name}
https://<host>:<mPort>/services/data/inputs/win-wmi-collections/{name}
Manage the {name} WMI collection.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given collection. | XML, JSON |
| GET | Gets information about a single collection. | XML, JSON |
| POST | Modifies a given WMI collection. | XML, JSON |
DELETE
Delete a given collection.
Usage details
The method returns HTTP status code = 400, if {name} does not exist.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:21:17-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Get information about a single collection.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) is queried. |
| lookup_host | Host from which to monitor log events. |
| name | Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
| server | Servers frpm which to gather data from. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:09:39-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>cpu</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
<updated>2011-07-27T14:09:39-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>fields</s:item>
<s:item>index</s:item>
<s:item>instances</s:item>
<s:item>server</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>classes</s:item>
<s:item>interval</s:item>
<s:item>lookup_host</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="fields">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">5</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">cpu</s:key>
<s:key name="server"/>
<s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Modify a collection.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| classes | String | Required. A valid WMI class name. | |
| disabled | Number | Disables the given collection. | |
| fields | String | Properties (fields) that you want to gather from the given class.
Specify each property as a separate argument to the POST operation. | |
| index | String | The index in which to store the gathered data. | |
| instances | String | Instances of a given class for which data is gathered.
Specify each instance as a separate argument to the POST operation. | |
| interval | Number | Required. The interval, in seconds, at which the WMI provider(s) is queried. | |
| lookup_host | String | Required. This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter. | |
| server | String | A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter. |
Returned values
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) are queried. |
| lookup_host | Host from which to monitor log events. |
| name | Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
| server | Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d server=xx.1.5.157,10.1.5.158
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:15:33-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>cpu</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
<updated>2011-07-27T14:15:33-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="fields">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">5</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">cpu</s:key>
<s:key name="server"/>
<s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-perfmon
https://<host>:<mPort>/services/data/inputs/win-perfmon
Access and manage performance monitoring configurations. This input allows you to poll Windows performance monitor counters.
GET
Get current performance monitoring configuration details.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How often, in seconds, to poll for new data. |
| nonmetric_counters | List of valid Performance Monitor counters. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/inputs/win-perfmon
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:42:06-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/services/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:42:06-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">
<s:list>
<s:item>Available Bytes</s:item>
</s:list>
</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Update performance monitoring collection settings.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| counters | String | A set of counters to monitor. A '*' is equivalent to all counters.
Specify each counter as a separate argument to the POST operation. | |
| host | String | Docs-W8R2-Std7 | Name of the host for the Windows Performance Monitor. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | A set of counter instances to monitor. A '*' is equivalent to all instances.
Specify each instance as a separate argument to the POST operation. | |
| interval | Number | How frequently, in seconds, to poll for new data. | |
| name required |
String | This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. | |
| object | String | A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.') | |
| source | String | Source for inputs. | |
| sourcetype | String | Source type of input. |
Returned values
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| host | Name of the host for the Windows Performance Monitor. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How frequently, in seconds, to poll for new data. |
| nonmetric_counters | List of valid Performance Monitor counters. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
| source | Source for inputs. |
| sourcetype | Source type of the input. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon -d interval=4 -d name=mymemory -d object=Memory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:40:38-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:40:38-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">Available Bytes</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="instances"/>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
data/inputs/win-perfmon/{name}
https://<host>:<mPort>/services/data/inputs/win-perfmon/{name}
Manage the {name} performance monitoring stanza.
DELETE
Delete a given monitoring stanza.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:47:06-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
GET
Get settings for a given performance stanza.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How often, in seconds, to poll for new data. |
| nonmetric_counters | List of valid Performance Monitor counters. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:44:21-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>mymemory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory</id>
<updated>2011-07-29T19:44:21-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">
<s:list/>
</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>counters</s:item>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>instances</s:item>
<s:item>interval</s:item>
<s:item>object</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">4</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Modify an existing monitoring stanza.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| counters | String | A set of counters to monitor. A '*' is equivalent to all counters.
Specify each counter as a separate argument to the POST operation. | |
| host | String | Docs-W8R2-Std7 | Name of the host for the Windows Performance Monitor. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | A set of counter instances to monitor. A '*' is equivalent to all instances.
Specify each instance as a separate argument to the POST operation. | |
| interval | Number | How frequently, in seconds, to poll for new data. | |
| object | String | A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.') | |
| source | String | Source for inputs. | |
| sourcetype | String | Source type of input. |
Returned values
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| host | Name of the host for the Windows Performance Monitor. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How frequently, in seconds, to poll for new data. |
| nonmetric_counters | List of valid Performance Monitor counters. |
| object | A valid Performance Monitor object as defined within Performance Monitor, |
| source | Source for inputs. |
| sourcetype | Source type of the input. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory -d interval=10
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:45:59-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:45:59-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">Available Bytes</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="instances"/>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
data/modular-inputs
https://<host>:<mPort>/services/data/modular-inputs
Access currently defined modular inputs on the system.
For more information, refer to Modular inputs: Introspection scheme details in Developing Views and Apps for Splunk Web.
GET
Get information about configured modular inputs.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
| Name | Description |
|---|---|
| description | Provides descriptive text for title shown on the Data inputs manager page.
The description also appears on the Add new data inputs page. |
| endpoint | Contains one or more <arg> elements, which define the parameters to an endpoint. |
| streaming_mode | Indicates the streaming mode for the modular input. Valid values are xml and simple.
|
| title | The label for a modular input script. The title appears on the Data inputs manager page. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/modular-inputs
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>modular-inputs</title>
<id>https://localhost:8089/services/data/modular-inputs</id>
<updated>2012-07-09T09:12:41-07:00</updated>
<generator build="129290" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>s3</title>
<id>https://localhost:8089/services/data/modular-inputs/s3</id>
<updated>2012-07-09T09:12:41-07:00</updated>
<link href="/services/data/modular-inputs/s3" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/modular-inputs/s3" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="description">Get data from Amazon S3.</s:key>
... eai:acl node elided ...
<s:key name="endpoint">
<s:dict>
<s:key name="args">
<s:dict>
<s:key name="key_id">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Amazon key ID.</s:key>
<s:key name="order">1</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Key ID</s:key>
</s:dict>
</s:key>
<s:key name="name">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description"><![CDATA[An S3 resource name without the leading s3://. For example, for s3://bucket/file.txt specify bucket/file.txt. You can also monitor a whole bucket (for example by specifying 'bucket'), or files within a sub-directory of a bucket (for example 'bucket/some/directory/'; note the trailing slash).]]></s:key>
<s:key name="order">0</s:key>
<s:key name="title">Resource name</s:key>
</s:dict>
</s:key>
<s:key name="secret_key">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Amazon secret key.</s:key>
<s:key name="order">2</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Secret key</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="streaming_mode">xml</s:key>
<s:key name="title">Amazon S3</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>twitter</title>
<id>https://localhost:8089/services/data/modular-inputs/twitter</id>
. . . elided . . .
</entry>
</feed>
data/modular-inputs/{name}
https://<host>:<mPort>/services/data/modular-inputs/{name}
Get information about the {name} modular input.
GET
Get information about a modular input.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| description | The label for a modular input script.
The label appears in the Data inputs manager page. |
| endpoint | Contains one or more <arg> elements, which define the parameters to an endpoint. |
| streaming_mode | Indicates the streaming mode for the modular input. Valid values are xml or simple (plain text).
Contains one or more <arg> elements, which define the parameters to an endpoint. |
| title | The label for a modular input script. The label appears in the Data inputs manager page. |
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/data/modular-inputs/twitter
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>modular-inputs</title>
<id>https://localhost:8089/services/data/modular-inputs</id>
<updated>2012-07-09T11:07:29-07:00</updated>
<generator build="129290" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>twitter</title>
<id>https://localhost:8089/services/data/modular-inputs/twitter</id>
<updated>2012-07-09T11:07:29-07:00</updated>
<link href="/services/data/modular-inputs/twitter" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/modular-inputs/twitter" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="description">Get data from Twitter.</s:key>
... eai:acl and eai:attribute nodes elided ...
<s:key name="endpoint">
<s:dict>
<s:key name="args">
<s:dict>
<s:key name="name">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
<s:key name="order">0</s:key>
<s:key name="title">Twitter feed name</s:key>
</s:dict>
</s:key>
<s:key name="password">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your twitter password</s:key>
<s:key name="order">2</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Password</s:key>
</s:dict>
</s:key>
<s:key name="username">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Twitter ID.</s:key>
<s:key name="order">1</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Twitter ID/Handle</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="streaming_mode">simple</s:key>
<s:key name="title">Twitter</s:key>
</s:dict>
</content>
</entry>
</feed>
indexing/preview
https://<host>:<mPort>/services/indexing/preview
Preview events from a source file before you index the file.
The edit_monitor or edit_upload_and_index capabilities are required for this endpoint.
GET
Return a list of all data preview jobs.
Usage details
Data returned includes the Splunk management URI to access each preview job.
You can check the status of a data preview job with GET request to /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. You can also use the data preview job ID as the search_id parameter in a GET request to /search/jobs/{search_id}/results_preview to preview events from the source file.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/indexing/preview
XML Response
<title>preview</title>
<id>https://localhost:8089/services/indexing/preview</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<generator version="108769"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>1322518170.8</title>
<id>https://localhost:8089/services/indexing/preview/1322518170.8</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322518170.8" rel="alternate"/>
<link href="/services/search/jobs/1322518170.8" rel="job"/>
</entry>
<entry>
<title>1322519686.9</title>
<id>https://localhost:8089/services/indexing/preview/1322519686.9</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322519686.9" rel="alternate"/>
<link href="/services/search/jobs/1322519686.9" rel="job"/>
</entry>
<entry>
<title>1322519724.10</title>
<id>https://localhost:8089/services/indexing/preview/1322519724.10</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322519724.10" rel="alternate"/>
<link href="/services/search/jobs/1322519724.10" rel="job"/>
</entry>
POST
Create a preview data job for the specified source file, returning the preview data job ID.
Usage details
Typically, you first examine preview data events returned from GET /search/jobs/{job_id}events. Then you define new sourcetypes as needed with this endpoint.
Use the POST operation to create a data preview job and return the corresponding data preview job ID. Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.
You can optionally define sourcetypes for a preview data job in props.conf.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| input.path | String | Required. The absolute file path to a local file that you want to preview data returned from indexing. | |
| props.<props_attr> | String | Define a new sourcetype in props.conf for preview data that you are indexing. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/indexing/preview -d input.path=/Applications/splunk/var/log/splunk/metrics.log
XML Response
<response>
<messages>
<msg type='INFO'>1319496093.11</msg>
</messages>
</response>
indexing/preview/{job_id}
https://<host>:<mPort>/services/indexing/preview/{job_id}
Get props.conf file settings for the {job_id} job.
GET
Get props.conf file settings for a job.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -u admin:pass https://localhost:8089/services/indexing/preview/1319496093.11
XML Response
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>1319496093.11</title>
<id>https://localhost:8089/services/indexing/preview/1319496093.11</id>
<updated>2011-10-24T15:44:09-07:00</updated>
<link href="/services/indexing/preview/1319496093.11" rel="alternate"/>
<content type="text/xml">
<s:dict>
<s:key name="explicit">
<s:dict>
<s:key name="PREFERRED_SOURCETYPE">
<s:dict>
<s:key name="value">splunkd</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="inherited">
<s:dict>
<s:key name="ANNOTATE_PUNCT">
<s:dict>
<s:key name="value">True</s:key>
<s:key name="stanza">default</s:key>
</s:dict>
</s:key>
. . . elided . . .
<s:key name="sourcetype">
<s:dict>
<s:key name="value">splunkd</s:key>
<s:key name="stanza">source::.../var/log/splunk/metrics.log(.\d+)?</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
<link href="/services/search/jobs/1319496093.11" rel="job"/>
</entry>
receivers/simple
https://<host>:<mPort>/services/receivers/simple
Allows for sending events to Splunk in an HTTP request.
Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.
POST
Create events from the contents contained in the HTTP body.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| <arbitrary_data> | String | Required. Raw event text. This is the entirety of the HTTP request body. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | A regular expression used to extract the host value from each event. | |
| index | String | default | The destination index where events are sent. |
| source | String | The source value to fill in the metadata for this input's events. | |
| sourcetype | String | The sourcetype to apply to events from this input. |
Returned values
None
Example request and response
XML Request
curl -u admin:pass "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" -d "Sun Jul 10 15:56:02 PDT 2011 User myusername logged in successfully."
XML Response
<response>
<results>
<result>
<field k="_index">
<value>
<text>default</text>
</value>
</field>
<field k="bytes">
<value>
<text>67</text>
</value>
</field>
<field k="host">
<value>
<text>127.0.0.1</text>
</value>
</field>
<field k="source">
<value>
<text>www</text>
</value>
</field>
<field k="sourcetype">
<value>
<text>web_event</text>
</value>
</field>
</result>
</results>
</response>
receivers/stream
https://<host>:<mPort>/services/receivers/stream
Open a socket to receive streaming data.
Authentication and authorization
The edit_tcp or edit_tcp_stream capabilities are required for this endpoint.
POST
Create events from the stream of data following HTTP headers.
Usage details
Data transfer continues until you enter <CTRL-C>.
For streaming connections, set streaming and x-splunk-input-mode arguments in the header.
For HTTP uploads, if the caller passes a content-type of "multipart/form data", the HTTP file upload protocol is used and files are indexed.
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| <data_stream> | String | Required. Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | A regular expression used to extract the host value from each event. | |
| index | String | The index to send events from this input to. | |
| source | String | The source value to fill in the metadata for this input's events. | |
| sourcetype | String | The sourcetype to apply to events from this input. |
Returned values
None
Example
Python Request
import httplib, time
conn = httplib.HTTPSConnection("localhost", 8089)
conn.connect()
conn.putrequest("POST", "/services/receivers/stream?source=www&sourcetype=web_data")
conn.putheader("Authorization", "Splunk 67bed982ce1af9ba2e393b15ed63c916")
conn.putheader("x-splunk-input-mode", "streaming")
conn.endheaders()
i = 0
while i < 100:
conn.send("%s A sample event (idx: %s).\n" % (time.asctime(), i))
time.sleep(1)
i += 1
conn.close()
server/pipelinesets
https://<host>:<mPort>/services/server/pipelinesets
Provides information on the ingestion pipeline sets on an indexer.
Authentication and authorization
The list_pipeline_sets capability is required for this endpoint.
Usage details
See Manage pipeline sets for index parallelization in Managing Indexers and Clusters of Indexers.
GET
Query the status of pipeline sets.
Request parameters
None
Returned values
| Name | Description |
|---|---|
| busiest_thread_name | The name of the busiest pipeline thread within the pipeline set for past calculation period. |
| dutycycle_ratio | The dutycycle ratio of the busiest pipeline thread within the pipeline set for past calculation period. |
| requests_last_period | The number of ingestion requests processed by the pipeline set in the past calculation period. |
| share | The relative probability of selection of the pipeline set for the past calculation period. |
Example request and response
XML Request
curl -k -u admin:changeme https://ronnie:8178/services/server/pipelinesets
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>server-pipeline-sets</title>
<id>https://ronnie:8178/services/server/pipelinesets</id>
<updated>2019-02-20T12:24:55-08:00</updated>
<generator build="62a7f5ca3846ba6f152b123cfab9d4432e97a4a2" version="20190219"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>ingest_pipe_0</title>
<id>https://ronnie:8178/services/server/pipelinesets/ingest_pipe_0</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/server/pipelinesets/ingest_pipe_0" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/pipelinesets/ingest_pipe_0" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="busiest_thread_name">indexerPipe</s:key>
<s:key name="dutycycle_ratio">0.0017552064875708618</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="requests_last_period">0</s:key>
<s:key name="share">1</s:key>
</s:dict>
</content>
</entry>
</feed>
services/collector
<protocol>://<host>:<mPort>/services/collector
Send events to HTTP Event Collector using the Splunk platform JSON event protocol.
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Note: When using an ACK-enabled token, an ackID is returned within a JSON object in the response. For example, {"ackID": "0"} indicates an ackID of 0. Use the ackID to query the services/collector/ack endpoint to verify event indexing. For more information, see services/collector/ack.
Authorization
Requires an HTTP Event Collector token or basic auth, as defined in RFC 1945. See request examples for more details.
See also
- data/inputs/http
- data/inputs/http/{name}
- data/inputs/http/{name}/disable
- data/inputs/http/{name}/enable
POST
Send events to the HTTP Event Collector.
Usage details
HTTP Event Collector functionality must be enabled to send events.
To send events to the HTTP Event Collector, you must provide an HTTP Event Collector token in the authorization header. The token is created using the data/inputs/http endpoint. You can then retrieve the token with a GET request on the data/inputs/http/{name} endpoint, where {name} is the name of your token. Include the authentication token in the request header using the following format: Authorization: Splunk <token>. The format is case-sensitive.
Use the Splunk search application to view the logged events. For example, use
index=main | search sourcetype=access to view all logged events with a sourcetype of access.
For performance reasons, the data input endpoint follows a simple error handling model. It assumes that in most cases it receives a well-formed event data payload. If there is malformed event data in the payload, events continue to be extracted until an error is encountered. Processing stops immediately on an error and the error and number of payload events processed successfully are reported. Events processed before the error are sent to indexers and all events after the first error are dropped.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| channel | See description | Required if useAck is enabled. Pass in the channel GUID as a string parameter or using the "x-splunk-request-channel" header.
|
| event | string | Required. Event payload key-value. Value can be a string or a JSON object. JSON example: |
| fields | JSON object | Fields for indexing that do not occur in the event payload itself. You can use this parameter when you do not want particular fields to be included in the event data, but you need additional metadata for indexing and searching. Specify one or more additional fields to include for indexing with the event payload. For each field, use a key to specify the name and include one or more values. Specify multiple values in an array. In the following example, the "severity" field gets the value "INFO" and the "category" key gets both "foo" and "bar" values.
-d {"event": "something happened", "fields": {"severity": "INFO", "category": ["foo", "bar"]}}
|
| host | string | Host name. Specify with the host query string parameter. Sets a default for all events in the request. The default host name can be overridden. |
| index | string | Index name. Specify with the index query string parameter. Sets a default for all events in the request. The default index name can be overridden. |
| source | string | User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden. |
| sourcetype | string | User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden. |
| time | string or unsigned integer | Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden. For more information about formatting, see Format events for HTTP Event Collector. |
Returned values
| Name | Description |
|---|---|
| text | Human readable status, same value as code. |
| code | Machine format status, same value as text. |
| invalid-event-number | When errors occur, indicates the zero-based index of first invalid event in an event sequence. |
| ackId | If useACK is enabled for the token, indicates the ackId to use for checking an indexer acknowledgement.
|
Response status codes
The following status codes have particular meaning for all HTTP Event Collector endpoints:
| Status Code | HTTP status code ID | HTTP status code | Status message |
|---|---|---|---|
| 0 | 200 | OK | Success
|
| 1 | 403 | Forbidden | Token disabled
|
| 2 | 401 | Unauthorized | Token is required
|
| 3 | 401 | Unauthorized | Invalid authorization
|
| 4 | 403 | Forbidden | Invalid token
|
| 5 | 400 | Bad Request | No data
|
| 6 | 400 | Bad Request | Invalid data format
|
| 7 | 400 | Bad Request | Incorrect index
|
| 8 | 500 | Internal Error | Internal server error
|
| 9 | 503 | Service Unavailable | Server is busy
|
| 10 | 400 | Bad Request | Data channel is missing
|
| 11 | 400 | Bad Request | Invalid data channel
|
| 12 | 400 | Bad Request | Event field is required
|
| 13 | 400 | Bad Request | Event field cannot be blank
|
| 14 | 400 | Bad Request | ACK is disabled
|
| 15 | 400 | Bad Request | Error in handling indexed fields
|
| 16 | 400 | Bad Request | Query string authorization is not enabled
|
Example response messages
Success:
{"text":"Success","code":0}
Failure:
{"text":"Incorrect data format","code":5,"invalid-event-number":0}
Example request and response
JSON Request
curl https://localhost:8089/services/collector -H 'Authorization: Splunk 3DEA16E1-413A-46C2-A74F-E79DC3DF3CA2' -d '{"sourcetype":"access", "source":"/var/log/access.log", "event": {"message":"Access log test message"}} {"sourcetype":"access", "source":"/var/log/access.log", "event": {"message":"Access log test message 2"}}'
JSON Response
{"text":"Success","code":0}
JSON Response
For index=main | search sourcetype=access
Time Event
1/26/15
10:07:09.000 PM
{ [-]
message: Access log test message 2
}
1/26/15
10:07:09.000 PM
{ [-]
message: Access log test message
}
Request including the fields parameter
curl https://localhost:8088/services/collector?
-H 'Authorization: Splunk 46931F1C-352C-4DF6-820C-F2689CF88494'
-d '{"event":"something happened", "fields":{"severity":"INFO", "category":["foo","bar"]}}'
Basic auth request
curl -u x:46931F1C-352C-4DF6-820C-F2689CF88494 https://localhost:8088/services/collector/JSON -d 'Hello World'
services/collector/ack
<protocol>://<host>:<mPort>/services/collector/ack
Query event indexing status.
For events sent using HTTP Event Collector, check event indexing status. Requests must use a valid channel ID and authorization token with useACK enabled. An event ACK ID, returned in response to a POST to services/collector, is also required.
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Authentication and authorization
Requires an HTTP Event Collector <Token>.
GET
Get HTTP Event Collector event indexing status.
Request parameters
| Parameter | Datatype | Description |
|---|---|---|
| channel | See description | Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
|
"acks"
|
JSON object | Required. JSON object with an array of ack ID values. Include in the request payload. |
Returned values
| Name | Description |
|---|---|
| acks | Contains the key/value pairs for each ACK ID requested. For each key in the "acks" object, a true value means the ACK ID's events were indexed. A false value means that indexing status is unknown. For example, an event may have an indexing delay long enough that it is no longer tracked.Here is an example response. |
Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.
Example requests and responses
For application token = B48F6736-479F-486B-96F9-3EF8C6378E70.
Note: useACK must be enabled on the token for use with this endpoint.
JSON request
curl https://localhost:8088/services/collector/ack?channel=2AC79941-CB26-421C-8826-F57AE23E9702 -H "Authorization: Splunk B48F6736-479F-486B-96F9-3EF8C6378E70" -d '{"acks":[0,1]}'
JSON response body
{"acks":{"0":true,"1":true}}
services/collector/event
Sends timestamped events to HTTP Event Collector using the Splunk platform JSON event protocol when auto_extract_timestamp is set to "true" in the /event URL.
- An example of a timestamp is: 2017-01-02 00:00:00.
- If there is a timestamp in the event's JSON envelope, Splunk honors that timestamp first.
- If there is no timestamp in the event's JSON envelope, the merging pipeline extracts the timestamp from the event.
- If "time=xxx" is used in the /event URL then
auto_extract_timestampis disabled. - Splunk supports timestamps using the Epoch format.
services/collector/event/1.0
This endpoint works identically to services/collector/event but introduces a protocol version for future scalability. For more information, see services/collector.
services/collector/health
<protocol>://<host>:8088/services/collector/health
This endpoint checks if HEC is healthy and able to accept new data from a load balancer.
When there is no optional parameter defined, the default query string is services/collector/health. In this case, the service will check the status of the HttpInputQueue for all tokens.
When ack is defined, the query string is either set to services/collector/health?ack=true or services/collector/health?ack=1.The service will check the status of the HttpInputQueue for all tokens, and the overall health of the AckService.
When a token is defined, the query string is set to services/collector/health?token=<token>. The service will check whether HttpInputQueue is able to accept further data using that specific token.
When both a token and ack are defined, the query string is set to services/collector/health?ack=true&token=<token>. The service will check whether HttpInputQueue is able to accept further data using that specific token, and the overall health of the AckService. This operation will run even if ack is disabled for the specified token. To check whether a specific token has ack enabled or disabled, see About HTTP Event Collector Indexer Acknowledgment in the Getting Data In manual to learn more about useAck status.
In this context, the overall health of the AckService refers to checking three things:
max_number_of_acked_requests_pending_query_per_ack_channel: the number of acks inside each channel- If backpressureState is
disabled(which is the default and existing state), the AckService is unhealthy when at least one channel is full. - If backpressureState is
warn_at_80, the AckService is unhealthy when every channel is full.
- If backpressureState is
max_number_of_ack_channel: maximum number of ack channels- ack is unhealthy when the number of channels meets or exceeds this number
- max_number_of_acked_requests_pending_query: number of acks across all channels
- ack is unhealthy when the number of pending requests meets or exceeds this number
Usage details
Port and protocol
By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Response codes
| Status Code | Description |
|---|---|
| 200 | HEC is available and accepting input |
| 17 | HEC is available and accepting input |
| 503 | HEC is unhealthy, queues are full |
services/collector/health/1.0
<protocol>://<host>:8088/services/collector/health/1.0
This endpoint checks if HEC is healthy and able to accept new data from a load balancer. HEC health is determined if there is space available in the queue.
This endpoint works identically to services/health but introduces a protocol version for future scalability. For more information, see services/collector/health.
Usage details
Port and protocol
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Response codes
| Status Code | Description |
|---|---|
| 200 | HEC is available and accepting input |
| 17 | HEC is available and accepting input |
| 503 | HEC is unhealthy, queues are full |
services/collector/mint
<protocol>://<host>:<mPort>/services/collector/mint
Post MINT formatted data to the HTTP Event Collector. The authorization header contains the authorization scheme and application token. The HTTP POST body contains event data in the MINT payload format.
Authentication and authorization
Requires an HTTP Event Collector <token>.
Note: By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
POST
Post MINT formatted data.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| host | String | Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden. |
| index | String | Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden. |
| source | String | User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden. |
| sourcetype | string | User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden. |
| time | string or unsigned integer | Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden. |
Returned values
None
Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.
Example request and response
Observe that the POST request is made to port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
MINT
For application token = B5A79AAD-D822-46CC-80D1-819F80D7BFB0
MINT Request
curl http://localhost:8088/services/collector/mint -H 'Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0' -d '{"data":"hello"}{^1^log^1433256}'
services/collector/mint/1.0
This endpoint works identically to receivers/token/mint but introduces a protocol version for future scalability.
[ Top ]
services/collector/raw
<protocol>://<host>:<mPort>/services/collector/raw
Send raw data directly to the HTTP Event Collector. This endpoint allows one or more raw events to be sent in a single request. Events are parsed using regex or JSON extraction. JSON field extraction works at index time.
Usage details
Channel
This endpoint requires a data channel GUID to differentiate data from different clients. Generate a GUID and provide it in a POST request as a custom HTTP header or as a parameter.
If a channel is not provided in the POST request, an error response is sent. Only valid GUIDs can be used. An error message is returned if GUID validation fails.
Port and protocol
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Authentication and authorization
Requires an HTTP Event Collector token or basic auth, as defined in RFC 1945. See request examples for more details.
POST
Send raw data to the to the indexer queue. Requires a data channel GUID, provided as a custom HTTP header or request parameter.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| channel | See description. | Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
|
| host | String | Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden. |
| index | String | Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden. |
| source | String | User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden. |
| sourcetype | string | User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden. |
| time | string or unsigned integer | Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden. |
Returned values
None
Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.
Example request and response
Note that the following POST request examples are made to port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Simple request
This example passes the channel ID as part of the header.
curl https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d 'Hello World'}'
Request including a timestamp
curl https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB -H 'Authorization: Splunk 934793C0-FC91-467E-965A-7EAACEFBC4AB' -d 'Wed Aug 10 12:27:53 PDT 2016 Hello World'
JSON request with timestamp
curl https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB
-H 'Authorization: Splunk 934793C0-FC91-467E-965A-7EAACEFBC4AB'
-d '{"message":"Hello World", "date":"Wed Aug 10 12:27:53 PDT 2016"}'
Basic auth request
curl -u x:46931F1C-352C-4DF6-820C-F2689CF88494 https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB -d 'Hello World'
Example JSON Response
{"text":"Success","code":0}
services/collector/raw/1.0
This endpoint works identically to services/collector/raw but introduces a protocol version for future scalability. See services/collector/raw.
services/collector/s2s
Compatible with Splunk Enterprise versions 8.1.0 and higher
<protocol>://<host>:8088/services/collector/s2s
This endpoint receives Splunk TCP data over HTTP from the Splunk Universal Forwarder. Compatible with Splunk 8.1.0 and later.
Usage details
Port and protocol
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Response codes
| Status Code | Description |
|---|---|
| 200 | HEC is available and accepting input |
| 400 | Invalid HEC token |
| 503 | HEC is unhealthy, queues are full |
Last modified on 17 March, 2025
| Federated search endpoint descriptions | Introspection endpoint descriptions |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!