Related Answers
Download topic as PDF
Input endpoint descriptions
Manage and preview input data, including:
- Non-streaming data
- Streaming data
- Note: Username and password authentication is required for most endpoints and REST operations. Additional capability or role-based authorization may also be required, particularly for POST or DELETE operations.
data/inputs/ad
https://<host>:<mPort>/services/data/inputs/ad
Description
Provides access to Active Directory monitoring input.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Gets current active directory monitoring configuration. | XML, JSON |
| POST | Creates new or modifies existing performance monitoring settings. | XML, JSON |
GET data/inputs/ad method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| disabled | Indicates whether this input is disabled. |
| index | The index in which to store the gathered data.
If no value is present, send data to the default index. |
| monitorSubtree | Indicates whether or not to monitor the subtrees of a given Active Directory tree path. |
| startingNode | Tells Splunk Enterprise where in the Active Directory directory tree to start monitoring.
If not specified, Splunk Enterprise attempts to start at the root of the directory tree. The user that you configure Splunk Enterprise to run as at installation determines where Splunk software starts monitoring. |
| targetDc | Fully qualified domain name of a valid, network-accessible Active Directory domain controller.
If not specified, Splunk Enterprise obtains the local computer DC by default, and binds to its root Distinguished Name (DN). |
POST data/inputs/ad method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Boolean | Indicates whether to query baseline objects. Defaults to true.
Baseline objects are objects which currently reside in Active Directory and include previously deleted objects. | |
| host | String | Docs-W8R2-Std7 | Host name for the Active Directory Monitor. |
| index | String | default | The index in which to store the gathered data.
If not specified defaults to the default index. |
| monitorSubtree required |
Number | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. | |
| name required |
String | A unique name that represents a configuration or set of configurations for a specific domain controller. | |
| printSchema | Boolean | Indicates whether to print the Active Directory schema. Defaults to true. | |
| source | String | Source for data inputs. | |
| sourcetype | String | Source type of data inputs. | |
| startingNode | String | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. | |
| targetDc | String | Specifies a fully qualified domain name of a valid, network-accessible domain controller. If not specified, Splunk Enterprise gets the local domain controller. |
Response data keys
None
[ Top ]
data/inputs/ad/{name}
https://<host>:<mPort>/services/data/inputs/ad/{name}
Description
Manage {name} active directory monitoring.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given active directory monitoring stanza. | XML, JSON |
| GET | Gets the current configuration for a given active directory monitoring stanza. | XML, JSON |
| POST | Modifies a given active directory monitoring stanza. | XML, JSON |
DELETE data/inputs/ad/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/ad/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| Attribute | Description |
| disabled | Indicates whether this input is disabled. |
| index | The index in which to store the gathered data.
If no value is present, send data to the default index. |
| monitorSubtree | Indicates whether or not to monitor the subtrees of a given Active Directory tree path. |
POST data/inputs/ad/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Boolean | Indicates whether to query baseline objects. Defaults to true.
Baseline objects are objects which currently reside in Active Directory and include previously deleted objects. | |
| host | String | Docs-W8R2-Std7 | Host name for the Active Directory Monitor. |
| index | String | default | The index in which to store the gathered data.
If not specified defaults to the default index. |
| monitorSubtree required |
Number | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. | |
| printSchema | Boolean | Indicates whether to print the Active Directory schema. Defaults to true. | |
| source | String | Source for data inputs. | |
| sourcetype | String | Source type of data inputs. | |
| startingNode | String | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. | |
| targetDc | String | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk Enterprise gets the local computer's DC. |
Response data keys
None
data/inputs/all
https://<host>:<mPort>/services/data/inputs/all
Description
Provides access to all inputs to the Splunk Enterprise server. This includes any modular inputs that may be defined on the system.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Lists all inputs, including modular inputs. | XML, JSON |
GET data/inputs/all method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| common | Boolean | Indicates whether to return only attributes commom to all inputs. These common attributes are:
|
Pagination and filtering parameters can be used with this method.
Response data keys
None
Returns an <entry> for each input, where <content> lists attributes specific to the input.
[ Top ]
data/inputs/all/{name}
https://<host>:<mPort>/services/data/inputs/all/{name}
Description
Get information about the {name} input source.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Lists details for inputs for the input source specified by {name}. | XML, JSON |
GET data/inputs/all/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| common | Boolean | Indicates whether to return only attributes commom to all inputs. These common attributes are:
|
Response data keys
None
[ Top ]
data/inputs/http
https://<host>:<mPort>/services/data/inputs/http
Authentication: Required
Description
Manage HTTP Event Collector global configuration tokens and application tokens.
GET returns a list of global and application-level configurations. POST can create new applications and modify them.
See also
- data/inputs/http/{name}
- data/inputs/http/{name}/enable
- data/inputs/http/{name}/disable
- collector/event
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Return global configuration and a list of tokens. | XML |
| POST | Modify global configuration, add and modify tokens. | XML |
GET data/inputs/http method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
See data/inputs/http/{name} for app-level response data keys.
POST data/inputs/http method detail
Global request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| dedicatedIoThreads | Number | 2 | Number of threads used by HTTP Input server. |
| disabled | Boolean | 1 | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| enableSSL | Boolean | 1 | Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled. |
| index | String | Index to store generated events. | |
| indexes | String | Set of indexes allowed for events with this token. | |
| maxSockets | Number | 0 | Maximum number of simultaneous HTTP connections accepted. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS. |
| maxThreads | Number | 0 | Maximum number of threads that can be used by active HTTP transactions. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS. |
| name required |
String | Token name (inputs.conf key) | |
| port |
Number | 8088 | HTTP data input IP port. |
| source | String | Default source for events with this token. | |
| sourcetype | String | Default sourcetype for events with this token. |
Application-level request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | 1 | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| index | String | Index to store generated events. | |
| indexes | String | Set of indexes allowed for events with this token. | |
| name required |
String | Token name (inputs.conf key) | |
| source | String | Default source for events with this token. | |
| sourcetype | String | Default sourcetype for events with this token. |
Global response data keys
| Name | Description |
|---|---|
| dedicatedIoThreads | Number of threads used by HTTP Input server. |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| enableSSL | Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| indexes | Set of indexes allowed for events with this token. |
| port |
HTTP data input IP port. |
| _rcvbuf | Socket receive buffer size (bytes). |
| source | Default source for events with this token. |
| sourcetype | Default sourcetype for events with this token. |
Application-level response data keys
| Name | Description |
|---|---|
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| _rcvbuf | Socket receive buffer size (bytes). |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
[ Top ]
data/inputs/http/{name}
https://<host>:<mPort>/services/data/inputs/http/{name}
Authentication: Required
Description
Manage the {name} HTTP Event Collector token. HTTP, as in data/inputs/http/http, indicates global configuration.
See also
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete token. | XML, JSON |
| GET | Get token configuration data. | XML, JSON |
| POST | Update token configuration data. | XML, JSON |
DELETE data/inputs/http/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/http/{name} method detail
Request parameters
None
Global response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| dedicatedIoThreads | Number of threads for HTTP event collector server. |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| enableSSL | SSL enablement status. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| port | HTTP data event collector IP port. |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
Application-level response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
POST data/inputs/http/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | 1 | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | String | Default host. | |
| index | String | Index to store generated events. | |
| indexes | String | Set of indexes allowed for events with this token. | |
| name required |
String | Token name (inputs.conf key) | |
| source | String | Default source for events with this token. | |
| sourcetype | String | Default sourcetype for events with this token. |
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Source for events with this token. |
| sourcetype | Sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
data/inputs/http/{name}/disable
https://<host>:<mPort>/services/data/inputs/http/{name}/disable
Authentication: Required
Description
Disable the {name} HTTP Event Collector token.
See also
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Disable the {name} HTTP Event Collector token. | XML, JSON |
POST data/inputs/http/{name}/disable method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Default source for events with this token. |
| sourcetype | Default sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
[ Top ]
data/inputs/http/{name}/enable
https://<host>:<mPort>/services/data/inputs/http/{name}/enable
Authentication: Required
Description
Enable the {name} HTTP Event Collector token.
See also
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Enable the {name} HTTP Event Collector token. | XML, JSON |
POST data/inputs/http/{name}/enable method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| source | Default source for events with this token. |
| sourcetype | Default sourcetype for events with this token. |
| token | Token value for sending data to collector/event endpoint. |
[ Top ]
data/inputs/http/{name}/rotate
https://<host>:<mPort>/services/data/inputs/http/{name}/rotate
Description
Regenerate the token value.
Supported operations
| Operation | Description | Formats |
|---|---|---|
| POST | Regenerate the token value. | XML, JSON |
POST data/inputs/http/{name}/rotate
Request parameters
None
Response keys
| Name | Description |
|---|---|
| token | Regenerated token value. |
Example request and response
POST data/inputs/http/{name}/rotate
XML Request
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/splunk_httpinput/data/inputs/http/my_app_name/rotate -X post
XML Response
<?xml version="1.0" encoding="UTF-8"?>
. . . . . .
<s:key name="token">64D47EC6-C510-4519-A520-EC4CAA157B97</s:key>
. . . . . .
</feed>
data/inputs/monitor
https://<host>:<mPort>/services/data/inputs/monitor
Description
Provides access to monitor inputs.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | List enabled and disabled monitor inputs. | XML, JSON |
| POST | Create a new file or directory monitor input. | XML, JSON |
GET data/inputs/monitor method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| _TCP_ROUTING | List of TCP forwarding groups, as specified in outputs.conf.
|
| disabled | Indicates if inputs monitoring is disabled. |
| filecount | Number of files monitored. |
| host | Name of the Splunk Enterprise host for which inputs are monitored. |
| index | The index in which to store the gathered data. |
| sourcetype | Source type being monitored.
The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk Enterprise formats your data. |
POST data/inputs/monitor method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| blacklist | String | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. | |
| check-index | Boolean | If set to true, the "index" value is checked to ensure that it is the name of a valid index. | |
| check-path | Boolean | If set to true, the "name" value is checked to ensure that it exists. | |
| crc-salt | String | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). | |
| disabled | Boolean | Indicates if input monitoring is disabled. | |
| followTail | Boolean | If set to true, files that are seen for the first time is read from the end. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. | |
| host_segment | Number | Use the specified slash-separate segment of the filepath as the host field value. | |
| ignore-older-than | String | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. | |
| index | String | default | Which index events from this input should be stored in. |
| name required |
String | The file or directory path to monitor on the system. | |
| recursive | Boolean | Setting this to "false" prevents monitoring of any subdirectories encountered within this data input. | |
| rename-source | String | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. | |
| time-before-close | Number | When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. | |
| whitelist | String | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
Response data keys
None
[ Top ]
data/inputs/monitor/{name}
https://<host>:<mPort>/services/data/inputs/monitor/{name}
Description
Manage the {name} monitor input.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Disable the named monitor data input and remove it from the configuration. | XML, JSON |
| GET | List the properties of a single monitor data input. | XML, JSON |
| POST | Update properties of the named monitor input. | XML, JSON |
DELETE data/inputs/monitor/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/monitor/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| disabled | Indicates if inputs monitoring is disabled. |
| filecount | Number of files being monitored. |
| host | Name of the Splunk Enterprise host for which inputs are monitored. |
| index | The index events from this input should be stored in. |
POST data/inputs/monitor/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| blacklist | String | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. | |
| check-index | Boolean | If set to true, the "index" value is checked to ensure that it is the name of a valid index. | |
| check-path | Boolean | If set to true, the "name" value is checked to ensure that it exists. | |
| crc-salt | String | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). | |
| disabled | Boolean | Indicates if input monitoring is disabled. | |
| followTail | Boolean | If set to true, files that are seen for the first time is read from the end. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. | |
| host_segment | Number | Use the specified slash-separate segment of the filepath as the host field value. | |
| ignore-older-than | String | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. | |
| index | String | default | Which index events from this input should be stored in. |
| recursive | Boolean | Setting this to "false" prevents monitoring of any subdirectories encountered within this data input. | |
| rename-source | String | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. | |
| time-before-close | Number | When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. | |
| whitelist | String | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
Response data keys
None
data/inputs/monitor/{name}/members
https://<host>:<mPort>/services/data/inputs/monitor/{name}/members
Description
List {name} monitor input files.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Lists all files monitored under the named monitor input. | XML, JSON |
GET data/inputs/monitor/{name}/members method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
None
[ Top ]
data/inputs/oneshot
https://<host>:<mPort>/services/data/inputs/oneshot
Description
Provides access to oneshot inputs.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Enumerates in-progress oneshot inputs. As soon as an input is complete, it is removed from this list. | XML, JSON |
| POST | Queues a file for immediate indexing. The file must be locally accessible from the server. This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether or not it is already indexed. | XML, JSON |
GET data/inputs/oneshot method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input.
This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.
You can obtain the percentage of a source file read by calculating offset/size. |
| Size | Size of the source file, in bytes.
You can obtain the percentage of a source file read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip.
A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
POST data/inputs/oneshot method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| host | String | The value of the "host" field to be applied to data from this file. | |
| host_regex | String | A regex to be used to extract a "host" field from the path.
If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. | |
| host_segment | Number | Use the specified slash-separate segment of the path as the host field value. | |
| index | String | The destination index for data processed from this file. | |
| name required |
String | The path to the file to be indexed. The file must be locally accessible by the server. | |
| rename-source | String | The value of the "source" field to be applied to data from this file. | |
| sourcetype | String | The value of the "sourcetype" field to be applied to data from this file. |
Response data keys
None
[ Top ]
data/inputs/oneshot/{name}
https://<host>:<mPort>/services/data/inputs/oneshot/{name}
Description
Get information about the {name} one-shot input.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Finds information about a single in-flight one shot input. This is a subset of the information in the full enumeration. | XML, JSON |
GET data/inputs/oneshot/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input.
This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.
You can obtain the percentage of a source file read by calculating offset/size. |
| Size | Size of the source file, in bytes.
You can obtain the percentage of a source file read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip.
A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
[ Top ]
data/inputs/registry
https://<host>:<mPort>/services/data/inputs/registry
Description
Provides access to Windows registry monitoring input.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Gets current registry monitoring configuration. | XML, JSON |
| POST | Creates new or modifies existing registry monitoring settings. | XML, JSON |
GET data/inputs/registry method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| baseline | Indicates whether or not Splunk Enterprise should get a baseline of Registry events when it starts. Defaults to false.
If true, the input captures a baseline for the specified hive when the input starts for the first time. |
| disabled | Indicats whether this input is disabled. |
| hive | Regular expression for Registry hives that this input should monitor for Registry access.
Matches against the Registry key which was accessed. Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through. |
| index | Specifies the index that this input should send the data to.
If no value is present, defaults to the default index. |
| monitorSubnodes | Indicates whether to monitor all Registry hives beneath the specified hive. |
| proc | Regular expression for processes this input should monitor for Registry access.
It matches against the process name which performed the Registry access. Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through. |
| type | A regular expression that specifies the types of Registry events to monitor. |
POST data/inputs/registry method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline required |
Number | Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no. | |
| hive required |
String | Specifies the registry hive under which to monitor for changes. | |
| name required |
String | Name of the configuration stanza. | |
| proc required |
String | Specifies a regex. If specified, collect changes if a process name matches that regex. | |
| type required |
String | A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character. For example,
set|create|delete|rename | |
| disabled | Number | Indicates whether the monitoring is disabled. | |
| index | String | default | The index in which to store the gathered data. |
| monitorSubnodes | Boolean | True | Indicates whether to monitor all Registry hives beneath the specified hive. |
Response data keys
None
[ Top ]
data/inputs/registry/{name}
https://<host>:<mPort>/services/data/inputs/registry/{name}
Description
Manage registry monitoring {name} stanza.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes registry monitoring configuration stanza. | XML, JSON |
| GET | Gets current registry monitoring configuration stanza. | XML, JSON |
| POST | Modifies given registry monitoring stanza. | XML, JSON |
DELETE data/inputs/registry/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/registry/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| baseline | Indicates whether to get a baseline of Registry events when Splunk Enterprise starts. |
| disabled | Indicates if the input is disabled. |
| hive | Regular expression for Registry hives that this input should monitor for Registry access.
Matches against the Registry key which was accessed. Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through. |
| index | Specifies the index that this input should send the data to.
If no value is present, defaults to the default index. |
| monitorSubnodes | Indicates whether to monitor all Registry hives beneath the specified hive. |
| proc | Regular expression for processes this input should monitor for Registry access.
It matches against the process name which performed the Registry access. Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through. |
| type | Regular expression that specifies the types of Registry events to monitor. |
POST data/inputs/registry/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline required |
Number | Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no. | |
| hive required |
String | Specifies the registry hive under which to monitor for changes. | |
| proc required |
String | Specifies a regex. If specified, collect changes if a process name matches that regex. | |
| type required |
String | A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character.
For example: set|create|delete|rename | |
| disabled | Number | Indicates whether the monitoring is disabled. | |
| index | String | default | The index in which to store the gathered data. |
| monitorSubnodes | Boolean | True | Indicates whether to monitor all Registry hives beneath the specified hive. |
Response data keys
None
[ Top ]
data/inputs/script
https://<host>:<mPort>/services/data/inputs/script
Description
Provides access to scripted inputs.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Gets the configuration settings for scripted inputs. | XML, JSON |
| POST | Configures settings for new scripted inputs. | XML, JSON |
GET data/inputs/script method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| endtime | If available, the time when the script stopped executing. |
| group | The name of the inputstatus group, which is always "exec commands." |
| host | Host with which these data are identified. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule.
Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
| source | The source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. |
| sourcetype | Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. There is no hard-coded default.
For more information, see the documentation for the sourcetype parameter for the POST operation. |
| starttime | If available, the time the when the script was executed. |
POST data/inputs/script method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Specifies whether the input script is disabled. | |
| host | String | Sets the host for events from this input. Defaults to whatever host sent the event. | |
| index | String | default | Sets the index for events from this input. Defaults to the main index. |
| interval required |
Number | 60.0 | Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| name required |
String | Specify the name of the scripted input. | |
| passAuth | String | User to run the script as.
If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script. | |
| rename-source | String | Specify a new name for the source field for the script. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.
| |
| sourcetype | String | Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.
Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
Response data keys
None
[ Top ]
data/inputs/script/restart
https://<host>:<mPort>/services/data/inputs/script/restart
Description
Allows for restarting scripted inputs.
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Causes a restart on a given scripted input. | XML, JSON |
POST data/inputs/script/restart method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| script required |
String | Path to the script to be restarted. This path must match an already-configured existing scripted input. |
Response data keys
None
[ Top ]
data/inputs/script/{name}
https://<host>:<mPort>/services/data/inputs/script/{name}
Description
Manage the {name} scripted input.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the scripted input specified by {name}. | XML, JSON |
| GET | Returns the configuration settings for the scripted input specified by {name}. | XML, JSON |
| POST | Configures settings for scripted input specified by {name}. | XML, JSON |
DELETE data/inputs/script/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/script/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| group | The name of the inputstatus group, which is always "exec commands." |
| host | Host these data are identified with. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule.
Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
POST data/inputs/script/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Specifies whether the input script is disabled. | |
| host | String | Sets the host for events from this input. Defaults to whatever host sent the event. | |
| index | String | default | Sets the index for events from this input. Defaults to the main index. |
| interval | Number | 60.0 | Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| passAuth | String | User to run the script as.
If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script. | |
| rename-source | String | Specify a new name for the source field for the script. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.
| |
| sourcetype | String | Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.
Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
Response data keys
None
[ Top ]
data/inputs/tcp/cooked
https://<host>:<mPort>/services/data/inputs/tcp/cooked
Description
Provides access to TCP inputs from forwarders.
Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Returns information about all cooked TCP inputs. | XML, JSON |
| POST | Creates a new container for managing cooked data. | XML, JSON |
GET data/inputs/tcp/cooked method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
POST data/inputs/tcp/cooked method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | If SSL is not already configured, error is returned | |
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the input is disabled. | |
| host | String | The default value to fill in for events lacking a host value. | |
| name required |
Number | The port number of this input. | |
| queue | "parsingQueue" | "indexQueue" | "parsingQueue" | Specifies where the input processor should deposit the events it reads. |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here. |
Response data keys
None
[ Top ]
data/inputs/tcp/cooked/{name}
https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}
Description
Manage cooked TCP inputs for the {name} host or port.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the cooked TCP inputs for port or host:port specified by {name} | XML, JSON |
| GET | Returns information for the cooked TCP input specified by {name}. If port is restricted to a host, name should be URI-encoded host:port. | XML, JSON |
| POST | Updates the container for managing cooked data. | XML, JSON |
DELETE data/inputs/tcp/cooked/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/tcp/cooked/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
POST data/inputs/tcp/cooked/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | If SSL is not already configured, error is returned | |
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the input is disabled. | |
| host | String | The default value to fill in for events lacking a host value. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here. |
Response data keys
None
[ Top ]
data/inputs/tcp/cooked/{name}/connections
https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}/connections
Description
Get active connections to the {name} port.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Retrieves list of active connections to the named port. | XML, JSON |
GET data/inputs/tcp/cooked/{name}/connections method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| connection | Identifies the connection to port. |
| servername | Server name of forwarder connecting to this port. |
[ Top ]
data/inputs/tcp/raw
https://<host>:<mPort>/services/data/inputs/tcp/raw
Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.
Description
Container for managing raw tcp inputs from forwarders.
Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Returns information about all raw TCP inputs. | XML, JSON |
| POST | Creates a new data input for accepting raw TCP data. | XML, JSON |
GET data/inputs/tcp/raw method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | Host from which the indexer gets data. |
| index | The index in which to store generated events. |
POST data/inputs/tcp/raw method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| host | String | Host from which the indexer gets data. | |
| index | String | default | Index to store generated events. |
| name required |
String | The input port which receives raw data. | |
| queue | Enum | Valid values: (parsingQueue | indexQueue)
Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to Set queue to | |
| rawTcpDoneTimeout | Number | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.
If a connection over the port specified by | |
| restrictToHost | String | Allows for restricting this input to only accept data from the host specified here. | |
| SSL | Boolean | ||
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Set the source type for events from this input.
"sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
Response data keys
None
[ Top ]
data/inputs/tcp/raw/{name}
https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}
Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.
Description
Manage raw inputs for the {name} host or port.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the raw inputs for port or host:port specified by {name} | XML, JSON |
| GET | Returns information about raw TCP input port {name}. If port is restricted to a host, name should be URI-encoded host:port. | XML, JSON |
| POST | Updates the container for managing raw data. | XML, JSON |
DELETE data/inputs/tcp/raw/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/tcp/raw/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
POST data/inputs/tcp/raw/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | ||
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| host | String | Host from which the indexer gets data. | |
| index | String | default | Index to store generated events. |
| queue | Enum | Valid values: (parsingQueue | indexQueue)
Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to Set queue to | |
| rawTcpDoneTimeout | Number | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.
If a connection over the port specified by | |
| restrictToHost | String | Allows for restricting this input to only accept data from the host specified here. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Set the source type for events from this input.
"sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
Response data keys
None
[ Top ]
data/inputs/tcp/raw/{name}/connections
https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}/connections
Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.
Description
Get active connections the {name} host or port.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | View all connections to the named data input. | XML, JSON |
GET data/inputs/tcp/raw/{name}/connections method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| connection | IP address and port of the source connecting to this TCP input port. |
| servername | DNS name of the source connecting to this TCP input port. |
[ Top ]
data/inputs/tcp/splunktcptoken
https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken
Description
Manage receiver access using tokens. Get information on all receiver tokens or create a new token. To edit or delete an existing token, see data/inputs/tcp/splunktcptoken/{name}.
- Note: Configure the forwarder with the same token as the receiver to ensure that the forwarder receives data.
Authentication and Authorization:
Username and password required. The edit_splunktcp_token capability is additionally required for this endpoint.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Returns all configured tokens. | XML, JSON |
| POST | Create a new token. | XML, JSON |
GET /services/data/inputs/tcp/splunktcptoken method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
Response data keys are returned for each receiver token.
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
POST /services/data/inputs/tcp/splunktcptoken method detail
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Datatype | Default | Description |
|---|---|---|---|
| name | String | None | Required. Name for the token to create. |
| token | String | None | Optional. Token value to use. If unspecified, a token is generated automatically. |
Response data keys
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
[ Top ]
data/inputs/tcp/splunktcptoken/{name}
https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken/{name}
Description
Manage existing receiver tokens.
Authentication and Authorization
Username and password required. The edit_splunktcp_token capability is additionally required for this endpoint.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Access token information. | XML, JSON |
| POST | Update an existing token value. | XML, JSON |
| DELETE | Delete an existing token. | XML, JSON |
GET /services/data/inputs/tcp/splunktcptoken/{name} method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
POST /services/data/inputs/tcp/splunktcptoken/{name} method detail
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Datatype | Default | Description |
|---|---|---|---|
| token | String | None | New token value. |
Response data keys
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
DELETE /services/data/inputs/tcp/splunktcptoken/{name} method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
| token | Token value. |
[ Top ]
data/inputs/tcp/ssl
https://<host>:<mPort>/services/data/inputs/tcp/ssl
Description
Provides access to the SSL configuration of a Splunk Enterprise server.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Returns SSL configuration. There is only one SSL configuration for all input ports. | XML, JSON |
GET data/inputs/tcp/ssl method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| cipherSuite | Specifies list of acceptable ciphers to use in ssl. |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
[ Top ]
data/inputs/tcp/ssl/{name}
https://<host>:<mPort>/services/data/inputs/tcp/ssl/{name}
Description
Manage SSL configuration for the {name} host.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Returns the SSL configuration for the host {name}. | XML, JSON |
| POST | Configures SSL attributes for the host {name}. | XML, JSON |
GET data/inputs/tcp/ssl/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| cipherSuite | Specifies list of acceptable ciphers to use in ssl. |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
POST data/inputs/tcp/ssl/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| password | String | Server certificate password, if any. | |
| requireClientCert | Boolean | Determines whether a client must authenticate. | |
| rootCA | String | Certificate authority list (root file) | |
| serverCert | String | Full path to the server certificate. |
Response data keys
None
[ Top ]
data/inputs/udp
https://<host>:<mPort>/services/data/inputs/udp
Description
Provides access to UPD data inputs.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | List enabled and disabled UDP data inputs. | XML, JSON |
| POST | Create a new UDP data input. | XML, JSON |
GET data/inputs/udp method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
POST data/inputs/udp method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates if the input is disabled. | |
| host | String | The value to populate in the host field for incoming events.
This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. | |
| index | String | default | Which index events from this input should be stored in. |
| name required |
String | The UDP port that this input should listen on. | |
| no_appending_timestamp | Boolean | If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events. | |
| no_priority_stripping | Boolean | If set to true, Splunk Enterprise does remove the priority field from incoming syslog events. | |
| queue | String | Which queue events from this input should be sent to. Generally this does not need to be changed. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here.
If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used. | |
| source | String | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
Response data keys
None
[ Top ]
data/inputs/udp/{name}
https://<host>:<mPort>/services/data/inputs/udp/{name}
Description
Manage the {name} UDP host or port.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Disable the named UDP data input and remove it from the configuration. | XML, JSON |
| GET | List the properties of a single UDP data input port or host:port {name}. If port is restricted to a host, name should be URI-encoded host:port. | XML, JSON |
| POST | Edit properties of the named UDP data input. | XML, JSON |
DELETE data/inputs/udp/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/udp/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| _rcvbuf | Socket receive buffer size (bytes). |
| disabled | Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled. |
| group | Set to listenerports for listening ports. |
| host | Host from which the indexer gets data. |
| index | Index to store generated events. |
POST data/inputs/udp/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates if the input is disabled. | |
| host | String | The value to populate in the host field for incoming events.
This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. | |
| index | String | default | Which index events from this input should be stored in. |
| no_appending_timestamp | Boolean | If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events. | |
| no_priority_stripping | Boolean | If set to true, Splunk Enterprise does remove the priority field from incoming syslog events. | |
| queue | String | Which queue events from this input should be sent to. Generally this does not need to be changed. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here.
If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used. | |
| source | String | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
Response data keys
None
[ Top ]
data/inputs/udp/{name}/connections
https://<host>:<mPort>/services/data/inputs/udp/{name}/connections
Description
List connections to the {name} host or port.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Lists connections to the named UDP input. | XML, JSON |
GET data/inputs/udp/{name}/connections method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
[ Top ]
data/inputs/win-event-log-collections
https://<host>:<mPort>/services/data/inputs/win-event-log-collections
Description
Provides access to all configured event log collections.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Retrieves a list of configured event log collections. | XML, JSON |
| POST | Creates of modifies existing event log collection settings. You can configure both native and WMI collection with this endpoint. | XML, JSON |
GET data/inputs/win-event-log-collections method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| lookup_host | String | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Hosts you are monitoring. |
| index | Index to store data.
If not specified defaults to the default index. |
| logs | List of event log channels to monitor. |
POST data/inputs/win-event-log-collections method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| hosts | String | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. | |
| index | String | default | The index in which to store the gathered data. |
| logs | String | List of event log names from which to gather data:
| |
| lookup_host required |
String | Host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter. | |
| name required |
String | Collection name. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI. |
Response data keys
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Monitored hosts. |
| index | Index to store data. |
| logs | List of event log channels to monitor. |
| lookup_host | Host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI |
[ Top ]
data/inputs/win-event-log-collections/{name}
https://<host>:<mPort>/services/data/inputs/win-event-log-collections/{name}
Description
Manage the {name} Windows event log.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given event log collection. | XML, JSON |
| GET | Gets the configuration settings for a given event log collection. | XML, JSON |
| POST | Modifies existing event log collection. | XML, JSON |
DELETE data/inputs/win-event-log-collections/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/win-event-log-collections/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| lookup_host | String | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
Response data keys
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Monitored hosts. |
| index | Index to store data.
If not specified defaults to the default index. |
| logs | List of event log channels to monitor. |
| lookup_host | Host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
POST data/inputs/win-event-log-collections/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| hosts | String | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. | |
| index | String | default | The index in which to store the gathered data. |
| logs | String | A comma-separated list of event log names to gather data from. | |
| lookup_host required |
String | This is a host from which we monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter. |
Response data keys
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | Monitored hosts. |
| index | Index to store data. |
| logs | List of event log channels to monitor. |
| lookup_host | Host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
[ Top ]
data/inputs/win-wmi-collections
https://<host>:<mPort>/services/data/inputs/win-wmi-collections
Description
Provides access to all configured WMI collections.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Provides access to all configure WMI collections. | XML, JSON |
| POST | Creates or modifies existing WMI collection settings. | XML, JSON |
GET data/inputs/win-wmi-collections method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| class | The WMI performance object class being monitored. |
| disabled | Indicates whther the input is disbled. |
| fields | The WMI performance counters being monitored. |
| index | The index to which you are sending input data. |
| instances | Instances of the WMI performance counter. |
| interval | The interval, in seconds, at which the WMI provider(s) are queried. |
| name | the name of the input. |
| server | The server you are monitoring. |
| wql | The actual WQL query for monitoring the performance object. |
POST data/inputs/win-wmi-collections method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| classes required |
String | A valid WMI class name. | |
| disabled | Number | 0 | Disables the given collection. |
| fields | String | 1. * | Properties (fields) that you want to gather from the given class.
Specify each property as a separate argument to the POST operation. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | empty | Instances of a given class for which data is gathered.
Specify each instance as a separate argument to the POST operation. |
| interval required |
Number | The interval, in seconds, at which the WMI provider(s) is queried. | |
| lookup_host required |
String | This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter. | |
| name required |
String | This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. | |
| server | String | localhost | A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host. |
Response data keys
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) is queried. |
| lookup_host | Host from which to monitor log events. |
| server | Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
[ Top ]
data/inputs/win-wmi-collections/{name}
https://<host>:<mPort>/services/data/inputs/win-wmi-collections/{name}
Description
Manage the {name} WMI collection.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given collection. | XML, JSON |
| GET | Gets information about a single collection. | XML, JSON |
| POST | Modifies a given WMI collection. | XML, JSON |
DELETE data/inputs/win-wmi-collections/{name} method detail
Request parameters
None
Response data keys
None
Application usage
The method returns HTTP status code = 400, if {name} does not exist.
GET data/inputs/win-wmi-collections/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) is queried. |
| lookup_host | Host from which to monitor log events. |
| name | Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
| server | Servers frpm which to gather data from. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
POST data/inputs/win-wmi-collections/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| classes required |
String | A valid WMI class name. | |
| disabled | Number | Disables the given collection. | |
| fields | String | Properties (fields) that you want to gather from the given class.
Specify each property as a separate argument to the POST operation. | |
| index | String | The index in which to store the gathered data. | |
| instances | String | Instances of a given class for which data is gathered.
Specify each instance as a separate argument to the POST operation. | |
| interval required |
Number | The interval, in seconds, at which the WMI provider(s) is queried. | |
| lookup_host required |
String | This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter. | |
| server | String | A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter. |
Response data keys
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) are queried. |
| lookup_host | Host from which to monitor log events. |
| name | Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
| server | Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
[ Top ]
data/inputs/win-perfmon
https://<host>:<mPort>/services/data/inputs/win-perfmon
Description
Provides access to performance monitoring configuration. This input allows you to poll Windows performance monitor counters.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Gets current performance monitoring configuration. | XML, JSON |
| POST | Creates new or modifies existing performance monitoring collection settings. | XML, JSON |
GET data/inputs/win-perfmon method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How often, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
POST data/inputs/win-perfmon method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| counters | String | A set of counters to monitor. A '*' is equivalent to all counters.
Specify each counter as a separate argument to the POST operation. | |
| host | String | Docs-W8R2-Std7 | Name of the host for the Windows Performance Monitor. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | A set of counter instances to monitor. A '*' is equivalent to all instances.
Specify each instance as a separate argument to the POST operation. | |
| interval | Number | How frequently, in seconds, to poll for new data. | |
| name required |
String | This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. | |
| object | String | A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.') | |
| source | String | Source for inputs. | |
| sourcetype | String | Source type of input. |
Response data keys
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| host | Name of the host for the Windows Performance Monitor. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How frequently, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
| source | Source for inputs. |
| sourcetype | Source type of the input. |
[ Top ]
data/inputs/win-perfmon/{name}
https://<host>:<mPort>/services/data/inputs/win-perfmon/{name}
Description
Manage the {name} performance monitoring stanza.
Method summary
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given monitoring stanza. | XML, JSON |
| GET | Gets settings for a given perfmon stanza. | XML, JSON |
| POST | Modifies existing monitoring stanza | XML, JSON |
DELETE data/inputs/win-perfmon/{name} method detail
Request parameters
None
Response data keys
None
GET data/inputs/win-perfmon/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How often, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
POST data/inputs/win-perfmon/{name} method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| counters | String | A set of counters to monitor. A '*' is equivalent to all counters.
Specify each counter as a separate argument to the POST operation. | |
| host | String | Docs-W8R2-Std7 | Name of the host for the Windows Performance Monitor. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | A set of counter instances to monitor. A '*' is equivalent to all instances.
Specify each instance as a separate argument to the POST operation. | |
| interval | Number | How frequently, in seconds, to poll for new data. | |
| object | String | A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.') | |
| source | String | Source for inputs. | |
| sourcetype | String | Source type of input. |
Response data keys
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| host | Name of the host for the Windows Performance Monitor. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How frequently, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor, |
| source | Source for inputs. |
| sourcetype | Source type of the input. |
[ Top ]
data/modular-inputs
https://<host>:<mPort>/services/data/modular-inputs
Description
Provides access to currently defined modular inputs on the system.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Lists information about configured modular inputs. | XML, JSON |
GET data/modular-inputs method detail
Request parameters
Pagination and filtering parameters can be used with this method.
Response data keys
| Name | Description |
|---|---|
| description | Provides descriptive text for title in the Splunk Manager page for Data inputs.
The description also appears on the Add new data inputs Manager page. For more information, refer to Modular inputs: Introspection scheme details. |
| endpoint | Contains one or more <arg> elements, which define the parameters to an endpoint.
For more information, refer to Modular inputs: Introspection scheme details. |
| streaming_mode | Indicates the streaming mode for the modular input.
Valid values:
For more information, refer to Modular inputs: Introspection scheme details. |
| title | The label for a modular input script.
The label appears in the Splunk Manager page for Data inputs. For more information, refer to Modular inputs: Introspection scheme details. |
Application usage
For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.
[ Top ]
data/modular-inputs/{name}
https://<host>:<mPort>/services/data/modular-inputs/{name}
Description
Get information about the {name} modular input.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Lists information about the modular input specified by {name}. | XML, JSON |
GET data/modular-inputs/{name} method detail
Request parameters
None
Response data keys
| Name | Description |
|---|---|
| description | The label for a modular input script.
The label appears in the Splunk Manager page for Data inputs. For more information, refer to Modular inputs: Introspcetion scheme details. |
| endpoint | Contains one or more <arg> elements, which define the parameters to an endpoint.
For more information, refer to Modular inputs: Introspcetion scheme details. |
| streaming_mode | Indicates the streaming mode for the modular input.
Valid values:
Contains one or more <arg> elements, which define the parameters to an endpoint. For more information, refer to Modular inputs: Introspcetion scheme details. |
| title | The label for a modular input script.
The label appears in the Splunk Manager page for Data inputs. For more information, refer to Modular inputs: Introspection scheme details. |
Application usage
For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.
[ Top ]
indexing/preview
https://<host>:<mPort>/services/indexing/preview
Description
Preview events from a source file before you index the file.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Return a list of all data preview jobs. Data returned includes the Splunk Enterprise management URI to access each preview job. | XML, JSON |
| POST | Create a preview data job for the specified source file, returning the preview data job ID. | XML, JSON |
GET indexing/preview method detail
Request parameters
None
Response data keys
None
Application usage
ou can also check the status of a data preview job with GET /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. For more information, see GET /search/jobs/{search_id}.
Use the data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events from the source file.
Data returned includes the Splunk Enterprise management URI for each data preview job.
POST indexing/preview method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| input.path required |
String | The absolute file path to a local file that you want to preview data returned from indexing. | |
| props.<props_attr> | String | Define a new sourcetype in props.conf for preview data that you are indexing.
Typically, you first examine preview data events returned from GET /search/jobs/{job_id}events. Then you define new sourcetypes as needed with this endpoint. |
Response data keys
None
Application usage
Use the POST operation of this endpoint to create a data preview job and return the corresponding data preview job ID.
Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.
You can optionally define sourcetypes for preview data job in props.conf.
[ Top ]
indexing/preview/{job_id}
https://<host>:<mPort>/services/indexing/preview/{job_id}
Description
Get props.conf file settings for the {job_id} job.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Returns the props.conf settings for the data preview job specified by {job_id}. | XML, JSON |
GET indexing/preview/{job_id} method detail
Request parameters
None
Response data keys
None
[ Top ]
receivers/simple
https://<host>:<mPort>/services/receivers/simple
Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.
Description
Allows for sending events to Splunk Enterprise in an HTTP request.
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Create events from the contents contained in the HTTP body. | XML, JSON |
POST receivers/simple method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| <arbitrary_data> required |
String | Raw event text. This is the entirety of the HTTP request body. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | A regular expression used to extract the host value from each event. | |
| index | String | default | The destination index where events are sent. |
| source | String | The source value to fill in the metadata for this input's events. | |
| sourcetype | String | The sourcetype to apply to events from this input. |
Response data keys
None
[ Top ]
receivers/stream
https://<host>:<mPort>/services/receivers/stream
Authentication: Username and password required. The edit_tcp capability is additionally required for this endpoint.
Description
Open a socket to receive streaming data.
- Note: For HTTP uploads, if the caller passes a content-type of "multipart/form data", the HTTP file upload protocol is used and files are indexed.
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Create events from the stream of data following HTTP headers. | XML, JSON |
POST receivers/stream method detail
Request parameters
| Name | Datatype | Default | Description |
|---|---|---|---|
| <data_stream> required |
String | Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | A regular expression used to extract the host value from each event. | |
| index | String | The index to send events from this input to. | |
| source | String | The source value to fill in the metadata for this input's events. | |
| sourcetype | String | The sourcetype to apply to events from this input. |
Response data keys
None
Application usage
Data transfer continues until you enter <CTRL-C>.
For streaming connections, set streaming and x-splunk-input-mode arguments in the header.
[ Top ]
services/collector
<protocol>://<host>:<mPort>/services/collector
Authorization: Requires an HTTP Event Collector <Token>.
Description
Send events to HTTP Event Collector using the Splunk platform JSON event protocol.
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
- Note: When using an ACK-enabled token, an
ackIDis returned within a JSON object in the response. For example,{"ackID": "0"}indicates an ackID of 0. Use theackIDto query theservices/collector/ackendpoint to verify event indexing. For more information, see services/collector/ack.
See also
- data/inputs/http
- data/inputs/http/{name}
- data/inputs/http/{name}/disable
- data/inputs/http/{name}/enable
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Send events to the HTTP Event Collector. | JSON |
POST services/collector method detail
Request parameters
| Name | Datatype | Description |
|---|---|---|
| channel | See description | Required if useAck is enabled. Pass in the channel GUID as a string parameter or using the "x-splunk-request-channel" header.
|
| event | string | Required. Event payload key-value. Value can be a string or a JSON object. JSON example: |
| host | string | Host name. Specify with the host query string parameter. Sets a default for all events in the request. The default host name can be overridden. |
| index | string | Index name. Specify with the index query string parameter. Sets a default for all events in the request. The default index name can be overridden. |
| source | string | User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden. |
| sourcetype | string | User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden. |
| time | string or unsigned integer | Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden. |
Response keys
| Name | Description |
|---|---|
| text | Human readable status, same value as code. |
| code | Machine format status, same value as text. |
| invalid-event-number | When errors occur, indicates the zero-based index of first invalid event in an event sequence. |
| ackId | If useACK is enabled for the token, indicates the ackId to use for checking an indexer acknowledgement.
|
Response status codes
The following status codes have particular meaning for all HTTP Event Collector endpoints:
| Status Code | HTTP status code ID | HTTP status code | Status message |
|---|---|---|---|
| 0 | 200 | OK | Success
|
| 1 | 403 | Forbidden | Token disabled
|
| 2 | 401 | Unauthorized | Token is required
|
| 3 | 401 | Unauthorized | Invalid authorization
|
| 4 | 403 | Forbidden | Invalid token
|
| 5 | 400 | Bad Request | No data
|
| 6 | 400 | Bad Request | Invalid data format
|
| 7 | 400 | Bad Request | Incorrect index
|
| 8 | 500 | Internal Error | Internal server error
|
| 9 | 503 | Service Unavailable | Server is busy
|
| 10 | 400 | Bad Request | Data channel is missing
|
| 11 | 400 | Bad Request | Invalid data channel
|
| 12 | 400 | Bad Request | Event field is required
|
| 13 | 400 | Bad Request | Event field cannot be blank
|
| 14 | 400 | Bad Request | ACK is disabled
|
Example response messages
Success:
{"text":"Success","code":0}
Failure:
{"text":"Incorrect data format","code":5,"invalid-event-number":0}
Application usage
HTTP Event Collector functionality must be enabled to send events.
To send events to the HTTP Event Collector, you must provide an HTTP Event Collector token in the authorization header. The token is created using the data/inputs/http endpoint. You can then retrieve the token with a GET request on the data/inputs/http/{name} endpoint, where {name} is the name of your token. Include the authentication token in the request header using the following format: Authorization: Splunk <token>. The format is case-sensitive.
Use the Splunk platform search application to view the logged events. For example, use
index=main | search sourcetype=access to view all logged events with a sourcetype of access.
For performance reasons, the data input endpoint follows a simple error handling model. It assumes that in most cases it receives a well-formed event data payload. If there is malformed event data in the payload, events continue to be extracted until an error is encountered. Processing stops immediately on an error and the error and number of payload events processed successfully are reported. Events processed before the error are sent to indexers and all events after the first error are dropped.
[ Top ]
services/collector/ack
<protocol>://<host>:<mPort>/services/collector/ack
Description
Query event indexing status.
For events sent using HTTP Event Collector, check event indexing status. Requests must use a valid channel ID and authorization token with useACK enabled. An event ACK ID, returned in response to a POST to services/collector, is also required.
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Authorization: Requires an HTTP Event Collector <Token>.
Method summary
| Method | Description | Formats |
|---|---|---|
| GET | Get HTTP Event Collector event indexing status. | JSON |
GET services/collector/ack method detail
Request parameters
| Parameter | Datatype | Description |
|---|---|---|
| channel | See description | Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
|
"acks"
|
JSON object | Required. JSON object with an array of ack ID values. Include in the request payload. |
Response keys
| Name | Description |
|---|---|
| acks | Contains the key/value pairs for each ACK ID requested. For each key in the "acks" object, a true value means the ACK ID's events were indexed. A false value means that indexing status is unknown. For example, an event may have an indexing delay long enough that it is no longer tracked.Here is an example response. |
Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.
services/collector/event
This endpoint works identically to services/collector but introduces a format option for future scalability. For more information, see services/collector.
[ Top ]
services/collector/event/1.0
This endpoint works identically to services/collector/event but introduces a protocol version for future scalability. For more information, see services/collector.
[ Top ]
services/collector/mint
<protocol>://<host>:<mPort>/services/collector/mint
Post MINT formatted data to the HTTP Event Collector. The authorization header contains the authorization scheme and application token. The HTTP POST body contains event data in the MINT payload format.
- Note: By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Authorization: Requires an HTTP Event Collector <Token>.
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Post MINT formatted data. | MINT |
POST services/collector/mint method detail
Request Parameters
| Name | Datatype | Description |
|---|---|---|
| host | String | Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden. |
| index | String | Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden. |
| source | String | User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden. |
| sourcetype | string | User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden. |
| time | string or unsigned integer | Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden. |
Response data keys
None
Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.
[ Top ]
services/collector/mint/1.0
This endpoint works identically to receivers/token/mint but introduces a protocol version for future scalability.
[ Top ]
services/collector/raw
<protocol>://<host>:<mPort>/services/collector/raw
Description
Send raw data directly to the HTTP Event Collector. This endpoint allows one or more raw events to be sent in a single request. All events are parsed using the standard Splunk software pipeline, which includes breaking rules and timestamp extraction. This endpoint requires a data channel GUID to differentiate data from different clients. Generate a GUID and provide it in a POST request as a custom HTTP header or as a parameter.
If a channel is not provided in the POST request, an error response is sent. Only valid GUIDs can be used. An error message is returned if GUID validation fails.
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.
Authorization: Requires an HTTP Event Collector <Token>.
Method summary
| Method | Description | Formats |
|---|---|---|
| POST | Send raw data to the to the indexer queue. Requires a data channel GUID, provided as a custom HTTP header or request parameter. |
POST services/collector/raw method detail
Send raw data to the indexer queue.
Request parameters
| Name | Datatype | Description |
|---|---|---|
| channel | See description. | Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
|
| host | String | Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden. |
| index | String | Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden. |
| source | String | User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden. |
| sourcetype | string | User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden. |
| time | string or unsigned integer | Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden. |
Response data keys
None
Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.
[ Top ]
services/collector/raw/1.0
This endpoint works identically to services/collector/raw but introduces a protocol version for future scalability. See services/collector/raw.
|
PREVIOUS Deployment endpoint examples |
NEXT Input endpoint examples |
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Feedback submitted, thanks!