
Knowledge endpoint examples
data/lookup-table-files GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>lookup-table-files</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id> <updated>2011-07-21T19:26:11-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/> <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>lookup.csv</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id> <updated>2011-07-21T19:26:11-07:00</updated> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/> <content type="text/xml"> <s:dict> ... eai:acl nodes elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:data"> <![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/lookup-table-files POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv -d name=lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>lookup-table-files</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id> <updated>2011-07-21T18:26:35-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/> <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>lookup.csv</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id> <updated>2011-07-21T18:26:35-07:00</updated> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/> <content type="text/xml"> <s:dict> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:data"> <![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/lookup-table-files/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>lookup-table-files</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id> <updated>2011-07-21T18:43:11-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/> <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> </feed>
data/lookup-table-files/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>lookup-table-files</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id> <updated>2011-07-21T18:37:25-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/> <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>lookup.csv</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id> <updated>2011-07-21T18:37:25-07:00</updated> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/> <content type="text/xml"> <s:dict> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list> <s:item>eai:data</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:data"> <![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/lookup-table-files/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>lookup-table-files</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id> <updated>2011-07-21T18:41:52-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/> <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>lookup.csv</title> <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id> <updated>2011-07-21T18:41:52-07:00</updated> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/> <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/> <content type="text/xml"> <s:dict> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:data"> <![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/props/calcfields GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>props-eval</title> <id>https://localhost:8089/services/data/props/calcfields</id> <updated>2012-10-01T15:01:50-07:00</updated> <generator build="138753" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/props/calcfields/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>&lt;access_common&gt; : EVAL-response_time</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id> <updated>2012-10-01T15:01:50-07:00</updated> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">EVAL-response_time</s:key> ... eai:acl node elided ... <s:key name="field.name">response_time</s:key> <s:key name="stanza">&lt;access_common&gt;</s:key> <s:key name="type">EVAL</s:key> <s:key name="value">response_time/1000</s:key> </s:dict> </content> </entry> </feed>
data/props/calcfields POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields -d name=response_time -d stanza=%3Caccess_common%3E -d value=response_time/1000
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>props-eval</title> <id>https://localhost:8089/services/data/props/calcfields</id> <updated>2012-10-01T14:58:45-07:00</updated> <generator build="138753" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/props/calcfields/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>&lt;access_common&gt; : EVAL-response_time</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id> <updated>2012-10-01T14:58:45-07:00</updated> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">EVAL-response_time</s:key> ... eai:acl node elided ... <s:key name="field.name">response_time</s:key> <s:key name="stanza">&lt;access_common&gt;</s:key> <s:key name="type">EVAL</s:key> <s:key name="value">response_time/1000</s:key> </s:dict> </content> </entry> </feed>
data/props/calcfields/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>props-eval</title> <id>https://localhost:8089/services/data/props/calcfields</id> <updated>2012-10-01T15:33:06-07:00</updated> <generator build="138753" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/props/calcfields/_new" rel="create"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
data/props/calcfields/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>props-eval</title> <id>https://localhost:8089/services/data/props/calcfields</id> <updated>2012-10-01T15:05:09-07:00</updated> <generator build="138753" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/props/calcfields/_new" rel="create"/> ... opensearch nodes elided ... <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>&lt;access_common&gt; : EVAL-response_time</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id> <updated>2012-10-01T15:05:09-07:00</updated> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">EVAL-response_time</s:key> ... eai:acl node elided ... ... eai:attributes node elided ... <s:key name="field.name">response_time</s:key> <s:key name="stanza">&lt;access_common&gt;</s:key> <s:key name="type">EVAL</s:key> <s:key name="value">response_time/1000</s:key> </s:dict> </content> </entry> </feed>
data/props/calcfields/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time -d value=response_time/100
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>props-eval</title> <id>https://localhost:8089/services/data/props/calcfields</id> <updated>2012-10-01T15:14:19-07:00</updated> <generator build="138753" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/props/calcfields/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>&lt;access_common&gt; : EVAL-response_time</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id> <updated>2012-10-01T15:14:19-07:00</updated> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/> <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">EVAL-response_time</s:key> ... eai:acl node elided ... <s:key name="field.name">response_time</s:key> <s:key name="stanza">&lt;access_common&gt;</s:key> <s:key name="type">EVAL</s:key> <s:key name="value">response_time/100</s:key> </s:dict> </content> </entry> </feed>
data/props/extractions GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id> <updated>2011-07-10T22:55:04-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>access_combined : REPORT-access</title> <id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id> <updated>2011-07-10T22:55:04-07:00</updated> <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/> <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="attribute">REPORT-access</s:key> ... eai:acl node elided ... <s:key name="stanza">access_combined</s:key> <s:key name="type">Uses transform</s:key> <s:key name="value">access-extractions</s:key> </s:dict> </content> </entry> </feed>
data/props/extractions POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?<port_number>\d+)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id> <updated>2011-07-10T22:56:17-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>ftp_log : EXTRACT-port</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id> <updated>2011-07-10T22:56:17-07:00</updated> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">EXTRACT-port</s:key> ... eai:acl node elided ... <s:key name="stanza">ftp_log</s:key> <s:key name="type">Inline</s:key> <s:key name="value">port (?&lt;port_number&gt;\d )</s:key> </s:dict> </content> </entry> </feed>
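Added example (not part of the Splunk reference): the response above stores `\d ` where the request sent `\d+`, which is what application/x-www-form-urlencoded decoding does to an unencoded `+` sent with `curl -d`. The Python sketch below reproduces that offline, compares it with what `curl --data-urlencode` would send, and checks a trimmed, constructed copy of the response; the helper names and the sample event are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Fields from the data/props/extractions POST request above.
FIELDS = [
    ("name", "port"),
    ("stanza", "ftp_log"),
    ("type", "EXTRACT"),
    ("value", r"port (?<port_number>\d+)"),
]

# Constructed sample: the entry from the response above, trimmed to its s:dict.
SAMPLE_FEED = r"""<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">port (?&lt;port_number&gt;\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

# Constructed sample event for the ftp_log sourcetype.
EVENT = "FTP session opened on port 2121 from 192.0.2.10"


def body_as_curl_d(fields):
    """curl -d sends each name=value verbatim, joined with '&'."""
    return "&".join(f"{k}={v}" for k, v in fields)


def body_as_data_urlencode(fields):
    """curl --data-urlencode name=value percent-encodes the value part."""
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in fields)


def form_decode(body):
    """Standard form decoding on the receiving side: '+' means space."""
    return dict(parse_qsl(body, keep_blank_values=True))


def stored_settings(feed_xml):
    """Map each entry title to the top-level s:key values of its s:dict."""
    root = ET.fromstring(feed_xml)
    settings = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", default="", namespaces=NS)
        keys = entry.findall("atom:content/s:dict/s:key", NS)
        settings[title] = {k.get("name"): (k.text or "").strip() for k in keys}
    return settings


def plus_became_space(intended, stored):
    """True when stored differs from intended only by '+' turned into ' '."""
    return stored != intended and stored == intended.replace("+", " ")


def extract_port(pattern, event):
    """Apply a PCRE-style named-group regex using Python's re module."""
    # Python spells named groups (?P<name>...); leave lookbehinds untouched.
    py_pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    match = re.search(py_pattern, event)
    return match.group("port_number") if match else None


def main():
    intended = dict(FIELDS)["value"]
    stored = stored_settings(SAMPLE_FEED)["ftp_log : EXTRACT-port"]["value"]
    print("sent with -d, decoded :", form_decode(body_as_curl_d(FIELDS))["value"])
    print("sent url-encoded      :", form_decode(body_as_data_urlencode(FIELDS))["value"])
    print("stored in response    :", stored)
    print("'+' lost in transit   :", plus_became_space(intended, stored))
    print("intended regex yields :", extract_port(intended, EVENT))
    print("stored regex yields   :", extract_port(stored, EVENT))


if __name__ == "__main__":
    main()
```

The stored pattern matches one digit followed by a space, so on a multi-digit port the extraction returns nothing and raises no error; comparing the `value` key in the response with what was sent catches this at configuration time.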
data/props/extractions/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id> <updated>2011-07-10T23:05:42-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> </feed>
data/props/extractions/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id> <updated>2011-07-10T23:02:31-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>ftp_log : EXTRACT-port</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id> <updated>2011-07-10T23:02:31-07:00</updated> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">EXTRACT-port</s:key> ... eai:acl node elided ... <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list> <s:item>value</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="stanza">ftp_log</s:key> <s:key name="type">Inline</s:key> <s:key name="value">connection on port (?&lt;port_number&gt;\d )</s:key> </s:dict> </content> </entry> </feed>
data/props/extractions/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port -d "value=connection on port (?<port_number>\d+)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id> <updated>2011-07-10T23:05:05-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>ftp_log : EXTRACT-port</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id> <updated>2011-07-10T23:05:05-07:00</updated> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/> <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">EXTRACT-port</s:key> ... eai:acl node elided ... <s:key name="stanza">ftp_log</s:key> <s:key name="type">Inline</s:key> <s:key name="value">connection on port (?&lt;port_number&gt;\d )</s:key> </s:dict> </content> </entry> </feed>
data/props/fieldaliases GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>fieldaliases</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id> <updated>2011-07-21T19:31:41-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : FIELDALIAS-alias_name</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id> <updated>2011-07-21T19:31:41-07:00</updated> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="alias.foo">bar</s:key> <s:key name="attribute">FIELDALIAS-alias_name</s:key> ... eai:acl node elided ... <s:key name="stanza">my_sourcetype</s:key> <s:key name="type">FIELDALIAS</s:key> <s:key name="value">foo AS bar</s:key> </s:dict> </content> </entry> </feed>
data/props/fieldaliases POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases -d name=alias_name -d stanza=my_sourcetype -d alias.foo=bar
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>fieldaliases</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id> <updated>2011-07-21T19:30:17-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : FIELDALIAS-alias_name</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id> <updated>2011-07-21T19:30:17-07:00</updated> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="alias.foo">bar</s:key> <s:key name="attribute">FIELDALIAS-alias_name</s:key> ... eai:acl node elided ... <s:key name="stanza">my_sourcetype</s:key> <s:key name="type">FIELDALIAS</s:key> <s:key name="value">foo AS bar</s:key> </s:dict> </content> </entry> </feed>
data/props/fieldaliases/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>fieldaliases</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id> <updated>2011-07-21T19:37:45-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> </feed>
data/props/fieldaliases/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>fieldaliases</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id> <updated>2011-07-21T19:33:00-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : FIELDALIAS-alias_name</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id> <updated>2011-07-21T19:33:00-07:00</updated> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="alias.foo">bar</s:key> <s:key name="attribute">FIELDALIAS-alias_name</s:key> ... eai:acl node elided ... <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list> <s:item>alias\..*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="stanza">my_sourcetype</s:key> <s:key name="type">FIELDALIAS</s:key> <s:key name="value">foo AS bar</s:key> </s:dict> </content> </entry> </feed>
data/props/fieldaliases/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name -d alias.hi=hello -d alias.bye=goodbye
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>fieldaliases</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id> <updated>2011-07-21T19:34:36-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : FIELDALIAS-alias_name</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id> <updated>2011-07-21T19:34:36-07:00</updated> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/> <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="alias.bye">goodbye</s:key> <s:key name="alias.hi">hello</s:key> <s:key name="attribute">FIELDALIAS-alias_name</s:key> ... eai:acl node elided ... <s:key name="stanza">my_sourcetype</s:key> <s:key name="type">FIELDALIAS</s:key> <s:key name="value">bye AS goodbye hi AS hello</s:key> </s:dict> </content> </entry> </feed>
data/props/lookups GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id> <updated>2011-08-01T20:43:53-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : LOOKUP-my_lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id> <updated>2011-08-01T20:43:53-07:00</updated> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">LOOKUP-my_lookup</s:key> ... eai:acl node elided ... <s:key name="lookup.field.input.foo"/> <s:key name="lookup.field.output.fuzz"/> <s:key name="overwrite">1</s:key> <s:key name="stanza">my_sourcetype</s:key> <s:key name="transform">my_transform</s:key> <s:key name="type">LOOKUP</s:key> <s:key name="value">my_transform foo OUTPUT fuzz</s:key> </s:dict> </content> </entry> </feed>
data/props/lookups POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups -d name=my_lookup -d overwrite=1 -d stanza=my_sourcetype -d transform=my_transform -d lookup.field.input.foo= -d lookup.field.output.fuzz=
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id> <updated>2011-08-01T20:43:31-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : LOOKUP-my_lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id> <updated>2011-08-01T20:43:31-07:00</updated> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">LOOKUP-my_lookup</s:key> ... eai:acl node elided ... <s:key name="lookup.field.input.foo"/> <s:key name="lookup.field.output.fuzz"/> <s:key name="overwrite">1</s:key> <s:key name="stanza">my_sourcetype</s:key> <s:key name="transform">my_transform</s:key> <s:key name="type">LOOKUP</s:key> <s:key name="value">my_transform foo OUTPUT fuzz</s:key> </s:dict> </content> </entry> </feed>
data/props/lookups/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id> <updated>2011-08-01T20:44:32-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> </feed>
data/props/lookups/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id> <updated>2011-08-01T20:44:06-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : LOOKUP-my_lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id> <updated>2011-08-01T20:44:06-07:00</updated> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">LOOKUP-my_lookup</s:key> ... eai:acl node elided ... 
<s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list> <s:item>overwrite</s:item> <s:item>transform</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list> <s:item>lookup\.field\.input\..*</s:item> <s:item>lookup\.field\.output\..*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="lookup.field.input.foo"/> <s:key name="lookup.field.output.fuzz"/> <s:key name="overwrite">1</s:key> <s:key name="stanza">my_sourcetype</s:key> <s:key name="transform">my_transform</s:key> <s:key name="type">LOOKUP</s:key> <s:key name="value">my_transform foo OUTPUT fuzz</s:key> </s:dict> </content> </entry> </feed>
data/props/lookups/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup -d overwrite=1 -d transform=other_transform -d lookup.field.input.bar= -d lookup.field.output.buzz=
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>props-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id> <updated>2011-08-01T20:44:21-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_sourcetype : LOOKUP-my_lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id> <updated>2011-08-01T20:44:21-07:00</updated> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/> <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">LOOKUP-my_lookup</s:key> ... eai:acl node elided ... <s:key name="lookup.field.input.bar"/> <s:key name="lookup.field.output.buzz"/> <s:key name="overwrite">1</s:key> <s:key name="stanza">my_sourcetype</s:key> <s:key name="transform">other_transform</s:key> <s:key name="type">LOOKUP</s:key> <s:key name="value">other_transform bar OUTPUT buzz</s:key> </s:dict> </content> </entry> </feed>
data/props/sourcetype-rename GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>sourcetype-rename</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id> <updated>2011-07-12T15:40:53-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>hardware</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id> <updated>2011-07-12T15:40:53-07:00</updated> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">rename</s:key> ... eai:acl node elided ... <s:key name="stanza">hardware</s:key> <s:key name="type">rename</s:key> <s:key name="value">hw</s:key> </s:dict> </content> </entry> </feed>
data/props/sourcetype-rename POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename -d name=hardware -d value=hw
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>sourcetype-rename</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id> <updated>2011-07-12T15:39:57-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>hardware</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id> <updated>2011-07-12T15:39:57-07:00</updated> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">rename</s:key> ... eai:acl node elided ... <s:key name="stanza">hardware</s:key> <s:key name="type">rename</s:key> <s:key name="value">hw</s:key> </s:dict> </content> </entry> </feed>
data/props/sourcetype-rename/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>sourcetype-rename</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id> <updated>2011-07-12T15:49:16-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> </feed>
data/props/sourcetype-rename/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>sourcetype-rename</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id> <updated>2011-07-12T15:44:47-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>hardware</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id> <updated>2011-07-12T15:44:47-07:00</updated> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">rename</s:key> ... eai:acl node elided ... <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list> <s:item>value</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="stanza">hardware</s:key> <s:key name="type">rename</s:key> <s:key name="value">hw</s:key> </s:dict> </content> </entry> </feed>
data/props/sourcetype-rename/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware -d value=hrdwr
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>sourcetype-rename</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id> <updated>2011-07-12T15:46:58-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>hardware</title> <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id> <updated>2011-07-12T15:46:58-07:00</updated> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/> <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="attribute">rename</s:key> ... eai:acl node elided ... <s:key name="stanza">hardware</s:key> <s:key name="type">rename</s:key> <s:key name="value">hrdwr</s:key> </s:dict> </content> </entry> </feed>
data/transforms/extractions GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id> <updated>2011-07-21T20:28:03-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>access-extractions</title> <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id> <updated>2011-07-21T20:28:03-07:00</updated> <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/> <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/> <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">1</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX"> <![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]> </s:key> <s:key name="SOURCE_KEY">_raw</s:key> 
<s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/transforms/extractions POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d name=my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id> <updated>2011-07-21T20:25:20-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_transform</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id> <updated>2011-07-21T20:25:20-07:00</updated> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">1</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key> <s:key name="SOURCE_KEY">_raw</s:key> <s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/transforms/extractions/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id> <updated>2011-07-21T20:34:30-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> </feed>
data/transforms/extractions/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id> <updated>2011-07-21T20:29:00-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_transform</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id> <updated>2011-07-21T20:29:00-07:00</updated> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">1</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key> <s:key name="SOURCE_KEY">_raw</s:key> <s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>CAN_OPTIMIZE</s:item> <s:item>CLEAN_KEYS</s:item> <s:item>FORMAT</s:item> <s:item>KEEP_EMPTY_VALS</s:item> <s:item>MV_ADD</s:item> <s:item>disabled</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list> <s:item>REGEX</s:item> <s:item>SOURCE_KEY</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/transforms/extractions/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d CLEAN_KEYS=false
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-extract</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id> <updated>2011-07-21T20:33:13-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_transform</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id> <updated>2011-07-21T20:33:13-07:00</updated> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/> <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">0</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key> <s:key name="SOURCE_KEY">_raw</s:key> <s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
data/transforms/lookups GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id> <updated>2011-08-01T21:10:44-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>dnslookup</title> <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id> <updated>2011-08-01T21:10:44-07:00</updated> <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/> <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/> <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">1</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX"/> <s:key name="SOURCE_KEY">_raw</s:key> <s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key> <s:key name="fields_list">clienthost clientip</s:key> <s:key name="type">external</s:key> </s:dict> </content> </entry> </feed>
data/transforms/lookups POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups -d name=my_lookup -d filename=lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id> <updated>2011-08-01T21:10:33-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id> <updated>2011-08-01T21:10:33-07:00</updated> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">1</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX"/> <s:key name="SOURCE_KEY">_raw</s:key> <s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="filename">lookup.csv</s:key> <s:key name="type">file</s:key> </s:dict> </content> </entry> </feed>
data/transforms/lookups/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id> <updated>2011-07-21T20:03:24-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> </feed>
data/transforms/lookups/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id> <updated>2011-08-01T21:11:01-07:00</updated> <generator version="105049"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id> <updated>2011-08-01T21:11:01-07:00</updated> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">1</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX"/> <s:key name="SOURCE_KEY">_raw</s:key> <s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>default_match</s:item> <s:item>disabled</s:item> <s:item>external_cmd</s:item> <s:item>fields_list</s:item> <s:item>filename</s:item> <s:item>max_matches</s:item> <s:item>max_offset_secs</s:item> <s:item>min_matches</s:item> <s:item>min_offset_secs</s:item> <s:item>time_field</s:item> <s:item>time_format</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:userName">admin</s:key> <s:key name="filename">lookup.csv</s:key> <s:key name="type">file</s:key> </s:dict> </content> </entry> </feed>
data/transforms/lookups/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup -d external_cmd=myscript.py -d fields_list=a,b,c
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>transforms-lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id> <updated>2011-07-21T20:00:07-07:00</updated> <generator version="104309"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/> <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>my_lookup</title> <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id> <updated>2011-07-21T20:00:07-07:00</updated> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/> <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="CAN_OPTIMIZE">1</s:key> <s:key name="CLEAN_KEYS">1</s:key> <s:key name="DEFAULT_VALUE"/> <s:key name="DEST_KEY"/> <s:key name="FORMAT"/> <s:key name="KEEP_EMPTY_VALS">0</s:key> <s:key name="LOOKAHEAD">4096</s:key> <s:key name="MV_ADD">0</s:key> <s:key name="REGEX"/> <s:key name="SOURCE_KEY">_raw</s:key> <s:key name="WRITE_META">0</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="external_cmd">myscript.py</s:key> <s:key name="fields_list">a,b,c</s:key> <s:key name="type">external</s:key> </s:dict> </content> </entry> </feed>
data/ui/views POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/ui/views -d "name=new_dashboard&eai:data=<dashboard><label>the_new_label</label></dashboard>"
XML Response
<title>views</title> <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id> <updated>2015-10-08T15:50:01-07:00</updated> <generator build="a1c9b18fdcfc" version="6.3.0"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/> <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>new_dashboard</title> <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/new_dashboard</id> <updated>2015-10-08T15:50:01-07:00</updated> <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="list"/> <link href="/servicesNS/admin/search/data/ui/views/new_dashboard/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="edit"/> <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="remove"/> <link href="/servicesNS/admin/search/data/ui/views/new_dashboard/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">admin</s:key> <s:key name="perms"/> <s:key name="removable">1</s:key> <s:key name="sharing">user</s:key> </s:dict> </s:key> <s:key name="eai:appName">search</s:key> <s:key name="eai:data"><![CDATA[<dashboard><label> the_new_label </label></dashboard>]]></s:key> <s:key 
name="eai:digest">533c60e648b7c4733321ae205d2627d8</s:key> <s:key name="eai:type">views</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="isDashboard">1</s:key> <s:key name="isVisible">1</s:key> <s:key name="label">the_new_label</s:key> <s:key name="rootNode">dashboard</s:key> </s:dict> </content> </entry>
data/ui/views/{name} GET
XML
XML Request
curl -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard
XML Response
<title>views</title> <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id> <updated>2015-10-08T16:17:03-07:00</updated> <generator build="a1c9b18fdcfc" version="6.3.0"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/> <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title> my_dashboard </title> <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard</id> <updated>2015-10-08T16:17:03-07:00</updated> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">admin</s:key> <s:key name="perms"/> <s:key name="removable">1</s:key> <s:key name="sharing">user</s:key> </s:dict> </s:key> <s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> 
<s:item>eai:type</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list> <s:item>eai:data</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:data"><![CDATA[<dashboard><label>my_dashboard_label</label></dashboard>]]></s:key> <s:key name="eai:digest">01778119e0d9352ca0c6eb0aa7f00950</s:key> <s:key name="eai:type">views</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="isDashboard">1</s:key> <s:key name="isVisible">1</s:key> <s:key name="label">my_dashboard_label</s:key> <s:key name="rootNode">dashboard</s:key> </s:dict> </content> </entry>
data/ui/views/{name} POST
XML
XML Request
curl -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard -d "eai:data=<dashboard><label>new_label</label></dashboard>"
XML Response
<title>views</title> <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id> <updated>2015-10-08T16:38:23-07:00</updated> <generator build="a1c9b18fdcfc" version="6.4.0"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/> <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title> my_dashboard </title> <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard </id> <updated>2015-10-08T16:38:23-07:00</updated> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/> <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">admin</s:key> <s:key name="perms"/> <s:key name="removable">1</s:key> <s:key name="sharing">user</s:key> </s:dict> </s:key> <s:key name="eai:appName">search</s:key> <s:key name="eai:data"><![CDATA[<dashboard><label>new_label</label></dashboard>]]></s:key> <s:key 
name="eai:digest">31513ad6cce14b5c792f175cc1691e5e</s:key> <s:key name="eai:type">views</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="isDashboard">1</s:key> <s:key name="isVisible">1</s:key> <s:key name="label">new_label</s:key> <s:key name="rootNode">dashboard</s:key> </s:dict> </content> </entry>
data/ui/views/{name} DELETE
XML
XML Request
curl -k -u username:password --request DELETE https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard
XML Response
<title>views</title> <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id> <updated>2015-10-08T17:07:12-07:00</updated> <generator build="a1c9b18fdcfc" version="6.3.0"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/> <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/>
datamodel/acceleration GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id> <updated>2013-08-24T12:45:20-07:00</updated> <generator build="178272" version="6.0"/> <author> <name>Splunk</name> </author> ... opensearch nodes elided ... <s:messages/> <entry> <title>simpleMyAppModel</title> <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id> <updated>2013-08-24T12:45:20-07:00</updated> <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="acceleration">1</s:key> <s:key name="acceleration.earliest_time">-1mon</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key> <s:key name="eai:type">datamodels</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="search"><![CDATA[uri=* status=* clientip=* referer=* useragent=* (sourcetype=access_*) (status < 600) | . . . elided . . . "HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]> </s:key> </s:dict> </content> </entry> </feed>
datamodel/acceleration/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration/simpleMyAppModel
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id> <updated>2013-08-24T12:55:07-07:00</updated> <generator build="178272" version="6.0"/> <author> <name>Splunk</name> </author> ... opensearch nodes elided ... <s:messages/> <entry> <title>simpleMyAppModel</title> <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id> <updated>2013-08-24T12:55:07-07:00</updated> <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="acceleration">1</s:key> <s:key name="acceleration.earliest_time">-1mon</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key> <s:key name="eai:type">datamodels</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="search"><![CDATA[uri=* status=* clientip=* referer=* useragent=* (sourcetype=access_*) (status < 600) | . . . elided . . . "HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]> </s:key> </s:dict> </content> </entry> </feed>
datamodel/model GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id> <updated>2013-08-15T11:42:06-07:00</updated> <generator build="176231" version="6.0"/> <author> <name>Splunk</name> </author> <link href="/services/datamodel/model/_new" rel="create"/> <link href="/services/datamodel/model/desc" rel="desc"/> <link href="/services/datamodel/model/report" rel="report"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>MyApp</title> <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id> <updated>2013-08-23T15:03:13-07:00</updated> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="acceleration">{"enabled": false}</s:key> <s:key name="description"><![CDATA[{"objects": [{"lineage": "HTTP_Request", "previewSearch": " | search (sourcetype=access_* OR sourcetype=iis*) . . . elided . . . 
"modelName": "MyApp", "displayName": "Web Intelligence"}]]> </s:key> <s:key name="displayName">Web Intelligence</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>admin</s:item> <s:item>power</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="eai:appName">search</s:key> <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key> <s:key name="eai:type">models</s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> . . . elided . . . </feed>
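Added example (not part of the Splunk documentation): a parser for the Atom feed with nested s:dict / s:list nodes that these endpoints return, turning each entry into a Python dict so the eai:acl block (as in the datamodel/model GET response above) and the lookup type (as in the data/transforms/lookups/{name} POST response) can be reviewed in bulk. It expects a complete <feed> document with its namespace declarations. SAMPLE_FEED, parse_feed and review are names chosen here, the my_lookup ACL values are constructed, and the review rules are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample: two entries condensed from responses on this page
# (the MyApp data model and the my_lookup external lookup). The ACL shown
# for my_lookup is an assumption; the page elides that node.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>MyApp</title>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml"><s:dict>
      <s:key name="eai:acl"><s:dict>
        <s:key name="owner">nobody</s:key>
        <s:key name="perms"><s:dict>
          <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
          <s:key name="write"><s:list><s:item>admin</s:item><s:item>power</s:item></s:list></s:key>
        </s:dict></s:key>
        <s:key name="sharing">app</s:key>
      </s:dict></s:key>
      <s:key name="eai:type">models</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>my_lookup</title>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <content type="text/xml"><s:dict>
      <s:key name="eai:acl"><s:dict>
        <s:key name="owner">admin</s:key>
        <s:key name="perms"/>
        <s:key name="sharing">user</s:key>
      </s:dict></s:key>
      <s:key name="external_cmd">myscript.py</s:key>
      <s:key name="fields_list">a,b,c</s:key>
      <s:key name="type">external</s:key>
    </s:dict></content>
  </entry>
</feed>"""


def _value(node):
    """Turn an <s:key> or <s:item> body into a dict, a list or a stripped string."""
    nested = node.find("s:dict", NS)
    if nested is not None:
        return parse_dict(nested)
    items = node.find("s:list", NS)
    if items is not None:
        return [_value(item) for item in items.findall("s:item", NS)]
    return (node.text or "").strip()  # empty keys such as <s:key name="perms"/> become ""


def parse_dict(dict_node):
    """Map every direct <s:key name="..."> child of an <s:dict> to its value."""
    return {key.get("name"): _value(key) for key in dict_node.findall("s:key", NS)}


def parse_feed(xml_text):
    """Return one record per <entry>: title, advertised link rels, content dict."""
    root = ET.fromstring(xml_text)
    records = []
    for entry in root.findall("atom:entry", NS):
        body = entry.find("atom:content/s:dict", NS)
        records.append({
            "title": (entry.findtext("atom:title", "", NS) or "").strip(),
            "actions": sorted(link.get("rel", "") for link in entry.findall("atom:link", NS)),
            "content": parse_dict(body) if body is not None else {},
        })
    return records


def review(record):
    """Illustrative review rules (assumptions, not Splunk's): broad ACLs, external lookups."""
    notes = []
    content = record["content"]
    acl = content.get("eai:acl")
    if isinstance(acl, dict):
        perms = acl.get("perms")
        if isinstance(perms, dict):  # perms is "" when no role-level permissions are set
            if "*" in perms.get("read", []):
                notes.append("readable by every role")
            if "*" in perms.get("write", []):
                notes.append("writable by every role")
        if acl.get("sharing") == "global":
            notes.append("shared globally")
    if content.get("type") == "external":
        notes.append("external lookup runs " + content.get("external_cmd", "(unnamed command)"))
    return notes


if __name__ == "__main__":
    for rec in parse_feed(SAMPLE_FEED):
        print(rec["title"], rec["actions"], review(rec))
```
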
datamodel/model POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model -d name=Debugger --data-urlencode description='{"modelName":"Debugger","displayName":"Debugger", "description": "A data model for debugging purposes". . . elided . . . }'
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://qa-sv-rh61x64-10:8089/services/datamodel/model</id> <updated>2013-10-16T11:19:24-07:00</updated> <generator build="183095" version="6.0"/> <author> <name>Splunk</name> </author> <link href="/services/datamodel/model/_new" rel="create"/> <link href="/services/datamodel/model/desc" rel="desc"/> <link href="/services/datamodel/model/report" rel="report"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>Debugger</title> <id>https://qa-sv-rh61x64-10:8089/servicesNS/admin/search/datamodel/model/Debugger</id> <updated>2013-10-16T11:19:24-07:00</updated> <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="list"/> <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="edit"/> <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="remove"/> <content type="text/xml"> <s:dict> <s:key name="acceleration">{"enabled": false}</s:key> <s:key name="description"> <![CDATA[{"displayName": "Debugger", "modelName": "Debugger", "objectSummary": \ ... "autoextractSearch": " (index = _internal) "}]}]]> </s:key> <s:key name="displayName">Debugger</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> {'optionalFields': ['acceleration', 'acceleration.cron_schedule', \ 'acceleration.earliest_time', 'eai:data'], 'requiredFields': [], 'wildcardFields': []} </s:key> <s:key name="eai:digest">05ca1a193365a3b613b919c6401591e3</s:key> <s:key name="eai:type">models</s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
datamodel/model/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/datamodel/model/MyApp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id> <updated>2013-08-24T15:00:54-07:00</updated> <generator build="178272" version="6.0"/> <author> <name>Splunk</name> </author> <link href="/services/datamodel/model/_new" rel="create"/> <link href="/services/datamodel/model/desc" rel="desc"/> <link href="/services/datamodel/model/report" rel="report"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> </feed>
datamodel/model/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id> <updated>2013-08-24T13:07:36-07:00</updated> <generator build="178272" version="6.0"/> <author> <name>Splunk</name> </author> <link href="/services/datamodel/model/_new" rel="create"/> <link href="/services/datamodel/model/desc" rel="desc"/> <link href="/services/datamodel/model/report" rel="report"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>MyApp</title> <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id> <updated>2013-08-24T13:07:36-07:00</updated> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="acceleration">{"enabled": false}</s:key> <s:key name="description"><![CDATA[{"modelName": "MyApp", "objectNameList": ["HTTP_Request", "ApacheAccessSearch", "IISAccessSearch", . . . elided . . . "Interface Implementations": 0, "Search-Based": 1}, "description": "Data model for web analytics.", "displayName": "Web Intelligence"}]]> </s:key> <s:key name="displayName">Web Intelligence</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>acceleration</s:item> <s:item>concise</s:item> <s:item>description</s:item> <s:item>provisional</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key> <s:key name="eai:type">models</s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
datamodel/model/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp -d concise=true
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id> <updated>2013-08-24T13:35:54-07:00</updated> <generator build="178272" version="6.0"/> <author> <name>Splunk</name> </author> <link href="/services/datamodel/model/_new" rel="create"/> <link href="/services/datamodel/model/desc" rel="desc"/> <link href="/services/datamodel/model/report" rel="report"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>MyApp</title> <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id> <updated>2013-08-24T13:35:54-07:00</updated> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/> <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="acceleration">{"enabled": false, "earliest_time": "-1mon"}</s:key> <s:key name="description"><![CDATA[{"modelName": "MyApp", "objects": [{"constraints": [{"search": "sourcetype=access_* OR . . . elided . . . "PodcastDownload", "WebSession", "User"], "description": "Data model for web analytics."}]]> </s:key> <s:key name="displayName">Web Intelligence</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:attributes">{'wildcardFields': [], 'requiredFields': [], 'optionalFields': ['acceleration', 'acceleration.cron_schedule', 'acceleration.earliest_time', 'eai:data']}</s:key> <s:key name="eai:digest">d73ff2d833e3104eed99a8fd258dbae1</s:key> <s:key name="eai:type">datamodels</s:key> <s:key name="eai:userName">admin</s:key> </s:dict> </content> </entry> </feed>
datamodel/pivot GET
XML
XML Request
curl -k -u admin:pass -G https://localhost:8089/services/datamodel/pivot/Authentication --data-urlencode pivot_search='| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"'
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title></title> <id>https://localhost:8089/services/datamodel/pivot</id> <updated>2013-08-26T15:07:57-07:00</updated> <generator build="178683" version="20130826"/> <author> <name>Splunk</name> </author> ... opensearch nodes elided ... <s:messages/> <entry> <title>Authentication</title> <id>https://localhost:8089/servicesNS/nobody/search/datamodel/pivot/Authentication</id> <updated>2013-08-26T15:07:57-07:00</updated> <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="drilldown_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>is_pivot_command</s:item> <s:item>namespace</s:item> <s:item>pivot_json</s:item> <s:item>pivot_search</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:digest">e74d56a3b4a25256028f3a236e3d2cbc</s:key> <s:key name="eai:type">models</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="open_in_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key> <s:key name="pivot_json"><![CDATA[{"rowFormat": {"showSummary": false}, "cells": [{"label": "Count of Untagged Authentication (S.o.S)", "value": "count", "fieldName": "Untagged_Authentication", "type": "objectCount", "owner": "Untagged_Authentication"}], "filters": [], "modelName": "Authentication", "baseClass": "Untagged_Authentication", "rows": [], "columns": [], "colFormat": {"showSummary": false, "showOther": true}}]]></s:key> <s:key name="pivot_search">| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"</s:key> <s:key name="search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key> <s:key name="tstats_search"></s:key> </s:dict> </content> </entry> </feed>
directory GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>directory</title> <id>https://localhost:8089/services/directory</id> <updated>2011-05-16T19:03:40-0700</updated> <generator version="98144"/> <author> <name>Splunk</name> </author> ... opensearch nodes elided ... <s:messages/> <entry> <title>_admin</title> <id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id> <updated>2011-05-16T19:03:40-0700</updated> <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="list"/> <link href="/servicesNS/nobody/system/data/ui/views/_admin/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="edit"/> <content type="text/xml"> <s:dict> ... eai:acl node elided ... <s:key name="eai:type">views</s:key> </s:dict> </content> </entry> <entry> <title>abc</title> <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id> <updated>2011-05-16T19:03:40-0700</updated> <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="alternate"/> <author> <name>ssorkin</name> </author> <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="list"/> <link href="/servicesNS/nobody/search/data/ui/views/abc/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="edit"/> <content type="text/xml"> <s:dict> ... eai:acl node elided ... <s:key name="eai:type">views</s:key> </s:dict> </content> </entry> </feed>
directory/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>directory</title> <id>https://localhost:8089/services/directory</id> <updated>2011-05-16T19:09:59-0700</updated> <generator version="98144"/> <author> <name>Splunk</name> </author> ... opensearch nodes elided ... <s:messages/> <entry> <title>dashboard_live</title> <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id> <updated>2011-05-16T19:09:59-0700</updated> <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/> <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/> <content type="text/xml"> <s:dict> ... eai:acl node elided ... <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:type">views</s:key> </s:dict> </content> </entry> </feed>
saved/eventtypes GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>eventtypes</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id> <updated>2011-07-10T23:46:52-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>internal_search_terms</title> <id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id> <updated>2011-07-10T23:46:52-07:00</updated> <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/> <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/> <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="description"/> <s:key name="disabled">0</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="priority">1</s:key> <s:key name="search"> <![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! 
- search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]> </s:key> <s:key name="tags"> <s:list/> </s:key> </s:dict> </content> </entry> </feed>
saved/eventtypes POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes -d name="client-errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>eventtypes</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id> <updated>2011-07-10T23:47:10-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>client-errors</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id> <updated>2011-07-10T23:47:10-07:00</updated> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="description"/> <s:key name="disabled">0</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="priority">1</s:key> <s:key name="search">search</s:key> <s:key name="tags"> <s:list/> </s:key> </s:dict> </content> </entry> </feed>
saved/eventtypes/{name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>eventtypes</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id> <updated>2011-07-10T23:48:29-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> </feed>
saved/eventtypes/{name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>eventtypes</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id> <updated>2011-07-10T23:47:17-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>client-errors</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id> <updated>2011-07-10T23:47:17-07:00</updated> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="description"/> <s:key name="disabled">0</s:key> ... eai:acl node elided ... 
<s:key name="eai:appName">search</s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>description</s:item> <s:item>disabled</s:item> <s:item>priority</s:item> <s:item>tags</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list> <s:item>search</s:item> </s:list> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="eai:userName">admin</s:key> <s:key name="priority">1</s:key> <s:key name="search">search</s:key> <s:key name="tags"> <s:list/> </s:key> </s:dict> </content> </entry> </feed>
saved/eventtypes/{name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors -d description="HTTP Client Errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:s="http://dev.splunk.com/ns/rest"> <title>eventtypes</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id> <updated>2011-07-10T23:48:22-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/> <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry> <title>client-errors</title> <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id> <updated>2011-07-10T23:48:22-07:00</updated> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/> <author> <name>admin</name> </author> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/> <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="description">HTTP Client Errors</s:key> <s:key name="disabled">0</s:key> ... eai:acl node elided ... <s:key name="eai:appName">search</s:key> <s:key name="eai:userName">admin</s:key> <s:key name="priority">1</s:key> <s:key name="search">search</s:key> <s:key name="tags"> <s:list/> </s:key> </s:dict> </content> </entry> </feed>
search/fields GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"> <title>Fields</title> <id>/servicesNS/admin/search/search/fields</id> <updated>2011-07-11T10:04:51-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <entry> <title>_indextime</title> <id>/servicesNS/admin/search/search/fields/_indextime</id> <updated>2011-07-11T10:04:51-07:00</updated> <link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/> </entry> <entry> <title>_sourcetype</title> <id>/servicesNS/admin/search/search/fields/_sourcetype</id> <updated>2011-07-11T10:04:51-07:00</updated> <link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/> </entry> <entry> <title>date_hour</title> <id>/servicesNS/admin/search/search/fields/date_hour</id> <updated>2011-07-11T10:04:51-07:00</updated> <link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/> </entry> . . . elided . . . <entry> <title>splunk_server</title> <id>/servicesNS/admin/search/search/fields/splunk_server</id> <updated>2011-07-11T10:04:51-07:00</updated> <link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/> </entry> <entry> <title>timeendpos</title> <id>/servicesNS/admin/search/search/fields/timeendpos</id> <updated>2011-07-11T10:04:51-07:00</updated> <link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/> </entry> <entry> <title>timestartpos</title> <id>/servicesNS/admin/search/search/fields/timestartpos</id> <updated>2011-07-11T10:04:51-07:00</updated> <link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/> </entry> </feed>
search/fields/{field_name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype
XML Response
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"> <title>sourcetype</title> <id>/servicesNS/admin/search/search/fields/sourcetype</id> <updated>2011-07-11T10:08:54-07:00</updated> <link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/> <content type="text"> Attr:INDEXED True Attr:INDEXED_VALUE False Attr:TOKENIZER </content> </entry>
search/fields/{field_name}/tags GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"> <title>Tags for the host field</title> <id>/servicesNS/admin/search/search/fields/host/tags</id> <updated>2011-07-11T10:41:46-07:00</updated> <generator version="102824"/> <author> <name>Splunk</name> </author> <entry> <title>location::sfo</title> <id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id> <updated>2011-07-11T10:41:46-07:00</updated> <link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/> </entry> </feed>
search/fields/{field_name}/tags POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags -d add=sfo -d delete=nyc -d value=location
XML Response
<response> <messages> <msg type='INFO'>Successfully processed adds/deletes for field host</msg> </messages> </response>
search/tags GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"> <title>Tags</title> <id>/servicesNS/admin/search/search/tags</id> <updated>2011-07-08T01:35:09-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <entry> <title>machine</title> <id>/servicesNS/admin/search/search/tags/machine</id> <updated>2011-07-08T01:35:09-07:00</updated> <link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/> </entry> <entry> <title>user</title> <id>/servicesNS/admin/search/search/tags/user</id> <updated>2011-07-08T01:35:09-07:00</updated> <link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/> </entry> </feed>
search/tags/{tag_name} DELETE
XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response
<response> <messages> <msg type="INFO">Tag successfully deleted</msg> </messages> </response>
search/tags/{tag_name} GET
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest"> <title>Field::Value pairs with tag user</title> <id>/servicesNS/admin/search/search/tags/user</id> <updated>2011-07-08T01:35:28-07:00</updated> <generator version="102807"/> <author> <name>Splunk</name> </author> <entry> <title>eventtype::userupdate</title> <id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id> <updated>2011-07-08T01:35:28-07:00</updated> <link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/> </entry> </feed>
search/tags/{tag_name} POST
XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user -d add=eventtype::userupdate -d delete=eventtype::useradd-suse
XML Response
<response> <messages> <msg type="INFO">Processed adds/deletes for tag</msg> </messages> </response>
services/admin/summarization GET
XML
XML Request
curl -k -u admin:pass "https://localhost:8089/services/admin/summarization/?by_tstats=1"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>summarization</title> <id>https://localhost:8089/services/admin/summarization</id> <updated>2015-06-01T15:21:20-07:00</updated> <generator build="e343948e242181aa7b94257ede83830605c853d9" version="20150526"/> <author> <name>Splunk</name> </author> <link href="/services/admin/summarization/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>tstats:DM_search_mydatamodel</title> <id>https://localhost:8089/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel</id> <updated>2015-06-01T15:21:20-07:00</updated> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="list"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="remove"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/details" rel="details"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/reschedule" rel="reschedule"/> <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/touch" rel="touch"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"/> <s:key name="removable">0</s:key> <s:key name="sharing">user</s:key> </s:dict> </s:key> <s:key name="search"><![CDATA[search search (index=* OR index=_*) (index=_internal) | eval 
nodename = "rootevent"| eval is_Age=if(searchmatch("(avg_age)"),1,0), is_not_Age=1-is_Age | eval nodename = if(nodename == "rootevent" AND searchmatch("(avg_age)"), mvappend(nodename, "rootevent.Age"), nodename) | rename abandoned_channels AS rootevent.abandoned_channels average_kbps AS rootevent.average_kbps avg_age AS rootevent.avg_age bytes AS rootevent.bytes clientip AS rootevent.clientip color AS rootevent.color component AS rootevent.component cookie AS rootevent.cookie cpu_seconds AS rootevent.cpu_seconds cumulative_hits AS rootevent.cumulative_hits current_queue_size AS rootevent.current_queue_size current_size AS rootevent.current_size current_size_kb AS rootevent.current_size_kb date_hour AS rootevent.date_hour is_Age AS rootevent.is_Age is_not_Age AS rootevent.is_not_Age | fields nodename, _time, host, source, sourcetype, rootevent.abandoned_channels, rootevent.average_kbps, rootevent.avg_age, rootevent.bytes, rootevent.clientip, rootevent.color, rootevent.component, rootevent.cookie, rootevent.cpu_seconds, rootevent.cumulative_hits, rootevent.current_queue_size, rootevent.current_size, rootevent.current_size_kb, rootevent.date_hour, rootevent.is_Age, rootevent.is_not_Age]]></s:key> <s:key name="summary.access_count">0</s:key> <s:key name="summary.access_time">0</s:key> <s:key name="summary.buckets">22</s:key> <s:key name="summary.buckets_size">273</s:key> <s:key name="summary.complete">1.000000</s:key> <s:key name="summary.earliest_time">1432174156</s:key> <s:key name="summary.id">DM_search_mydatamodel</s:key> <s:key name="summary.is_inprogress">0</s:key> <s:key name="summary.last_error"></s:key> <s:key name="summary.last_sid">scheduler__nobody__search__RMD5692d85674596d683_at_1433197200_18815</s:key> <s:key name="summary.latest_time">1432684089</s:key> <s:key name="summary.mod_time">1433196908</s:key> <s:key name="summary.size">61153280</s:key> <s:key name="summary.time_range">604800</s:key> </s:dict> </content> </entry> </feed>
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10