
Access requirements and limitations for the Splunk Cloud REST API
After you request access, you can use a limited subset of the Splunk Enterprise REST API endpoints with your Splunk Cloud deployment.
Accessing the Splunk Cloud REST API
To access your Splunk Cloud deployment using the Splunk REST API and SDKs, submit a case requesting access using the Splunk Support Portal. For managed deployments, Splunk Support opens port 8089 for REST access. You can specify a range of IP addresses to control who can access the REST API. For self-service deployments, Splunk Support defines a dedicated user and sends you credentials that enable that user to access the REST API.
You can make REST API calls with a local (non-SAML) account.
Managed Splunk Cloud deployments
Use the following URL for managed deployments. If necessary, submit a support case to open port 8089 on your deployment.
https://<deployment-name>.splunkcloud.com:8089
Self-service Splunk Cloud deployments
Use the following URL for self-service deployments. To get the required non-SAML user credentials, submit a support case.
https://api-<deployment-name>.cloud.splunk.com:8089
Administrative role limitations
The Splunk Cloud administrative role sc_admin is restricted from performing the following types of tasks using Splunk Web, the command line interface, or the REST API:
- Modifying the configuration of deployment servers, client configuration, and distributed components, such as indexers, search heads, and clustering.
- Restarting a Splunk Cloud deployment.
- Executing debug commands.
- Installing apps and modifying app configurations.
REST API access limitations
As a Splunk Cloud user, you can use the REST API to interact with the search tier only. You cannot access other tiers by using the REST API. Splunk Support manages all tiers other than the search tier.
To access endpoints and REST operations, you need to authenticate with your username and password.
Refer to the following table to see which resource groups have full, partial, or no support in Splunk Cloud. In groups with partial support, typically the endpoints that are not supported are those that interact with a tier other than the search tier.
Category | Support level | Description |
---|---|---|
Access control | Partial | Authorize and authenticate users. |
Applications | None | Install applications and application templates. |
Clusters | None | Configure and manage indexer clusters and search head clusters. |
Configuration | Partial | Manage configuration files and settings. |
Deployment | None | Manage deployment servers and clients. |
Inputs | None | Manage data input. |
Introspection | None | Access system properties. |
Knowledge | Full | Define indexed and searched data configurations. |
KV store | None | Manage app key-value store (KV store). |
Licensing | None | Manage licensing configurations. |
Metrics | Partial | Enumerate metrics. |
Outputs | None | Manage forwarder data configuration. |
Search | Full | Manage searches and search-generated alerts and view objects. |
System | Partial | Manage server configuration. |
Workload management | Partial | Manage system resources for search workloads. |
Use cases and examples
Refer to the following use cases and examples to complete tasks with the Splunk Cloud REST API.
The URLs in these examples are formatted for a managed Splunk Cloud deployment. See URL for accessing the REST API for information about formatting your requests for your type of deployment.
Create indexes
Use the /services/cluster_blaster_indexes/sh_indexes_manager endpoint to create an index.
curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager -d name=$INDEX_NAME_2 -d maxTotalDataSizeMB=$INDEX_SIZE_MB_2 -d frozenTimePeriodInSecs=$RETENTION_SECONDS_2
Create roles mapped to new indexes
Complete the following steps to create new roles and map them to new indexes.
1. Create index roles:
curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/authorization/roles -d name=$INDEX_ROLE_2 -d srchIndexesAllowed=$INDEX_NAME_2 -d srchIndexesDefault=$INDEX_NAME_2
2. Map the index roles to SAML groups:
curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/admin/SAML-groups -d name=$SAML_INDEX_ROLE_2 -d roles=$INDEX_ROLE_2
Create empty apps to store knowledge objects
Complete the following steps to create empty apps to store knowledge objects, create new roles that are mapped to those empty apps, and then map the app roles to SAML groups.
1. Create empty apps with Splunk Web.
This action causes an immediate rolling restart of your Splunk Cloud deployment.
2. From the command line, create roles that map to your empty apps:
curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/authorization/roles -d name=$APP_ROLE_2
3. Map the app roles to SAML groups:
curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/admin/SAML-groups -d name=$SAML_APP_ROLE_2 -d roles=$APP_ROLE_2
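As an added example that is not Splunk's code or SDK, the following Python composes the requests from the two procedures above ("Create indexes" and "Create roles mapped to new indexes") using only the standard library; it authenticates as a local (non-SAML) account and keeps TLS certificate verification on instead of passing curl -k. The deployment, index, role and SAML group names are constructed sample values, and the helper functions are the example's own, not a Splunk API.

```python
"""Added example (not Splunk's code or SDK): compose the Splunk Cloud REST
requests from the index and role steps above and send them over verified TLS.
Deployment, index, role and SAML group names used here are constructed samples."""
import base64
import urllib.parse
import urllib.request

PORT = 8089  # the REST port Splunk Support opens for Splunk Cloud


def base_url(deployment_type: str, deployment_name: str) -> str:
    """Return the REST base URL for a managed or self-service deployment."""
    if deployment_type == "managed":
        return f"https://{deployment_name}.splunkcloud.com:{PORT}"
    if deployment_type == "self-service":
        return f"https://api-{deployment_name}.cloud.splunk.com:{PORT}"
    raise ValueError(f"unknown deployment type: {deployment_type}")


def build_request(base: str, endpoint: str, fields: dict,
                  user: str, password: str) -> urllib.request.Request:
    """POST form fields to an endpoint, authenticating as a local (non-SAML) user."""
    data = urllib.parse.urlencode(fields).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base + endpoint, data=data, method="POST")
    req.add_header("Authorization", f"Basic {token}")
    return req


def index_workflow(base, user, password, index, size_mb, retention_secs,
                   role, saml_group):
    """The three requests of 'Create indexes' and 'Create roles mapped to new indexes'."""
    if size_mb <= 0 or retention_secs <= 0:
        raise ValueError("maxTotalDataSizeMB and frozenTimePeriodInSecs must be positive")
    return [
        build_request(base, "/services/cluster_blaster_indexes/sh_indexes_manager",
                      {"name": index, "maxTotalDataSizeMB": size_mb,
                       "frozenTimePeriodInSecs": retention_secs}, user, password),
        build_request(base, "/services/authorization/roles",
                      {"name": role, "srchIndexesAllowed": index,
                       "srchIndexesDefault": index}, user, password),
        build_request(base, "/services/admin/SAML-groups",
                      {"name": saml_group, "roles": role}, user, password),
    ]


def send(req: urllib.request.Request) -> tuple:
    """Send one request; urlopen verifies the server certificate (no curl -k)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()
```

Call send() on the three requests in order against your own deployment; the app-role steps use the same roles and SAML-groups endpoints with a roles payload of only name.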
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1
Comments
Thanks for the doc feedback, Aladda! I've updated the note with your suggestion.
REST endpoint access to cloud stacks secured by SAML can be done using a local account, if we want to update that in this doc link.
How do we access the Splunk API using the OAuth device flow? https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07
This will be really useful; we can use a Jupyter notebook with Splunk using the Python SDK.
Does Splunk support this?
What's the alternative?