Splunk® Enterprise

REST API Reference Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Knowledge endpoint examples

data/lookup-table-files GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T19:26:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T19:26:11-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl nodes elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv -d name=lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:26:35-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:26:35-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:43:11-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/lookup-table-files/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:37:25-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:37:25-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/lookup-table-files/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>lookup-table-files</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
  <updated>2011-07-21T18:41:52-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>lookup.csv</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
    <updated>2011-07-21T18:41:52-07:00</updated>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
    <link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]>        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:01:50-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:01:50-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields -d name=response_time -d stanza=%3Caccess_common%3E -d value=response_time/1000
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T14:58:45-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T14:58:45-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" 
      xmlns:s="http://dev.splunk.com/ns/rest" 
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:33:06-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/props/calcfields/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:05:09-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:05:09-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
	... eai:acl node elided ...
	... eai:attributes node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/1000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/calcfields/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time -d value=response_time/100
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>props-eval</title>
  <id>https://localhost:8089/services/data/props/calcfields</id>
  <updated>2012-10-01T15:14:19-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/props/calcfields/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title><access_common> : EVAL-response_time</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
    <updated>2012-10-01T15:14:19-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EVAL-response_time</s:key>
        ... eai:acl node elided ...
        <s:key name="field.name">response_time</s:key>
        <s:key name="stanza"><access_common></s:key>
        <s:key name="type">EVAL</s:key>
        <s:key name="value">response_time/100</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:55:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>access_combined : REPORT-access</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id>
    <updated>2011-07-10T22:55:04-07:00</updated>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/>
    <link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">REPORT-access</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">access_combined</s:key>
        <s:key name="type">Uses transform</s:key>
        <s:key name="value">access-extractions</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?<port_number>\d+)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T22:56:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T22:56:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:42-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/extractions/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:02:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:02:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/extractions/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port -d "value=connection on port (?<port_number>\d+)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
  <updated>2011-07-10T23:05:05-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>ftp_log : EXTRACT-port</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
    <updated>2011-07-10T23:05:05-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">EXTRACT-port</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">ftp_log</s:key>
        <s:key name="type">Inline</s:key>
        <s:key name="value">connection on port (?<port_number>\d )</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:31:41-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:31:41-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases -d name=alias_name -d stanza=my_sourcetype -d alias.foo=bar
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:30:17-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:30:17-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:37:45-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/fieldaliases/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:33:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:33:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.foo">bar</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>alias\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">foo AS bar</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/fieldaliases/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name -d alias.hi=hello -d alias.bye=goodbye
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldaliases</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
  <updated>2011-07-21T19:34:36-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : FIELDALIAS-alias_name</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
    <updated>2011-07-21T19:34:36-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="alias.bye">goodbye</s:key>
        <s:key name="alias.hi">hello</s:key>
        <s:key name="attribute">FIELDALIAS-alias_name</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="type">FIELDALIAS</s:key>
        <s:key name="value">bye AS goodbye hi AS hello</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups
XML Response
 <feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:53-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups -d name=my_lookup -d overwrite=1 -d stanza=my_sourcetype -d transform=my_transform -d lookup.field.input.foo= -d lookup.field.output.fuzz=
    
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:43:31-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:43:31-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:32-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/lookups/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:06-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:06-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>overwrite</s:item>
                <s:item>transform</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>lookup\.field\.input\..*</s:item>
                <s:item>lookup\.field\.output\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="lookup.field.input.foo"/>
        <s:key name="lookup.field.output.fuzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">my_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">my_transform foo OUTPUT fuzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/lookups/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup -d overwrite=1 -d transform=other_transform -d lookup.field.input.bar= -d lookup.field.output.buzz=
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
  <updated>2011-08-01T20:44:21-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_sourcetype : LOOKUP-my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
    <updated>2011-08-01T20:44:21-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">LOOKUP-my_lookup</s:key>
        ... eai:acl node elided ...
        <s:key name="lookup.field.input.bar"/>
        <s:key name="lookup.field.output.buzz"/>
        <s:key name="overwrite">1</s:key>
        <s:key name="stanza">my_sourcetype</s:key>
        <s:key name="transform">other_transform</s:key>
        <s:key name="type">LOOKUP</s:key>
        <s:key name="value">other_transform bar OUTPUT buzz</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:40:53-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:40:53-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename -d name=hardware -d value=hw
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:39:57-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:39:57-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:49:16-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/props/sourcetype-rename/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:44:47-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:44:47-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>value</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hw</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/props/sourcetype-rename/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware -d value=hrdwr
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype-rename</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
  <updated>2011-07-12T15:46:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>hardware</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
    <updated>2011-07-12T15:46:58-07:00</updated>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
    <link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="attribute">rename</s:key>
        ... eai:acl node elided ...
        <s:key name="stanza">hardware</s:key>
        <s:key name="type">rename</s:key>
        <s:key name="value">hrdwr</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:28:03-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>access-extractions</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id>
    <updated>2011-07-21T20:28:03-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">
<![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]>        </s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d name=my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:25:20-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:25:20-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:34:30-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/transforms/extractions/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:29:00-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:29:00-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>CAN_OPTIMIZE</s:item>
                <s:item>CLEAN_KEYS</s:item>
                <s:item>FORMAT</s:item>
                <s:item>KEEP_EMPTY_VALS</s:item>
                <s:item>MV_ADD</s:item>
                <s:item>disabled</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>REGEX</s:item>
                <s:item>SOURCE_KEY</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/extractions/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d CLEAN_KEYS=false
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-extract</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
  <updated>2011-07-21T20:33:13-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_transform</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
    <updated>2011-07-21T20:33:13-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">0</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:44-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>dnslookup</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id>
    <updated>2011-08-01T21:10:44-07:00</updated>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
        <s:key name="fields_list">clienthost clientip</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups -d name=my_lookup -d filename=lookup.csv
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:10:33-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:10:33-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:03:24-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

data/transforms/lookups/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-08-01T21:11:01-07:00</updated>
  <generator version="105049"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-08-01T21:11:01-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>default_match</s:item>
                <s:item>disabled</s:item>
                <s:item>external_cmd</s:item>
                <s:item>fields_list</s:item>
                <s:item>filename</s:item>
                <s:item>max_matches</s:item>
                <s:item>max_offset_secs</s:item>
                <s:item>min_matches</s:item>
                <s:item>min_offset_secs</s:item>
                <s:item>time_field</s:item>
                <s:item>time_format</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="filename">lookup.csv</s:key>
        <s:key name="type">file</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/transforms/lookups/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup -d external_cmd=myscript.py -d fields_list=a,b,c
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>transforms-lookup</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
  <updated>2011-07-21T20:00:07-07:00</updated>
  <generator version="104309"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>my_lookup</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
    <updated>2011-07-21T20:00:07-07:00</updated>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
    <link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="CAN_OPTIMIZE">1</s:key>
        <s:key name="CLEAN_KEYS">1</s:key>
        <s:key name="DEFAULT_VALUE"/>
        <s:key name="DEST_KEY"/>
        <s:key name="FORMAT"/>
        <s:key name="KEEP_EMPTY_VALS">0</s:key>
        <s:key name="LOOKAHEAD">4096</s:key>
        <s:key name="MV_ADD">0</s:key>
        <s:key name="REGEX"/>
        <s:key name="SOURCE_KEY">_raw</s:key>
        <s:key name="WRITE_META">0</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="external_cmd">myscript.py</s:key>
        <s:key name="fields_list">a,b,c</s:key>
        <s:key name="type">external</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/ui/views POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/ui/views -d "name=new_dashboard&eai:data=<dashboard><label>the_new_label</label></dashboard>"
XML Response
<title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T15:50:01-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>new_dashboard</title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/new_dashboard</id>
    <updated>2015-10-08T15:50:01-07:00</updated>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/new_dashboard/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[<dashboard><label> the_new_label </label></dashboard>]]></s:key>
        <s:key name="eai:digest">533c60e648b7c4733321ae205d2627d8</s:key>
        <s:key name="eai:type">views</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="isDashboard">1</s:key>
        <s:key name="isVisible">1</s:key>
        <s:key name="label">the_new_label</s:key>
        <s:key name="rootNode">dashboard</s:key>
      </s:dict>
    </content>
  </entry>


data/ui/views/{name} GET

XML
XML Request
curl -k -u username:password 
https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard
XML Response
<div class="samplecode">
 <title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T16:17:03-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title> my_dashboard </title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard</id>
    <updated>2015-10-08T16:17:03-07:00</updated>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>eai:type</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>eai:data</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:data"><![CDATA[<dashboard><label>my_dashboard_label</label></dashboard>]]></s:key>
        <s:key name="eai:digest">01778119e0d9352ca0c6eb0aa7f00950</s:key>
        <s:key name="eai:type">views</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="isDashboard">1</s:key>
        <s:key name="isVisible">1</s:key>
        <s:key name="label">my_dashboard_label</s:key>
        <s:key name="rootNode">dashboard</s:key>
      </s:dict>
    </content>
  </entry>


data/ui/views/{name} POST

XML
XML Request
curl -k -u username:password https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard -d "eai:data=<dashboard><label>new_label</label></dashboard>"
XML Response
  <title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T16:38:23-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.4.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title> my_dashboard </title>
    <id>https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard </id>
    <updated>2015-10-08T16:38:23-07:00</updated>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[<dashboard><label>new_label</label></dashboard>]]></s:key>
        <s:key name="eai:digest">31513ad6cce14b5c792f175cc1691e5e</s:key>
        <s:key name="eai:type">views</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="isDashboard">1</s:key>
        <s:key name="isVisible">1</s:key>
        <s:key name="label">new_label</s:key>
        <s:key name="rootNode">dashboard</s:key>
      </s:dict>
    </content>
  </entry>

data/ui/views/{name} DELETE

XML
XML Request
curl -k -u username:password --request DELETE https://localhost:8089/servicesNS/admin/search/data/ui/views/my_dashboard 
XML Response
 <title>views</title>
  <id>https://localhost:8089/servicesNS/admin/search/data/ui/views</id>
  <updated>2015-10-08T17:07:12-07:00</updated>
  <generator build="a1c9b18fdcfc" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/data/ui/views/_new" rel="create"/>
  <link href="/servicesNS/admin/search/data/ui/views/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/data/ui/views/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>


datamodel/acceleration GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration
XML Response
feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
  <updated>2013-08-24T12:45:20-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>simpleMyAppModel</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
    <updated>2013-08-24T12:45:20-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">1</s:key>
        <s:key name="acceleration.earliest_time">-1mon</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="search"><![CDATA[uri=*  status=*  clientip=*  referer=*  useragent=*  (sourcetype=access_*)  (status < 600)  |
        . . . elided . . .
        "HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/acceleration/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration/simpleMyAppModel
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
  <updated>2013-08-24T12:55:07-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>simpleMyAppModel</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
    <updated>2013-08-24T12:55:07-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">1</s:key>
        <s:key name="acceleration.earliest_time">-1mon</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="search"><![CDATA[uri=*  status=*  clientip=*  referer=*  useragent=*  (sourcetype=access_*)  (status < 600)  |
        . . . elided . . .
        "HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/model GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-15T11:42:06-07:00</updated>
  <generator build="176231" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-23T15:03:13-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description"><![CDATA[{"objects": [{"lineage": "HTTP_Request", "previewSearch": " | search  (sourcetype=access_* OR sourcetype=iis*)
        . . . elided . . .
         "modelName": "MyApp", "displayName": "Web Intelligence"}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>

datamodel/model POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model -d name=Debugger --data-urlencode description='{"modelName":"Debugger","displayName":"Debugger", "description": "A data model for debugging purposes". . . elided . . . }'

XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://qa-sv-rh61x64-10:8089/services/datamodel/model</id>
  <updated>2013-10-16T11:19:24-07:00</updated>
  <generator build="183095" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Debugger</title>
    <id>https://qa-sv-rh61x64-10:8089/servicesNS/admin/search/datamodel/model/Debugger</id>
    <updated>2013-10-16T11:19:24-07:00</updated>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="list"/>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="edit"/>
    <link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description">
          <![CDATA[{"displayName": "Debugger", "modelName": "Debugger", "objectSummary": \
        ...
        "autoextractSearch": " (index = _internal) "}]}]]>
        </s:key>
        <s:key name="displayName">Debugger</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          {'optionalFields': ['acceleration', 'acceleration.cron_schedule', \
           'acceleration.earliest_time', 'eai:data'], 'requiredFields': [], 'wildcardFields': []}
        </s:key>
        <s:key name="eai:digest">05ca1a193365a3b613b919c6401591e3</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/model/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/datamodel/model/MyApp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T15:00:54-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

datamodel/model/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T13:07:36-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-24T13:07:36-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false}</s:key>
        <s:key name="description"><![CDATA[{"modelName": "MyApp", "objectNameList": ["HTTP_Request", "ApacheAccessSearch", "IISAccessSearch",
        . . . elided . . .
        "Interface Implementations": 0, "Search-Based": 1}, "description": "Data model for web analytics.", "displayName": "Web Intelligence"}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>acceleration</s:item>
                <s:item>concise</s:item>
                <s:item>description</s:item>
                <s:item>provisional</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/model/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp -d concise=true
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
  <updated>2013-08-24T13:35:54-07:00</updated>
  <generator build="178272" version="6.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/datamodel/model/_new" rel="create"/>
  <link href="/services/datamodel/model/desc" rel="desc"/>
  <link href="/services/datamodel/model/report" rel="report"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>MyApp</title>
    <id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
    <updated>2013-08-24T13:35:54-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
    <link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="acceleration">{"enabled": false, "earliest_time": "-1mon"}</s:key>
        <s:key name="description"><![CDATA[{"modelName": "MyApp", "objects": [{"constraints": [{"search": "sourcetype=access_* OR
        . . . elided . . .
        "PodcastDownload", "WebSession", "User"], "description": "Data model for web analytics."}]]>
        </s:key>
        <s:key name="displayName">Web Intelligence</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">{'wildcardFields': [], 'requiredFields': [], 'optionalFields': ['acceleration', 'acceleration.cron_schedule', 'acceleration.earliest_time', 'eai:data']}</s:key>
        <s:key name="eai:digest">d73ff2d833e3104eed99a8fd258dbae1</s:key>
        <s:key name="eai:type">datamodels</s:key>
        <s:key name="eai:userName">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

datamodel/pivot GET

XML
XML Request
curl -k -u admin:pass -G https://localhost:8089/services/datamodel/pivot/Authentication --data-urlencode pivot_search='| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"'
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title></title>
  <id>https://localhost:8089/services/datamodel/pivot</id>
  <updated>2013-08-26T15:07:57-07:00</updated>
  <generator build="178683" version="20130826"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Authentication</title>
    <id>https://localhost:8089/servicesNS/nobody/search/datamodel/pivot/Authentication</id>
    <updated>2013-08-26T15:07:57-07:00</updated>
    <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="drilldown_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>is_pivot_command</s:item>
                <s:item>namespace</s:item>
                <s:item>pivot_json</s:item>
                <s:item>pivot_search</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:digest">e74d56a3b4a25256028f3a236e3d2cbc</s:key>
        <s:key name="eai:type">models</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="open_in_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="pivot_json"><![CDATA[{"rowFormat": {"showSummary": false}, "cells": [{"label": "Count of Untagged Authentication (S.o.S)", "value": "count", "fieldName": "Untagged_Authentication", "type": "objectCount", "owner": "Untagged_Authentication"}], "filters": [], "modelName": "Authentication", "baseClass": "Untagged_Authentication", "rows": [], "columns": [], "colFormat": {"showSummary": false, "showOther": true}}]]></s:key>
        <s:key name="pivot_search">| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)"  | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
        <s:key name="tstats_search"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

directory GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" 
  xmlns:s="http://dev.splunk.com/ns/rest" 
  xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:03:40-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>_admin</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="list"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>abc</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id>
    <updated>2011-05-16T19:03:40-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="alternate"/>
    <author>
      <name>ssorkin</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/abc" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

directory/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>directory</title>
  <id>https://localhost:8089/services/directory</id>
  <updated>2011-05-16T19:09:59-0700</updated>
  <generator version="98144"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>dashboard_live</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
    <updated>2011-05-16T19:09:59-0700</updated>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
            <s:dict>
                <s:key name="optionalFields">
                    <s:list/>
                </s:key>
                <s:key name="requiredFields">
                    <s:list/>
                </s:key>
                <s:key name="wildcardFields">
                    <s:list/>
                </s:key>
            </s:dict>
        </s:key>
        <s:key name="eai:type">views</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:46:52-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>internal_search_terms</title>
    <id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id>
    <updated>2011-07-10T23:46:52-07:00</updated>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/>
    <link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">
<![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]>        </s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes -d name="client-errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:10-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:10-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes/{name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:29-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>

saved/eventtypes/{name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:47:17-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:47:17-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description"/>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>description</s:item>
                <s:item>disabled</s:item>
                <s:item>priority</s:item>
                <s:item>tags</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>search</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

saved/eventtypes/{name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors -d description="HTTP Client Errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>eventtypes</title>
  <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
  <updated>2011-07-10T23:48:22-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>client-errors</title>
    <id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
    <updated>2011-07-10T23:48:22-07:00</updated>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">HTTP Client Errors</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="priority">1</s:key>
        <s:key name="search">search</s:key>
        <s:key name="tags">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

search/fields GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Fields</title>
  <id>/servicesNS/admin/search/search/fields</id>
  <updated>2011-07-11T10:04:51-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>_indextime</title>
    <id>/servicesNS/admin/search/search/fields/_indextime</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/>
  </entry>
  <entry>
    <title>_sourcetype</title>
    <id>/servicesNS/admin/search/search/fields/_sourcetype</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/>
  </entry>
  <entry>
    <title>date_hour</title>
    <id>/servicesNS/admin/search/search/fields/date_hour</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/>
  </entry>

  . . . elided . . .

  <entry>
    <title>splunk_server</title>
    <id>/servicesNS/admin/search/search/fields/splunk_server</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/>
  </entry>
  <entry>
    <title>timeendpos</title>
    <id>/servicesNS/admin/search/search/fields/timeendpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/>
  </entry>
  <entry>
    <title>timestartpos</title>
    <id>/servicesNS/admin/search/search/fields/timestartpos</id>
    <updated>2011-07-11T10:04:51-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/>
  </entry>
</feed>

search/fields/{field_name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype
XML Response
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>sourcetype</title>
  <id>/servicesNS/admin/search/search/fields/sourcetype</id>
  <updated>2011-07-11T10:08:54-07:00</updated>
  <link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/>
  <content type="text">	Attr:INDEXED	True
	Attr:INDEXED_VALUE	False
	Attr:TOKENIZER	
</content>
</entry>

search/fields/{field_name}/tags GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags for the host field</title>
  <id>/servicesNS/admin/search/search/fields/host/tags</id>
  <updated>2011-07-11T10:41:46-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>location::sfo</title>
    <id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id>
    <updated>2011-07-11T10:41:46-07:00</updated>
    <link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/>
  </entry>
</feed>

search/fields/{field_name}/tags POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags -d add=sfo -d delete=nyc -d value=location
XML Response
<response>
  <messages>
    <msg type='INFO'>Successfully processed adds/deletes for field host</msg>
  </messages>
</response>

search/tags GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Tags</title>
  <id>/servicesNS/admin/search/search/tags</id>
  <updated>2011-07-08T01:35:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>machine</title>
    <id>/servicesNS/admin/search/search/tags/machine</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/>
  </entry>
  <entry>
    <title>user</title>
    <id>/servicesNS/admin/search/search/tags/user</id>
    <updated>2011-07-08T01:35:09-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/>
  </entry>
</feed>

search/tags/{tag_name} DELETE

XML
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response
<response>
  <messages>
    <msg type="INFO">Tag successfully deleted</msg>
  </messages>
</response>

search/tags/{tag_name} GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user
XML Response
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Field::Value pairs with tag user</title>
  <id>/servicesNS/admin/search/search/tags/user</id>
  <updated>2011-07-08T01:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>eventtype::userupdate</title>
    <id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id>
    <updated>2011-07-08T01:35:28-07:00</updated>
    <link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/>
  </entry>
</feed>

search/tags/{tag_name} POST

XML
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user -d add=eventtype::userupdate -d delete=eventtype::useradd-suse
XML Response
<response>
  <messages>
    <msg type="INFO">Processed adds/deletes for tag</msg>
  </messages>
</response>


services/admin/summarization GET

XML
XML Request
curl -k -u admin:pass https://localhost:8089/services/admin/summarization/?by_tstats=1
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>summarization</title>
  <id>https://localhost:8089/services/admin/summarization</id>
  <updated>2015-06-01T15:21:20-07:00</updated>
  <generator build="e343948e242181aa7b94257ede83830605c853d9" version="20150526"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/summarization/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>tstats:DM_search_mydatamodel</title>
    <id>https://localhost:8089/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel</id>
    <updated>2015-06-01T15:21:20-07:00</updated>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="list"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="remove"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/details" rel="details"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/reschedule" rel="reschedule"/>
    <link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/touch" rel="touch"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms"/>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="search"><![CDATA[search search (index=* OR index=_*) (index=_internal) | eval nodename = "rootevent"| eval is_Age=if(searchmatch("(avg_age)"),1,0), is_not_Age=1-is_Age | eval nodename = if(nodename == "rootevent" AND searchmatch("(avg_age)"), mvappend(nodename, "rootevent.Age"), nodename) | rename abandoned_channels AS rootevent.abandoned_channels average_kbps AS rootevent.average_kbps avg_age AS rootevent.avg_age bytes AS rootevent.bytes clientip AS rootevent.clientip color AS rootevent.color component AS rootevent.component cookie AS rootevent.cookie cpu_seconds AS rootevent.cpu_seconds cumulative_hits AS rootevent.cumulative_hits current_queue_size AS rootevent.current_queue_size current_size AS rootevent.current_size current_size_kb AS rootevent.current_size_kb date_hour AS rootevent.date_hour is_Age AS rootevent.is_Age is_not_Age AS rootevent.is_not_Age | fields nodename, _time, host, source, sourcetype, rootevent.abandoned_channels, rootevent.average_kbps, rootevent.avg_age, rootevent.bytes, rootevent.clientip, rootevent.color, rootevent.component, rootevent.cookie, rootevent.cpu_seconds, rootevent.cumulative_hits, rootevent.current_queue_size, rootevent.current_size, rootevent.current_size_kb, rootevent.date_hour, rootevent.is_Age, rootevent.is_not_Age]]></s:key>
        <s:key name="summary.access_count">0</s:key>
        <s:key name="summary.access_time">0</s:key>
        <s:key name="summary.buckets">22</s:key>
        <s:key name="summary.buckets_size">273</s:key>
        <s:key name="summary.complete">1.000000</s:key>
        <s:key name="summary.earliest_time">1432174156</s:key>
        <s:key name="summary.id">DM_search_mydatamodel</s:key>
        <s:key name="summary.is_inprogress">0</s:key>
        <s:key name="summary.last_error"></s:key>
        <s:key name="summary.last_sid">scheduler__nobody__search__RMD5692d85674596d683_at_1433197200_18815</s:key>
        <s:key name="summary.latest_time">1432684089</s:key>
        <s:key name="summary.mod_time">1433196908</s:key>
        <s:key name="summary.size">61153280</s:key>
        <s:key name="summary.time_range">604800</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
PREVIOUS
Knowledge endpoint descriptions
  NEXT
KV Store endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters