
rest
Description
The rest command reads a Splunk REST API endpoint and returns the resource data as a search result.
Syntax
| rest <rest-uri> [count=<int>] [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]... [timeout=<int>] (<get-arg-name>=<get-arg-value>)...
Required arguments
- rest-uri
- Syntax: <uri>
- Description: URI path to the Splunk REST API endpoint.
- get-arg-name
- Syntax: <string>
- Description: REST argument name.
- get-arg-value
- Syntax: <string>
- Description: REST argument value.
Optional arguments
- count
- Syntax: count=<int>
- Description: Limits the number of results returned from each REST call. For example, you have four indexers and one search head. You set the limit to count=25000. This results in a total limit of 125000, which is 25000 x 5.
- When count=0, there is no limit.
- Default: 0
- splunk_server
- Syntax: splunk_server=<wc-string>
- Description: Specifies the distributed search peer from which to return results. You can specify only one splunk_server argument. However, you can use a wildcard character when you specify the server name to indicate multiple servers. For example, you can specify splunk_server=peer01 or splunk_server=peer*. Use local to refer to the search head.
- Default: All configured search peers return information
- splunk_server_group
- Syntax: splunk_server_group=<wc-string>...
- Description: Limits the results to one or more server groups. You can specify a wildcard character in the string to indicate multiple server groups.
- timeout
- Syntax: timeout=<int>
- Description: Specify the timeout in seconds when waiting for the REST endpoint to respond.
- Default: 60
Usage
The rest command authenticates using the ID of the person that runs the command.
For more information, see the REST API User Manual.
Examples
Example 1: Access saved search jobs.
| rest /services/search/jobs count=0 splunk_server=local | search isSaved=1
Example 2: Add the current search user to all events (useful for creating reports that only show events associated with the logged-in user).
* | head 10 | join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ]
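The argument rules described above (count applied per REST call, the splunk_server wildcard and local, the documented defaults) modelled in Python as an added example for reviewing searches that use rest; this is not Splunk code. The function names and the server names passed in are made up for illustration, and it assumes a wildcard is matched against every server name, search head included.

```python
import shlex
from fnmatch import fnmatchcase

DEFAULTS = {"count": 0, "timeout": 60}  # defaults documented on this page


def parse_rest(segment):
    """Parse one 'rest ...' pipeline segment into (uri, options, get_args)."""
    tokens = shlex.split(segment)
    if tokens[:1] != ["rest"]:
        raise ValueError("not a rest command")
    uri, opts, get_args = None, dict(DEFAULTS), {}
    for tok in tokens[1:]:
        name, sep, value = tok.partition("=")
        if tok.startswith("/") or not sep:
            uri = tok  # rest-uri may appear before or after the options
        elif name in DEFAULTS:
            opts[name] = int(value)
        elif name == "splunk_server":
            if name in opts:
                raise ValueError("only one splunk_server argument is allowed")
            opts[name] = value
        elif name == "splunk_server_group":
            opts.setdefault(name, []).append(value)  # may repeat
        else:
            get_args[name] = value  # anything else is a GET argument
    if uri is None:
        raise ValueError("rest-uri is required")
    return uri, opts, get_args


def targets(opts, search_head, peers):
    """Servers one call fans out to (server groups are not resolved here)."""
    pattern = opts.get("splunk_server")
    if pattern is None:
        return [search_head] + peers  # default: all configured servers answer
    if pattern == "local":
        return [search_head]
    return [s for s in [search_head] + peers if fnmatchcase(s, pattern)]


def audit(search, search_head, peers):
    """Report every rest call in a search string (naive split on '|')."""
    report = []
    for seg in search.split("|"):
        if seg.split()[:1] == ["rest"]:
            uri, opts, get_args = parse_rest(seg)
            hit = targets(opts, search_head, peers)
            # count limits each REST call, so the cap is count x servers; 0 = none
            cap = opts["count"] * len(hit) if opts["count"] else None
            report.append({"uri": uri, "servers": hit, "max_results": cap,
                           "timeout": opts["timeout"], "get_args": get_args})
    return report
```

A max_results of None means the call is uncapped, which is also what you get when count is omitted.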
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the rest command.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4