Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

rest

Description

The rest command reads a Splunk REST API endpoint and returns the resource data as a search result.

Syntax

| rest <rest-uri> [count=<int>] [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]... [timeout=<int>] [<get-arg-name>=<get-arg-value>]...

Required arguments

rest-uri
Syntax: <uri>
Description: URI path to the Splunk REST API endpoint.

Optional arguments

count
Syntax: count=<int>
Description: Limits the number of results returned from each REST call. For example, you have four indexers and one search head. You set the limit to count=25000. This results in a total limit of 125000, which is 25000 x 5.
When count=0, there is no limit.
Default: 0
get-arg-name
Syntax: <string>
Description: REST argument name.
get-arg-value
Syntax: <string>
Description: REST argument value.
splunk_server
Syntax: splunk_server=<wc-string>
Description: Specifies the distributed search peer from which to return results. You can specify only one splunk_server argument, However, you can use a wildcard character when you specify the server name to indicate multiple servers. For example, you can specify splunk_server=peer01 or splunk_server=peer*. Use local to refer to the search head.
Default: All configured search peers return information
splunk_server_group
Syntax: splunk_server_group=<wc-string>...
Description: Limits the results to one or more server groups. You can specify a wildcard character in the string to indicate multiple server groups.
timeout
Syntax: timeout=<int>
Description: Specify the timeout in seconds when waiting for the REST endpoint to respond.
Default: 60

Usage

The rest command authenticates using the ID of the person that runs the command.

For more information, see the REST API User Manual.

Examples

Example 1: Access saved search jobs.

| rest /services/search/jobs count=0 splunk_server=local | search isSaved=1

Example 2: Find all saved searches with search strings that include the speccsv sourcetype.

| rest /services/saved/searches splunk_server=local | rename search AS saved_search | fields author, title, saved_search | search saved_search=*speccsv*

Example 3: Add current search user to all events (useful for creating reports that only show events associated with logged in user).

* | head 10 | join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ]

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the rest command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Rest:6.3.0beta&oldid=960611"
PREVIOUS
replace 		  NEXT
return

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters