Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

rest

Description

The rest command reads a Splunk REST API endpoint and returns the resource data as a search result.

For information about the REST API, see the REST API User Manual.

Syntax

| rest <rest-uri> [count=<int>] [splunk_server=<wc-string>] [splunk_server_group=<wc-string>]... [timeout=<int>] [<get-arg-name>=<get-arg-value>]...

Required arguments

rest-uri
Syntax: <uri>
Description: URI path to the Splunk REST API endpoint.

Optional arguments

count
Syntax: count=<int>
Description: Limits the number of results returned from each REST call. For example, you have four indexers and one search head. You set the limit to count=25000. This results in a total limit of 125000, which is 25000 x 5.
When count=0, there is no limit.
Default: 0
get-arg-name
Syntax: <string>
Description: REST argument name.
get-arg-value
Syntax: <string>
Description: REST argument value.
splunk_server
Syntax: splunk_server=<wc-string>
Description: Specifies the distributed search peer from which to return results. You can specify only one splunk_server argument, However, you can use a wildcard character when you specify the server name to indicate multiple servers. For example, you can specify splunk_server=peer01 or splunk_server=peer*. Use local to refer to the search head.
Default: All configured search peers return information
splunk_server_group
Syntax: splunk_server_group=<wc-string>...
Description: Limits the results to one or more server groups. You can specify a wildcard character in the string to indicate multiple server groups.
timeout
Syntax: timeout=<int>
Description: Specify the timeout, in seconds, to wait for the REST endpoint to respond. Specify timeout=0 to indicate no limit on the time to wait for the REST endpoint to respond.
Default: 60

Usage

The rest command authenticates using the ID of the person that runs the command.

Examples

1. Access saved search jobs

| rest /services/search/jobs count=0 splunk_server=local | search isSaved=1

2. Find all saved searches with searches that include a specific sourcetype

Find all saved searches with search strings that include the speccsv sourcetype.

| rest /services/saved/searches splunk_server=local | rename search AS saved_search | fields author, title, saved_search | search saved_search=*speccsv*

3. Add the current search user to all events

Add current search user to all events. This is useful for creating reports that only show events associated with the logged in user.

* | head 10 | join [ | rest splunk_server=local /services/authentication/current-context | rename username as auth_user_id | fields auth_user_id ]

4. Use the GET method pagination and filtering parameters

Most GET methods support a set of pagination and filtering parameters.

To determine if an endpoint supports these parameters, find the endpoint in the REST API Reference manual. Click Expand on the GET method and look for a link to the Pagination and filtering parameters topic. For more information about the Pagination and filtering parameters, see the Request and response details in the REST API Reference manual.

The following example uses the search parameter to identify if a search is scheduled and if a search is disabled. The search looks for scheduled searches on Splunk servers that match the Monitoring Console role of "search heads".

| rest /servicesNS/-/-/saved/searches splunk_server_group=dmc_group_search_head timeout=0 search="is_scheduled=1" search="disabled=0"

Here is an explanation for each part of this search:

Description Part of the search
The name of the REST call. 
|rest /servicesNS/-/-/saved/searches
Look only at Splunk servers that match the Monitoring Console role of "search heads". 
splunk_server_group=dmc_group_search_head
Don't time out waiting for the REST call to finish. 
timeout=0
Look only for scheduled searches. 
search="is_scheduled=1"
Look only for active searches (not disabled). 
search="disabled=0"

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the rest command.

Last modified on 08 October, 2019
PREVIOUS
replace 		  NEXT
return

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters