Splunk® Enterprise

REST API Reference Manual

Version 7.1.3
Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Introspection endpoint descriptions

Access server and instance information.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information, see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Managed Splunk Cloud deployments

https://<deployment-name>.splunkcloud.com:8089

Self-service Splunk Cloud deployments
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.

https://input-<deployment-name>.cloud.splunk.com:8089


See Using the REST API in Splunk Cloud in the Splunk REST API Tutorials for more information.


data/index-volumes

https://<host>:<mPort>/services/data/index-volumes

Get information about the volumes (logical drives) in use by the Splunk deployment.


GET

List the Splunk deployment volumes.


data/index-volumes/{name}

https://<host>:<mPort>/services/data/index-volumes/{name}

Get information about the {name} volume (logical drive).


GET

List {name} volume properties.


data/indexes

https://<host>:<mPort>/services/data/indexes

Create and manage data indexes.

Authorization and authentication
By default, all users can list all indexes. However, if the indexes_list_all capability is enabled in authorize.conf, access to all indexes is limited to only those roles with this capability.

To enable indexes_list_all capability restrictions on the data/indexes endpoint, create a [capability::indexes_list_all] stanza in authorize.conf. Specify indexes_list_all=enabled for any role permitted to list all indexes from this endpoint.

For more information, see the authorize.conf spec file in the Admin Manual.
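
An added example (not Splunk's own code) that audits authorize.conf text for the restriction described above and reports which roles can still list all indexes. The sample configuration is constructed, and treating importRoles as passing the capability on to the importing role is an assumption about role inheritance.

```python
import configparser

# Constructed sample authorize.conf content (not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[capability::indexes_list_all]

[role_admin]
indexes_list_all = enabled

[role_power]
importRoles = user

[role_user]
srchIndexesAllowed = main

[role_secops]
importRoles = admin
"""

def roles_listing_all_indexes(conf_text):
    """Return (restricted, roles): whether the capability restriction is
    active, and which roles may list all indexes from data/indexes."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(conf_text)
    roles = {s[len("role_"):]: cp[s]
             for s in cp.sections() if s.startswith("role_")}
    if "capability::indexes_list_all" not in cp:
        # Without the stanza, every user can list all indexes (the default).
        return False, sorted(roles)

    def has_cap(role, seen=()):
        if role not in roles or role in seen:  # unknown role or import cycle
            return False
        sec = roles[role]
        if sec.get("indexes_list_all", "").strip().lower() == "enabled":
            return True
        # Assumption: capabilities are inherited through importRoles.
        imported = [r.strip() for r in sec.get("importRoles", "").split(";")]
        return any(has_cap(r, seen + (role,)) for r in imported if r)

    return True, sorted(r for r in roles if has_cap(r))

if __name__ == "__main__":
    print(roles_listing_all_indexes(SAMPLE_AUTHORIZE_CONF))
```

A result of `(False, ...)` means the stanza is missing and the default applies, so the role list is every role defined in the file.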


GET

List the recognized indexes on the server.

POST

Create a new index.


data/indexes/{name}

https://<host>:<mPort>/services/data/indexes/{name}

Access, update, or delete the {name} index.


DELETE

Removes the {name} index and the data contained in it.


GET

Access information about the {name} index.


POST

Updates the {name} index.



data/indexes-extended

https://<host>:<mPort>/services/data/indexes-extended


Access index bucket-level information. There are three bucket super-directories per index.

  • home
  • cold
  • thawed


GET

List bucket attributes for all indexes.


data/indexes-extended/{name}

https://<host>:<mPort>/services/data/indexes-extended/{name}


Access bucket-level information for the {name} index. There are three bucket super-directories per index.

  • home
  • cold
  • thawed


GET

Get {name} bucket information.


data/summaries

https://<host>:<mPort>/services/data/summaries

Get disk usage information about all summaries in an indexer.


GET

Gets current summary disk usage information.


data/summaries/{summary_name}

https://<host>:<mPort>/services/data/summaries/{summary_name}

Get disk usage information about the {name} indexer summary.


GET

Get disk usage information for the {name} summary.


server/health/splunkd

https://<host>:<mPort>/services/server/health/splunkd

Shows the overall health of splunkd. The health of splunkd can be red, yellow, or green. The health of splunkd is based on the health of all features reporting to it.

Authentication and Authorization

Requires the admin role or list_health capability.


GET

Get the health status of splunkd.


server/health/splunkd/details

https://<host>:<mPort>/services/server/health/splunkd/details

Shows the overall health of the splunkd health status tree, as well as each feature node and its respective color. For unhealthy nodes (non-green), the output includes reasons, indicators, thresholds, messages, and so on.

Authentication and Authorization

Requires the admin role or list_health capability.


GET

Get health status of splunkd features.


server/health-config/{feature_name}

https://<host>:<mPort>/services/server/health-config/{feature_name}

Endpoint to configure splunkd health report features.

Authentication and Authorization

Requires the admin role or edit_health capability.


POST

Configure splunkd health report features.


server/info

https://<host>:<mPort>/services/server/info


Access information about the currently running Splunk instance.

Note: This endpoint provides information on the currently running Splunk instance. Some values returned in the GET response reflect server status information. However, this endpoint is meant to provide information on the currently running instance, not the machine where the instance is running. Server status values returned by this endpoint should be considered deprecated and might not continue to be accessible from this endpoint. Use server/sysinfo to access server status instead. For more information, see server/sysinfo.


GET

Get Splunk instance information.


server/introspection

https://<host>:<mPort>/services/server/introspection

Access system introspection artifacts.

See also the following associated endpoints.


GET

List introspection resources.


server/introspection/indexer

https://<host>:<mPort>/services/server/introspection/indexer

Access the current indexer status.

See also server/introspection.


GET

Get indexer status information.


server/introspection/kvstore

https://<host>:<mPort>/services/server/introspection/kvstore


Access app KV store resources.

See also server/introspection.


GET

List app KV store resources.


server/introspection/kvstore/collectionstats

https://<host>:<mPort>/services/server/introspection/kvstore/collectionstats


Get storage statistics for a collection.

See also the following associated endpoints.


GET

Get collection storage statistics.


server/introspection/kvstore/replicasetstats

https://<host>:<mPort>/services/server/introspection/kvstore/replicasetstats


Get the status of the replica set from the point of view of the current server.

See also the following associated endpoints.


GET

Get the status of the replica set from the point of view of the current server.


server/introspection/kvstore/serverstatus

https://<host>:<mPort>/services/server/introspection/kvstore/serverstatus

Get an overview of the database process state.

Monitoring applications periodically run this command to get statistical information about the database instance.

See also the following associated endpoints.


GET

Get an overview of the database process state.


server/introspection/search/dispatch

https://<host>:<mPort>/services/server/introspection/search/dispatch 

Provides vital statistics for the distributed search framework, including details on search peer performance.


GET

Enumerate scheduled search details.


server/introspection/search/dispatch/Bundle_Directory_Reaper

https://<host>:<mPort>/services/server/introspection/search/dispatch/Bundle_Directory_Reaper

Get average and maximum time for the dispatch reaper to walk the search peer directory and reap obsolete bundles.


GET

Enumerate routine distributed search method execution times for each peer.


server/introspection/search/dispatch/Compute_User_Search_Quota

https://<host>:<mPort>/services/server/introspection/search/dispatch/Compute_User_Search_Quota

Provides average and maximum time for computing user search quotas.


GET

Enumerate average and maximum time for user search quota computation.


server/introspection/search/dispatch/Dispatch_Directory_Reaper

https://<host>:<mPort>/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper


Get average and maximum time for the dispatch reaper to walk the dispatch directory and reap stale artifacts.


GET

Show dispatch directory reaper times for reaping stale artifacts.


server/introspection/search/dispatch/Search_StartUp_Time

https://<host>:<mPort>/services/server/introspection/search/dispatch/Search_StartUp_Time

Get average and maximum time for search preprocessing before startup.

Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, Splunk software is ready to wait for responses from indexers.


GET

Enumerate average and maximum time for search preprocessing before startup.


server/introspection/search/distributed

https://<host>:<mPort>/services/server/introspection/search/distributed

Get information about the search knowledge bundle replication, if the current instance is the search head. Provides details about maximum and average time to execute routine distributed search methods, including peer info, peer bundles list, and authentication token requests from search heads.


GET

Enumerate routine distributed search method execution times for each peer.


server/introspection/search/saved

https://<host>:<mPort>/services/server/introspection/search/saved

Access most recent scheduled search priority scores and score calculation adjustments.


GET

Enumerate scheduled search details.


server/status

https://<host>:<mPort>/services/server/status

List server/status child resources.


GET

Enumerate server/status endpoints.


server/status/dispatch-artifacts

https://<host>:<mPort>/services/server/status/dispatch-artifacts

Access search job information.


GET

Get information about dispatched search jobs.


server/status/fishbucket

https://<host>:<mPort>/services/server/status/fishbucket

Access information about the private BTree database.


GET

Access private BTree database information.


server/status/installed-file-integrity

https://<host>:<mPort>/services/server/status/installed-file-integrity

Check for system file irregularities.


GET

Check file integrity status.


server/status/limits/search-concurrency

https://<host>:<mPort>/services/server/status/limits/search-concurrency

Access search concurrency metrics for a standalone Splunk Enterprise instance.


GET

Get search concurrency limits for a standalone Splunk Enterprise instance.


server/status/partitions-space

https://<host>:<mPort>/services/server/status/partitions-space


Access disk utilization information for filesystems that have Splunk objects, such as indexes, volumes, and logs. A filesystem can span multiple physical disk partitions.


GET

Get disk utilization information.


server/status/resource-usage

https://<host>:<mPort>/services/server/status/resource-usage

Get current resource (CPU, RAM, VM, I/O, file handle) utilization for the entire host and for each Splunk-related process.


GET

Get resource utilization information.


server/status/resource-usage/hostwide

https://<host>:<mPort>/services/server/status/resource-usage/hostwide

Access host-level dynamic CPU utilization and paging information.


GET

Get host-level, dynamic CPU utilization and paging information.


server/status/resource-usage/iostats

https://<host>:<mPort>/services/server/status/resource-usage/iostats


Access the most recent disk I/O statistics for each disk. This endpoint is currently supported for Linux, Windows, and Solaris. By default, this endpoint is updated every 60 seconds.


GET

Get disk I/O statistics.


server/status/resource-usage/splunk-processes

https://<host>:<mPort>/services/server/status/resource-usage/splunk-processes

Access operating system resource utilization information.


GET

Get process operating system resource utilization information.


server/sysinfo

https://<host>:<mPort>/services/server/sysinfo

Exposes relevant information about the resources and OS settings of the machine where Splunk Enterprise is running.


Usage details
This endpoint provides status information for the server where the current Splunk instance is running. The GET request response includes Kernel Transparent Huge Pages (THP) and ulimit status.


Note: Some properties returned by this endpoint are also returned by server/info. However, the server/info endpoint is meant to provide information on the currently running Splunk instance and not the machine where the instance is running. Server status values returned by server/info should be considered deprecated and might not continue to be accessible from this endpoint. Use the server/sysinfo endpoint for server information instead.


GET

Access server details.


Last modified on 16 January, 2019
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10

