Splunk® Enterprise

REST API Reference Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Output endpoint descriptions

Manage data from forwarders.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud Platform limitations

As a Splunk Cloud Platform user, you are restricted to interacting with the search tier only with the REST API. Output endpoints are generally not accessible in Splunk Cloud Platform.

See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.


data/outputs/tcp/default

https://<host>:<mPort>/services/data/outputs/tcp/default

Access to global tcpout properties.


GET

Returns the current tcpout properties.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
autoLB Specifies whether Auto Load balance method is used.
defaultGroup Target group names. The forwarder sends all data to the specified groups.

Starting with 4.2, this attribute is no longer required.

disabled Indicates if tcpout settings are disabled.
forwardedindex.0.whitelist Specifies 0th whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.1.blacklist Specifies 1st blacklist filter. forwardedindex.<n>.blacklist specifies index for which events are not forwarded.
forwardedindex.2.whitelist Specifies 2nd whitelist filter.

forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to.

forwardedindex.filter.disable Specifies whether filtering of forwarded data based on index is diasbled.
indexAndForward Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

See the parmeter description for the POST operation for more information.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default

XML Response

...
 <title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:38:23-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>tcpout</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/default/tcpout</id>
   <updated>2011-07-10T22:38:23-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="autoLB">1</s:key>
       <s:key name="defaultGroup">spacecake_9998</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="forwardedindex.0.whitelist">.*</s:key>
       <s:key name="forwardedindex.1.blacklist">_.*</s:key>
       <s:key name="forwardedindex.2.whitelist">_audit</s:key>
       <s:key name="forwardedindex.filter.disable">0</s:key>
       <s:key name="indexAndForward">0</s:key>
       <s:key name="maxQueueSize">500KB</s:key>
     </s:dict>
   </content>
 </entry>



POST

Configure global tcpout properties.


Request parameters

Name Type Default Description
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

CAUTION: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

name
required
String Configuration to be edited. The only valid value is "tcpout".
sendCookedData Boolean If true, events are cooked (processed by Splunk software). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.


Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout -d 'defaultGroup=myIndexers'

XML Response

...
 <title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:43:53-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



data/outputs/tcp/default/{name}

https://<host>:<mPort>/services/data/outputs/tcp/default/{name}

Manage forwarder settings.


DELETE

Disable the default forwarding settings.


Request parameters
None


Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/default/tcpout

XML Response

...
<title>tcpout-default</title>
 <id>https://localhost:8085/services/data/outputs/tcp/default</id>
 <updated>2011-07-19T20:09:02-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



GET

Retrieve the named configuration.

Usage details
The only valid {name} here is "tcpout".

Request parameters
None

Returned values
None


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout

XML Response

...
<title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:38:23-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>tcpout</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/default/tcpout</id>
   <updated>2011-07-10T22:38:23-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="autoLB">1</s:key>
       <s:key name="defaultGroup">spacecake_9998</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="forwardedindex.0.whitelist">.*</s:key>
       <s:key name="forwardedindex.1.blacklist">_.*</s:key>
       <s:key name="forwardedindex.2.whitelist">_audit</s:key>
       <s:key name="forwardedindex.filter.disable">0</s:key>
       <s:key name="indexAndForward">0</s:key>
       <s:key name="maxQueueSize">500KB</s:key>
     </s:dict>
   </content>
 </entry>


POST

Configure global forwarding properties.


Request parameters

Name Type Default Description
defaultGroup String Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.

The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.

Starting with 4.2, this attribute is no longer required.

disabled Boolean Disables default tcpout settings
dropEventsOnQueueFull Number If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

Caution: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number How often (in seconds) to send a heartbeat packet to the receiving server.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

indexAndForward Boolean Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.

This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group.

maxQueueSize Number Specify an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

sendCookedData Boolean If true, events are cooked (processed by Splunk software). If false, events are raw and untouched prior to sending. Defaults to true.

Set to false if you are sending to a third-party system.

Returned values
None


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout -d heartbeatFrequency=60

XML Response

...
 <title>tcpout-default</title>
 <id>https://localhost:8089/services/data/outputs/tcp/default</id>
 <updated>2011-07-10T22:43:53-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/default/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



data/outputs/tcp/group

https://<host>:<mPort>/services/data/outputs/tcp/group

Access to the configuration of a group of one or more data forwarding destinations.

Authentication and Authorization

  • GET requires list_forwarders capability.
  • POST requires edit_forwarders capability.


GET

Get configuration information about target groups.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
disabled Indicates if tcpout is disabled for this group.
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group

XML Response

...
<title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:21:07-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>spacecake_9998</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998</id>
   <updated>2011-07-10T22:21:07-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="method">autobalance</s:key>
       <s:key name="servers">
         <s:list>
           <s:item>spacecake:9998</s:item>
         </s:list>
       </s:key>
     </s:dict>
   </content>
 </entry>



POST

Configure a group of one or more data forwarding destinations.


Request parameters

Name Type Default Description
compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

Caution: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number auto Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

name
required
String The name of the group of receivers.
sendCookedData Boolean true If true, send cooked events (events processed by Splunk software).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.

servers
required
String Comma-separated list of servers to include in the group.
token GUID Token value generated by the indexer after configuration.


Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group -d name=lan_receivers -d method=autobalance -d servers=10.3.3.3:9997,10.4.4.4:9997

XML Response

...
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:21:23-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



data/outputs/tcp/group/{name}

https://<host>:<mPort>/services/data/outputs/tcp/group/{name}

Manage the {name} target group.

Authentication and Authorization

  • GET requires list_forwarders capability.
  • POST and DELETE require edit_forwarders capability.


DELETE

Deletes the target group specified by {name}.


Request parameters
None

Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/group/lan_receivers

XML Response

...
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:32:47-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



GET

Get configuration information about the target group specified by {name}.

Request parameters
None

Returned values

Name Description
autoLB Indicates if the forwarder performs automatic load balancing.

See the description for the autoLB parameter in POST data/outputs/tcp/group for details.

disabled Indicates if tcpout is disabled for this group.
method Specifies the type of output processor.

Valid values: (tcpout | syslog)

servers Servers included in this group.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group/lan_receivers

XML Response

...
<title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:23:10-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>lan_receivers</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers</id>
   <updated>2011-07-10T22:23:10-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="autoLB">1</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>autoLB</s:item>
               <s:item>blockOnQueueFull</s:item>
               <s:item>compressed</s:item>
               <s:item>disabled</s:item>
               <s:item>dropEventsOnQueueFull</s:item>
               <s:item>heartbeatFrequency</s:item>
               <s:item>maxPersistentQueueSizeInMegs</s:item>
               <s:item>maxQueueSize</s:item>
               <s:item>method</s:item>
               <s:item>persistentQueuePath</s:item>
               <s:item>sendCookedData</s:item>
               <s:item>usePersistentQueue</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list>
               <s:item>servers</s:item>
             </s:list>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="method">autobalance</s:key>
       <s:key name="servers">
         <s:list>
           <s:item>10.3.3.3:9997</s:item>
           <s:item>10.4.4.4:9997</s:item>
         </s:list>
       </s:key>
     </s:dict>
   </content>
 </entry>



POST

Update the configuration of the target group.


Request parameters

Name Type Default Description
compressed Boolean false If true, forwarder sends compressed data.

If set to true, the receiver port must also have compression turned on.

disabled Boolean false If true, disables the group.
dropEventsOnQueueFull Number -1 If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).

Caution: Do not set this value to a positive integer if you are monitoring files.

Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group.

Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur.

heartbeatFrequency Number 30 How often (in seconds) to send a heartbeat packet to the group.

Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds.

maxQueueSize Number auto Specify either an integer or integer[KB|MB|GB].

Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).

Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer.

For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting.

If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks.

If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any).

method Enum Valid values: (tcpout | syslog)

Specifies the type of output processor.

sendCookedData Boolean true If true, send cooked events (events processed by Splunk software).

If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system.

Defaults to true.

servers
required
String Comma-separated list of servers to include in the group.
token GUID Token value generated by indexer after configuration.


Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group/lan_receivers -d maxQueueSize=1024KB -d servers=10.3.3.3:9997,10.4.4.4:9997

XML Response

...
 <title>tcpout-group</title>
 <id>https://localhost:8089/services/data/outputs/tcp/group</id>
 <updated>2011-07-10T22:26:02-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/group/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



data/outputs/tcp/server

https://<host>:<mPort>/services/data/outputs/tcp/server

Access data forwarding configurations.


GET

List existing forwarded servers.

Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
disabled Indicates if the outputs to the destination server is disabled.
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)

sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server

XML Response

...
<title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:34:59-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>spacecake:9998</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998</id>
   <updated>2011-07-10T21:34:59-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/allconnections" rel="allconnections"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="destHost">spacecake.splunk.com</s:key>
       <s:key name="destIp">10.1.1.73</s:key>
       <s:key name="destPort">9998</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="method">autobalance</s:key>
       <s:key name="sourcePort">8085</s:key>
       <s:key name="status">connect_fail</s:key>
     </s:dict>
   </content>
 </entry>


POST

Creates a new forwarder output.


Request parameters

Name Type Default Description
disabled Boolean If true, disables the forwarder.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

name
required
String <host>:<port> of the Splunk receiver. <host> can be either an ip address or server name. <port> is the that port that the Splunk receiver is listening on.
sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk Enterprise CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.


Returned values

None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server -d name=tiny:9997

XML Response

  <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:13-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



data/outputs/tcp/server/{name}

https://<host>:<mPort>/services/data/outputs/tcp/server/{name}

Manage the {name} forwarder.


DELETE

Deletes the configuration for the {name} forwarded server.

Request parameters
None

Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/server/tiny:9997

XML Response

...
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:41-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



GET

Lists information for the {name} forwarded server.


Request parameters
None


Returned values

Name Description
disabled Indicates if the outputs to the destination server is disabled.
method The data distribution method used when two or more servers exist in the same forwarder group.

Valid values: (clone | balance | autobalance)


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/tiny:9997

XML Response

...
<title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:24-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>tiny:9997</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997</id>
   <updated>2011-07-10T21:35:24-07:00</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/allconnections" rel="allconnections"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">0</s:key>
       ... eai:acl nodes elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>backoffAtStartup</s:item>
               <s:item>disabled</s:item>
               <s:item>initialBackoff</s:item>
               <s:item>maxBackoff</s:item>
               <s:item>maxNumberOfRetriesAtHighestBackoff</s:item>
               <s:item>method</s:item>
               <s:item>sslAltNameToCheck</s:item>
               <s:item>sslCertPath</s:item>
               <s:item>sslCipher</s:item>
               <s:item>sslCommonNameToCheck</s:item>
               <s:item>sslPassword</s:item>
               <s:item>sslRootCAPath</s:item>
               <s:item>sslVerifyServerCert</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="method">autobalance</s:key>
     </s:dict>
   </content>
 </entry>



POST

Configures the forwarded server specified by {name}.


Request parameters

Name Type Default Description
disabled Boolean If true, disables the forwarder.
method Enum Valid values: (clone | balance | autobalance)

The data distribution method used when two or more servers exist in the same forwarder group.

sslAltNameToCheck String The alternate name to match in the remote server's SSL certificate.
sslCertPath String Path to the client certificate. If specified, connection uses SSL.
sslCipher String SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
sslCommonNameToCheck String Check the common name of the server's certificate against this name.

If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true.

sslPassword String The password associated with the CAcert.

The default Splunk Enterprise CAcert uses the password "password."

sslRootCAPath String The path to the root certificate authority file (optional).
sslVerifyServerCert Boolean If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match.


Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/tiny:9997 -d initialBackoff=10

XML Response

...
 <title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-10T21:35:33-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>



data/outputs/tcp/server/{name}/allconnections

https://<host>:<mPort>/services/data/outputs/tcp/server/{name}/allconnections


Get {name} forwarder connections.


GET

List current connections to the {name} forwarded server.


Request parameters
None


Returned values

Name Description
destHost DNS name of the destination server.
destIp IP address of the destination server.
destPort Port on which the destination server is listening.
sourcePort Port on destination server where data is forwarded.
status Indicates the status of the connection to the server.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997/allconnections

XML Response

...
<title>tcpout-server</title>
 <id>https://localhost:8089/services/data/outputs/tcp/server</id>
 <updated>2011-07-15T15:15:12-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/server/_new" rel="create"/>
 <link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>localhost:9997</title>
   <id>https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997</id>
   <updated>2011-07-15T15:15:12-0700</updated>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="list"/>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997/_reload" rel="_reload"/>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="edit"/>
   <link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="destHost">localhost</s:key>
       <s:key name="destIp">127.0.0.1</s:key>
       <s:key name="destPort">9997</s:key>
       ... eai:acl nodes elided ...
       <s:key name="sourcePort">8089</s:key>
       <s:key name="status">connect_done</s:key>
     </s:dict>
   </content>
 </entry>



data/outputs/tcp/syslog

https://<host>:<mPort>/services/data/outputs/tcp/syslog

Access the configuration of a forwarded server configured to provide data in standard syslog format.


GET

Provides access to syslog data forwarding configurations.

Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
disabled Specifies whether global syslog configuration is disabled.
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values : (tcp | udp).


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog

XML Response

...
<title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:16:11-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>myServers</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers</id>
   <updated>2011-07-21T22:16:11-0700</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">1</s:key>
       ... eai:acl nodes elided ...
       <s:key name="server">syslogservers.splunk.com:514</s:key>
       <s:key name="type">tcp</s:key>
     </s:dict>
   </content>
 </entry>



POST

Configures a forwarder to send data in standard syslog format

Request parameters

Name Type Default Description
disabled Boolean If true, disables global syslog settings.
name
required
String Name of the syslog output group. This is name used when creating syslog configuration in outputs.conf.
priority Number Sets syslog priority value.

The priority value should specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

server String host:port of the server where syslog data should be sent
syslogSourceType String Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.

This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receives this special treatment.

To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example

syslogSourcetype = sourcetype::apache_common

Data that is "syslog" or matches this setting is assumed to already be in syslog format.

Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk software causes arbitrary log data to match syslog expectations.

timestampformat String Format of timestamp to add at start of the events to be forwarded.

The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

type String Protocol to use to send syslog data. Valid values: (tcp | udp ).


Returned values
None


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog -d myServers -d server=my.server.com:514

XML Response

...
<title>syslog</title>
 <id>https://localhost:22090/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T23:00:26-07:00</updated>
 <generator version="104359"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>



data/outputs/tcp/syslog/{name}

https://<host>:<mPort>/services/data/outputs/tcp/syslog/{name}

Manage configuration for the {name} forwarder.


DELETE

Deletes the configuration for the {name} forwarder.


Request parameters
None

Returned values
None


Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/syslog/myServers

XML Response

...
 <title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:20:52-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>


GET

Returns configuration information for the {name} forwarder.

Request parameters
None

Returned values

Name Description
disabled Specifies whether global syslog configuration is disabled.
server Specifies server:port where data is forwarded.
type Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values : (tcp | udp).


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog/myServers

XML Response

...
<title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:30:33-0700</updated>
 <generator version="101277"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>myServers</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers</id>
   <updated>2011-07-21T22:30:33-0700</updated>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="list"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="disabled">1</s:key>
       ... eai:acl nodes elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="server">syslogservers.splunk.com:514</s:key>
       <s:key name="type">tcp</s:key>
     </s:dict>
   </content>
 </entry>



POST

Updates the configuration of the {name} forwarder.

Request parameters

Name Type Default Description
disabled Boolean If true, disables global syslog settings.
priority Number Sets syslog priority value.

The priority value should specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

server String host:port of the server where syslog data should be sent
syslogSourceType String Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.

This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receives this special treatment.

To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example

syslogSourcetype = sourcetype::apache_common

Data that is "syslog" or matches this setting is assumed to already be in syslog format.

Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk software causes arbitrary log data to match syslog expectations.

timestampformat String Format of timestamp to add at start of the events to be forwarded.

The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details.

type String Protocol to use to send syslog data. Valid values: (tcp | udp ).


Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog/myServers -d type=udp

XML Response

...
 <title>syslog</title>
 <id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
 <updated>2011-07-21T22:53:23-07:00</updated>
 <generator version="104359"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>



Last modified on 12 October, 2021
Metrics Catalog endpoint descriptions   Search endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters