Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise.
For documentation on the most recent version, go to the latest release.
Metrics Catalog endpoint descriptions
Use the Metrics Catalog REST API to enumerate metrics and the dimensions and dimension values associated with metrics.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication are required for access to endpoints and REST operations.
Splunk users must have role and/or capability-based authorization to use REST endpoints, and must have the list_metrics_catalog capability to use the Metrics Catalog endpoint. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls > Users. To determine the capabilities assigned to a role, select Settings > Access controls > Roles.
App and user context
Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.
Default indexes for Metrics Catalog endpoints
If no metric indexes are defined with the filter parameter, Metrics Catalog endpoints use the default indexes specified for the role of the user. To review or update the default indexes for specific roles, select Settings > Access controls > Roles, select a role, and review or update the Indexes searched by default field.
If the set of default indexes for a role includes a mix of metrics indexes and event indexes, the Metrics Catalog endpoints only use the metrics indexes.
If there are no metrics indexes, the Metrics Catalog endpoints display an empty list.
Splunk Cloud URL for REST API access
Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.
Managed Splunk Cloud deployments
https://<deployment-name>.splunkcloud.com:8089
Self-service Splunk Cloud deployments
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.
https://input-<deployment-name>.cloud.splunk.com:8089
See Using the REST API in Splunk Cloud in the Splunk REST API Tutorials for more information.
catalog/metricstore/metrics
https://<host>:<mPort>/services/catalog/metricstore/metrics
Use this endpoint to list metric names.
GET
Returns metric names.
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Type | Description |
|---|---|---|
| earliest | String | Optional. A time string that specifies the earliest time for this search. Can be a relative or absolute time. The default value is -1d.
|
| filter | String | Optional. A URL-encoded set of one or more key-value pairs, where keys correspond to metric fields such as index or dimension. For example, to specify a dimension named app, use filter=app. To specify two index names and values such as index=index1 and index=index2, use index%3dindex1%26index%3dindex2.
|
| latest | String | Optional. A time string that specifies the latest time for this search. Can be a relative or absolute time. The default value is now.
|
| list_indexes | Boolean | Optional. When set to true, the endpoint returns the index or indexes associated with each metric. The default value is false.
|
Returned values
There are no returned values other than the metric names.
Example request and response
XML Request
List all metric names:
curl -k -u admin:passwd https://localhost:8089/services/catalog/metricstore/metrics
XML Response
...
<title>metricstore-metrics</title>
<id>https://epic-metriks-splk.sv.splunk.com:8089/services/catalog/metricstore/metrics</id>
<updated>2017-12-19T19:11:49+00:00</updated>
<generator build="31fcdba9ddc1" version="7.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/catalog/metricstore/metrics/_acl" rel="_acl"/>
<opensearch:totalResults>16</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>aws.ec2.CPUUtilization</title>
<id>https://epic-metriks-splk.sv.splunk.com:8089/services/catalog/metricstore/metrics/aws.ec2.CPUUtilization</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services/catalog/metricstore/metrics/aws.ec2.CPUUtilization" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/catalog/metricstore/metrics/aws.ec2.CPUUtilization" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">0</s:key>
<s:key name="can_write">0</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>bbuser</s:item>
<s:item>cat_read</s:item>
<s:item>power</s:item>
<s:item>splunk-system-role</s:item>
<s:item>statsd</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
<entry>
Example requests
- List all metric names that include the dimension field
dc:
curl -k -u admin:passwd https://localhost:8089/services/catalog/metricstore/metrics?filter=dc
- List all metric names that include either
dc=eastordc=westdimension fields:
curl -k -u admin:passwd https://localhost:8089/services/catalog/metricstore/metrics?filter=dc%3deast&filter=dc%3dwest
- List all metric names that are in
index1orindex2by their index:
curl -k -u admin:passwd https://localhost:8089/services/catalog/metricstore/metrics?filter=index%3dindex1%26index%3dindex2&list_indexes=t
catalog/metricstore/dimensions
https://<host>:<mPort>/services/catalog/metricstore/dimensions
Use this endpoint to list dimension names.
GET
Returns dimension names for a given metric.
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Type | Description |
|---|---|---|
| earliest | String | Optional. A time string that specifies the earliest time for this search. Can be a relative or absolute time. The default value is -1d.
|
| filter | String | Optional. A URL-encoded set of one or more key-value pairs, where keys correspond to metric fields such as index or dimension. For example, to specify a dimension named os, use filter=os. To specify two index names and values such asindex=index1 and index=index2, use index%3dindex1%26index%3dindex2.
|
| latest | String | Optional. A time string that specifies the latest time for this search. Can be a relative or absolute time. The default value is now.
|
| metric_name | String | Required. The name of a metric. |
Returned values
There are no returned values other than the dimension names.
Example request and response
XML Request
curl -k -u admin:passwd https://localhost:8089/services/catalog/metricstore/dimensions?metric_name=*
XML Response
...
<title>metricstore-dimensions</title>
<id>https://epic-metriks-splk.sv.splunk.com:8089/services/catalog/metricstore/dimensions</id>
<updated>2017-12-19T00:02:27+00:00</updated>
<generator build="31fcdba9ddc1" version="7.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/catalog/metricstore/dimensions/_acl" rel="_acl"/>
<opensearch:totalResults>7</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>App</title>
<id>https://epic-metriks-splk.sv.splunk.com:8089/services/catalog/metricstore/dimensions/App</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services/catalog/metricstore/dimensions/App" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/catalog/metricstore/dimensions/App" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">0</s:key>
<s:key name="can_write">0</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>bbuser</s:item>
<s:item>cat_read</s:item>
<s:item>power</s:item>
<s:item>splunk-system-role</s:item>
<s:item>statsd</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
Another example request'
List all the dimension fields for the os.mem.free metric when the dc dimension field is limited to a value of east:
curl -k -u admin:passwd https://localhost:8089/services/catalog/metricstore/dimensions?metric_name=os.mem.free&filter=dc%3deast
catalog/metricstore/dimensions/{dimension-name}/values
https://<host>:<mPort>/services/catalog/metricstore/dimensions/{dimension-name}/values
Use this endpoint to list values for a given {dimension-name}.
GET
Returns values of a {dimension-name} for a given metric.
Request parameters
Pagination and filtering parameters can be used with this method.
| Name | Type | Description |
|---|---|---|
| earliest | String | Optional. A time string that specifies the earliest time for this search. Can be a relative or absolute time. The default value is -1d.
|
| filter | String | Optional. A URL-encoded set of one or more key-value pairs, where keys correspond to metric fields such as index or dimension. For example, to specify a dimension named os, use filter=os. To specify two index names and values such asindex=index1 and index=index2, use index%3dindex1%26index%3dindex2.
|
| latest | String | Optional. A time string that specifies the latest time for this search. Can be a relative or absolute time. The default value is now.
|
| metric_name | String | Required. The name of a metric. |
Returned values
There are no returned values other than those of the selected {dimension-name}.
Example request and response
XML Request
List all values for the app dimension of the os.mem.free metric:
curl -k -u statsd:statsd https://localhost:8089/services/catalog/metricstore/dimensions/app/values?metric_name=os.mem.free
XML Response
...
<title>metricstore-dimensions</title>
<id>https://epic-metriks-splk.sv.splunk.com:8089/services/catalog/metricstore/dimensions</id>
<updated>2017-12-19T02:05:19+00:00</updated>
<generator build="31fcdba9ddc1" version="7.0.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/catalog/metricstore/dimensions/_acl" rel="_acl"/>
<opensearch:totalResults>7</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>accountmanagement</title>
<id>https://epic-metriks-splk.sv.splunk.com:8089/services/catalog/metricstore/dimensions/accountmanagement</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/services/catalog/metricstore/dimensions/accountmanagement" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/catalog/metricstore/dimensions/accountmanagement" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">0</s:key>
<s:key name="can_write">0</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>bbuser</s:item>
<s:item>cat_read</s:item>
<s:item>power</s:item>
<s:item>splunk-system-role</s:item>
<s:item>statsd</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
More example requests
- List all values for the
dcdimension of theos.mem.freemetric, wheredcis limited to a value ofeast:
curl -k -u admin:passwd https://localhost:8089/services/catalog/metricstore/dimensions/dc/values?metric_name=os.mem.free&filter=dc%3deast
- List all values for the
dcdimension of themem.freemetric, where the recorded measurements also have anosdimension field:
curl -k -u admin:changeme https://localhost:8089/services/catalog/metricstore/rollup
catalog/metricstore/rollup
https://<host>:<mPort>/services/catalog/metricstore/rollup
Use this endpoint to retrieve lists of metric indexes and their rollup summaries and to create new rollup policies for a given metric index.
Authentication and authorization
Use of the GET operation for this endpoint is restricted to roles that have the list_metrics_catalog capability. Use of the POST operation for this endpoint is restricted to roles that have the edit_metrics_rollup capability.
GET
Returns rollup summaries and the metric indexes with which they are associated.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
| Name | Description |
|---|---|
| name | The source index name. Rollup summaries are made up of aggregated metric data points that are derived from the metric data points in a source index. |
| summaries | A comma-separated list of the rollup summaries associated with the source metric index. Each summary configuration consists of a span and a rollup_index. The span is the interval by which the search head generates the aggregated rollup metric data points that make up the summary. The rollup_index is the target index for the rollup summary. The endpoint uses the following format when it lists summaries:
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/catalog/metricstore/rollup
XML response
...
<entry>
<title>index_s</title>
<id>https://localhost:8089/servicesNS/nobody/search/catalog/metricstore/rollup/index_s</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="list"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="edit"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="remove"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="aggregation.foo1">min</s:key>
<s:key name="aggregation.foo2">count</s:key>
<s:key name="defaultAggregation">avg</s:key>
<s:key name="dimensionList">app,region</s:key>
<s:key name="dimensionListType">included</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms"/>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="minSpanAllowed">300</s:key>
<s:key name="summaries">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="rollupIndex">index_d</s:key>
<s:key name="span">1h</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="rollupIndex">index_d</s:key>
<s:key name="span">1d</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Creates rollup policies for a specified metric index.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. Specify the name of the source metric index. This is the index from which the aggregated metric data points in the rollup summaries will be derived. |
| summaries | String | Required. Specify one or more rollup summaries, separated by commas. A rollup summary is a combination of a rollup metric index and a rollup period. The rollup period is the span. It is the interval on which the search head generates the aggregated rollup metric data points that make up the summary. The rollup index is the target index for the rollup summary. The endpoint uses the following format when it lists summaries:
|
| default_agg | [avg | count | max | median | min | perc<int> | sum] | Optional. An aggregation function. Provides the aggregation function that the rollup search uses when it aggregates the metric data points in the source metric index for a rollup summary. The defaultAggregation can be overruled for specific metrics by the aggregation.<metric_name> setting. Defaults to avg.
|
| dimension_list | String | Optional. A comma-separated list of dimensions that appear in the source index identified by the name parameter. This list corresponds to the dimension_list_type parameter, which determines whether this set of dimensions is included or excluded from the aggregated rollup metrics that the search head generates for the rollup summary.
|
| dimension_list_type | [included | excluded] | Optional. Identifies whether the dimensions specified in the dimension_list parameter are included or excluded from the rollup metrics that are generated by the rollup policies for the rollup summaries.
|
| metric_overrides | String | Optional. Provides a comma-separated list of exclusion rules for a set of rollup policies. Use this setting to override the default aggregation for one or more metrics. Each metric override pairs a metric name with an aggregation function using the following syntax: <metric_name>|<aggregation_function>. Only the following aggregation functions are allowed: avg, count, max, median, min, perc<int>, and sum.
|
Returned values
| Name | Description |
|---|---|
| aggregation.<metric_name> | Overrides the default aggregation for the specified metric and gives it a different aggregation instead. Defined by the metric_overrides argument.
|
| defaultAggregation | The default aggregation method for the rollup policy. |
| dimensionList | Comma-separated list of dimensions to be included or excluded from the aggregations, depending on the value of dimensionListType.
|
| dimensionListType | Indicates whether the dimensionList should be included or excluded from the rollup policy.
|
| rollup.<summary number>.rollupIndex | The target rollup index for a specific summary. Summaries are identified by the <summary number>.
|
| rollup.<summary number>.span | The rollup span for a specific summary. Summaries are identified by the <summary number>.
|
Example request and response
Place this stanza in metric_rollups.conf:
[index:index_s] aggregation.foo1 = min aggregation.foo2 = count defaultAggregation = avg dimensionList = app,region dimensionListType = included rollup.0.rollupIndex = index_d rollup.0.span = 1h rollup.1.rollupIndex = index_d rollup.1.span = 1d
XML Request
curl -k -u admin:changeme https://localhost:8089/services/catalog/metricstore/rollup -d name=index_s -d summaries="1h|index_d,1d|index_d" -d dimension_list="app,region" -d dimension_list_type=included -d metric_overrides="foo2|count,foo1|min"
XML response
...
<entry>
<title>index_s</title>
<id>https://localhost:8089/servicesNS/nobody/search/catalog/metricstore/rollup/index_s</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="list"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="edit"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="aggregation.foo1">min</s:key>
<s:key name="aggregation.foo2">count</s:key>
<s:key name="defaultAggregation">avg</s:key>
<s:key name="dimensionList">app,region</s:key>
<s:key name="dimensionListType">included</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms"/>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="minSpanAllowed">300</s:key>
<s:key name="summaries">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="rollupIndex">index_d</s:key>
<s:key name="span">1h</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="rollupIndex">index_d</s:key>
<s:key name="span">1d</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
catalog/metricstore/rollup/{index}
https://<host>:<mPort>/services/catalog/metricstore/rollup/{index}
Use this endpoint to:
- Retrieve a list of the rollup summaries associated with a specific source
{index}. - Update a rollup policy for a specific specific source
{index}. - Delete a rollup policy for a specific specific source
{index}.
Authentication and Authorization
Use of the GET operation for this endpoint is restricted to roles that have the list_metrics_catalog capability. Usage of the POST and DELETE operations for this endpoint are restricted to roles that have the edit_metrics_rollup capability.
GET
Returns a list of the rollup summaries associated with a specific source {index}.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
| Name | Description |
|---|---|
| summaries | Provides a comma-separated list of the rollup summaries associated with the source {index}. The summaries determine how the metric data in the {index} is aggregated and where the aggregated metric data points are stored. The endpoint uses the following format when it lists summaries:
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/catalog/metricstore/rollup/index_s
XML response
...
<entry>
<title>index_s</title>
<id>https://localhost:8089/servicesNS/nobody/search/catalog/metricstore/rollup/index_s</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="list"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="edit"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="remove"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="aggregation.foo1">min</s:key>
<s:key name="aggregation.foo2">count</s:key>
<s:key name="defaultAggregation">avg</s:key>
<s:key name="dimensionList">app,region</s:key>
<s:key name="dimensionListType">included</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms"/>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>default_agg</s:item>
<s:item>dimension_list</s:item>
<s:item>dimension_list_type</s:item>
<s:item>isProxyRequest</s:item>
<s:item>metric_overrides</s:item>
<s:item>noProxy</s:item>
<s:item>summaries</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="minSpanAllowed">300</s:key>
<s:key name="summaries">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="rollupIndex">index_d</s:key>
<s:key name="span">1h</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="rollupIndex">index_d</s:key>
<s:key name="span">1d</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Updates a rollup policy for a specific source {index}.
Request parameters
At least one argument is required.
| Name | Type | Description |
|---|---|---|
| dimension_list | string | Optional. A comma-separated list of dimensions that appear in the source index identified by the name parameter. This list corresponds to the dimension_list_type parameter, which determines whether this set of dimensions is included or excluded from the aggregated rollup metrics that the search head generates for the rollup summary..
|
| dimension_list_type | string | Optional. Identifies whether the dimensions specified in the dimension_list parameter are included or excluded from the rollup metrics that are generated by the rollup policies for the rollup summaries.
|
| metric_overrides | string | Optional. Provides a comma-separated list of exclusion rules for a set of rollup policies. Use this setting to override the default aggregation for one or more metrics. Each metric override should pair a metric name with an aggregation function using the following syntax: <metric_name>|<aggregation_function> Only the following aggregation functions are allowed: avg, count, max, median, min, perc<int>, and sum.
|
| summaries | string | Optional. Specify one or more rollup summaries, separated by commas. A rollup summary is a combination of a rollup metric index and a rollup period. The rollup period is the span. It is the interval on which the search head generates the aggregated rollup metric data points that make up the summary. The rollup index is the target index for the rollup summary. The endpoint uses the following format when it lists summaries:
|
Returned values
| Name | Description |
|---|---|
| aggregation.<metric_name> | Special default aggregation for the specified metric. Means all data points for this metric are aggregated using the indicated aggregation. |
| defaultAggregation | The default aggregation method for the rollup policy. |
| dimensionList | Comma-separated list of dimensions to be included or excluded from the aggregations, depending on the value of dimensionListType.
|
| dimensionListType | Indicates whether the dimensionList should be included or excluded from the rollup policy
|
| rollup.<summary number>.rollupIndex | The target rollup index for a specific summary. Summaries are identified by the <summary number>.
|
| rollup.<summary number>.span | The rollup span for a specific summary. Summaries are identified by the <summary number>.
|
Example request and response
Place this stanza in metric_rollups.conf:
[index:index_s] aggregation.foo1 = min aggregation.foo2 = count defaultAggregation = sum dimensionList = region dimensionListType = white numRollupPolicy = 1 rollup.0.rollupIndex = index_d rollup.0.span = 30m
XML Request
curl -k -u admin:changeme https://localhost:8089/services/catalog/metricstore/rollup/index_s -d summaries="30m|index_d"
XML response
...
<entry>
<title>index_s</title>
<id>https://localhost:8089/servicesNS/nobody/search/catalog/metricstore/rollup/index_s</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="list"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="edit"/>
<link href="/servicesNS/nobody/search/catalog/metricstore/rollup/index_s" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="aggregation.foo1">min</s:key>
<s:key name="aggregation.foo2">count</s:key>
<s:key name="defaultAggregation">avg</s:key>
<s:key name="dimensionList">app,region</s:key>
<s:key name="dimensionListType">included</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms"/>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="minSpanAllowed">300</s:key>
<s:key name="summaries">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="rollupIndex">index_d</s:key>
<s:key name="span">30m</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
DELETE
Deletes a rollup policy for a specific source {index}.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example request and response
Remove the [index:metric_x] stanza from metric_rollups.conf.
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/catalog/metricstore/rollup/metric_x
XML response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>metricstore_rollup</title>
<id>https://localhost:8089/services/catalog/metricstore/rollup</id>
<updated>2019-03-20T16:40:00-07:00</updated>
<generator build="86a463dcd7353fbb093dddacb657f1314fff6529" version="20190319"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/catalog/metricstore/rollup/_new" rel="create"/>
<link href="/services/catalog/metricstore/rollup/_reload" rel="_reload"/>
<link href="/services/catalog/metricstore/rollup/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
Last modified on 23 July, 2019
| License endpoint descriptions | Output endpoint descriptions |
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0
Download manual
Feedback submitted, thanks!