Splunk® Enterprise

REST API Tutorials

Using the REST API with Splunk Cloud

To access your Splunk Cloud deployment using the Splunk REST API and SDKs, submit a support case requesting access on the Support Portal. For managed deployments, Splunk Support opens port 8089 for REST access. You can specify a range of IP addresses to control who can access the REST API. For self-service deployments, Splunk Support defines a dedicated user and sends you credentials that enable that user to access the REST API.

Note: You can make REST API calls using a local (non-SAML) account.

URL for accessing the REST API

Managed Splunk Cloud deployments
Use the following URL for single-instance managed deployments.

https://<deployment-name>.cloud.splunk.com:8089

Use the following URL for clustered deployments. If necessary, submit a support case to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

Self-service Splunk Cloud deployments
Use the following URL for self-service deployments. To get the required non-SAML user credentials, submit a support case.

https://input-<deployment-name>.cloud.splunk.com:8089

Administrative role limitations

To protect the integrity of Splunk Cloud deployments, the Splunk Cloud administrative role sc_admin is restricted from performing the following types of tasks using Splunk Web, the command line interface, or the REST API:  

  • Modifying configuration of deployment servers and client configurations and distributed components (indexers, search heads, clustering)
  • Restarting a Splunk Cloud deployment
  • Executing debug commands
  • Installing apps and modifying app configurations

REST API access limitations

With the REST API, Splunk Cloud users can interact with the search tier only. You cannot access other tiers by using the REST API. Splunk Support manages all tiers other than the search tier.

Username and password authentication is required for access to endpoints and REST operations.

Refer to the following chart to see which resource groups have full, partial, or no support in Splunk Cloud.

| Category | Support level | Description |
|---|---|---|
| Access control | Partial | Authorize and authenticate users. |
| Applications | None | Install applications and application templates. |
| Clusters | None | Configure and manage indexer clusters and search head clusters. |
| Configuration | Partial | Manage configuration files and settings. |
| Deployment | None | Manage deployment servers and clients. |
| Inputs | None | Manage data input. |
| Introspection | None | Access system properties. |
| Knowledge | Full | Define indexed and searched data configurations. |
| KV store | None | Manage app key-value store. |
| Licensing | None | Manage licensing configurations. |
| Metrics | Partial | Enumerate metrics. |
| Outputs | None | Manage forwarder data configuration. |
| Search | Full | Manage searches and search-generated alerts and view objects. |
| System | Partial | Manage server configuration. |
| Workload management | Partial | Manage system resources for search workloads. |

Use cases and examples

Use the following use cases and examples to complete tasks with the Splunk Cloud REST API.

The URLs in these examples are formatted for a clustered managed Splunk Cloud deployment. See URL for accessing the REST API for information about formatting your requests for your type of deployment.

Create new indexes

Use the /services/cluster_blaster_indexes/sh_indexes_manager endpoint to create a new index.

curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager -d name=$INDEX_NAME_2 -d maxTotalDataSizeMB=$INDEX_SIZE_MB_2 -d frozenTimePeriodInSecs=$RETENTION_SECONDS_2

Create new roles mapped to new indexes

Complete the following steps to create new roles and map them to new indexes.

1. Create new index roles:

curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/authorization/roles -d name=$INDEX_ROLE_2 -d srchIndexesAllowed=$INDEX_NAME_2 -d srchIndexesDefault=$INDEX_NAME_2

2. Map the index roles to SAML groups:

curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/admin/SAML-groups -d name=$SAML_INDEX_ROLE_2 -d roles=$INDEX_ROLE_2
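
The index, role, and SAML group calls from this section and the previous one, chained into one script; this is an added example, not Splunk's own code. It omits -k so that curl verifies the server certificate, passes the credentials to curl on stdin rather than on the command line, and URL-encodes every field. Assumptions: the function names, the SPLUNK_* variables (including the optional CA bundle path SPLUNK_CACERT), the conservative index-name check, and that the deployment's certificate validates.

```shell
#!/bin/sh
# Added example; function names and SPLUNK_* variables are this example's assumptions.
LC_ALL=C; export LC_ALL   # make the [a-z] ranges below ASCII-only

# Base URL for the deployment types listed under "URL for accessing the REST API".
splunk_base_url() {   # $1 = single|clustered|self-service, $2 = deployment name
  case "$2" in ''|*[!A-Za-z0-9-]*) echo "bad deployment name" >&2; return 1 ;; esac
  case "$1" in
    single)       echo "https://$2.cloud.splunk.com:8089" ;;
    clustered)    echo "https://$2.splunkcloud.com:8089" ;;
    self-service) echo "https://input-$2.cloud.splunk.com:8089" ;;
    *) echo "unknown deployment type: $1" >&2; return 1 ;;
  esac
}

# POST form fields to $SPLUNK_URL$1. The credentials reach curl on stdin (-K -), so
# they stay out of the process list and shell history; every value is URL-encoded.
splunk_post() {       # $1 = endpoint path, remaining arguments = key=value fields
  path=$1; shift; nfields=$#
  for kv in "$@"; do set -- "$@" --data-urlencode "$kv"; done
  shift "$nfields"
  if [ "${SPLUNK_DRY_RUN:-0}" = 1 ]; then   # print the request instead of sending it
    echo "curl -sS --fail -K - $SPLUNK_URL$path $*"; return 0
  fi
  cred=$(printf '%s' "$SPLUNK_USER:$SPLUNK_PASS" | sed 's/[\\"]/\\&/g')
  printf 'user = "%s"\n' "$cred" |
    curl -sS --fail -K - ${SPLUNK_CACERT:+--cacert "$SPLUNK_CACERT"} \
      "$SPLUNK_URL$path" "$@"
}

# Index -> role -> SAML group, in the page's order; stops at the first failed step.
provision_index_role() {   # $1 index, $2 size MB, $3 retention s, $4 role, $5 SAML group
  case "$1" in ''|[!a-z0-9]*|*[!a-z0-9_-]*) echo "bad index name: $1" >&2; return 1 ;; esac
  for num in "$2" "$3"; do
    case "$num" in ''|*[!0-9]*) echo "not an integer: $num" >&2; return 1 ;; esac
  done
  splunk_post /services/cluster_blaster_indexes/sh_indexes_manager \
    "name=$1" "maxTotalDataSizeMB=$2" "frozenTimePeriodInSecs=$3" &&
  splunk_post /services/authorization/roles \
    "name=$4" "srchIndexesAllowed=$1" "srchIndexesDefault=$1" &&
  splunk_post /services/admin/SAML-groups "name=$5" "roles=$4"
}

# Usage: set SPLUNK_URL (from splunk_base_url), SPLUNK_USER and SPLUNK_PASS, then:
#   provision_index_role app_logs 500 7776000 role_app_logs saml_app_logs
```

Set SPLUNK_DRY_RUN=1 to print the three requests for review before sending anything to the deployment.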

Create new empty apps to store knowledge objects

Complete the following steps to create new empty apps to store knowledge objects, create new roles that are mapped to those empty apps, and then map the app roles to SAML groups.

1. Create empty apps with Splunk Web.

This action causes an immediate rolling restart.

2. Create new roles that map to your empty apps:

curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/authorization/roles -d name=$APP_ROLE_2

3. Map the app roles to SAML groups:

curl -k -u admin:pass https://<deployment-name>.splunkcloud.com:8089/services/admin/SAML-groups -d name=$SAML_APP_ROLE_2 -d roles=$APP_ROLE_2

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0


Comments

Thanks for the doc feedback, Aladda! I've updated the note with your suggestion.

Lkutch splunk, Splunker
November 1, 2018

REST endpoint access to cloud stacks secured by SAML can be done using a local account, if we want to update that in this docs link.

Aladda splunk, Splunker
July 19, 2018
