Splunk® Enterprise

REST API Reference Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configuration endpoint descriptions

Manage configuration files and settings.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Additional configuration file information

For details about working with configuration files, see the following topics in the Admin Manual.

Splunk Cloud Platform limitations

As a Splunk Cloud Platform user, you are restricted to interacting with the search tier only with the REST API. Configuration endpoints are generally not accessible in Splunk Cloud Platform.

See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.


configs/conf-{file}

https://<host>:<mPort>/services/configs/conf-{file}

Access and update a .conf configuration file.

For additional information, see the following resources.


GET

List {file} configuration file stanzas.

Namespace determines which instance of the file is retrieved.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys
None

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/configs/conf-props

XML Response

.
.
.
 <title>conf-props</title>
 <id>https://localhost:8089/services/configs/conf-props</id>
 <updated>2011-07-08T01:01:26-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/configs/conf-props/_new" rel="create"/>
 <link href="/services/configs/conf-props/_reload" rel="_reload"/>
 <!-- opensearch nodes elided for brevity. -->
 <s:messages/>
 <entry>
   <title>(?i)source::....zip(.\d+)?</title>
   <id>https://localhost:8089/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F</id>
   <updated>2011-07-08T01:01:26-07:00</updated>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="list"/>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="edit"/>
   <link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="ANNOTATE_PUNCT">1</s:key>
       <s:key name="BREAK_ONLY_BEFORE"/>
       <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
       <s:key name="CHARSET">UTF-8</s:key>
       <s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
       <s:key name="HEADER_MODE"/>
       <s:key name="LEARN_SOURCETYPE">1</s:key>
       <s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
       <s:key name="MAX_DAYS_AGO">2000</s:key>
       <s:key name="MAX_DAYS_HENCE">2</s:key>
       <s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
       <s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
       <s:key name="MAX_EVENTS">256</s:key>
       <s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
       <s:key name="MUST_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_BEFORE"/>
       <s:key name="NO_BINARY_CHECK">1</s:key>
       <s:key name="SEGMENTATION">indexing</s:key>
       <s:key name="SEGMENTATION-all">full</s:key>
       <s:key name="SEGMENTATION-inner">inner</s:key>
       <s:key name="SEGMENTATION-outer">outer</s:key>
       <s:key name="SEGMENTATION-raw">none</s:key>
       <s:key name="SEGMENTATION-standard">standard</s:key>
       <s:key name="SHOULD_LINEMERGE">1</s:key>
       <s:key name="TRANSFORMS"/>
       <s:key name="TRUNCATE">10000</s:key>
       <s:key name="disabled">0</s:key>
       <!-- eai:acl nodes elided for brevity. -->
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:userName">admin</s:key>
       <s:key name="maxDist">100</s:key>
       <s:key name="sourcetype">preprocess-zip</s:key>
       <s:key name="unarchive_cmd">_auto</s:key>
     </s:dict>
   </content>
 </entry>


POST

Add stanza to {file} configuration file.

Namespace determines which instance of the file is updated.

Authorization
Requires admin_all_objects capability.

Request parameters

Name Type Description
name String Required. Stanza name in {file} configuration file.
<variable> String Arbritrary number of key/value pairs.

Response keys
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props -d name=myblog

XML Response


<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>conf-props</title>
  <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
  <updated>2015-07-17T10:50:13+08:00</updated>
  <generator build="ab1a3707c875" version="6.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/configs/conf-props/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>myblog</title>
    <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myblog</id>
    <updated>2015-07-17T10:50:13+08:00</updated>
    <link href="/servicesNS/nobody/search/configs/conf-props/myblog" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/nobody/search/configs/conf-props/myblog" rel="list"/>
    <link href="/servicesNS/nobody/search/configs/conf-props/myblog/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/configs/conf-props/myblog" rel="edit"/>
    <link href="/servicesNS/nobody/search/configs/conf-props/myblog" rel="remove"/>
    <link href="/servicesNS/nobody/search/configs/conf-props/myblog/move" rel="move"/>
    <link href="/servicesNS/nobody/search/configs/conf-props/myblog/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="ANNOTATE_PUNCT">1</s:key>
        <s:key name="AUTO_KV_JSON">1</s:key>
        <s:key name="BREAK_ONLY_BEFORE"></s:key>
        <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
        <s:key name="CHARSET">UTF-8</s:key>
        <s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
        <s:key name="HEADER_MODE"></s:key>
        <s:key name="LEARN_SOURCETYPE">1</s:key>
        <s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
        <s:key name="MAX_DAYS_AGO">2000</s:key>
        <s:key name="MAX_DAYS_HENCE">2</s:key>
        <s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
        <s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
        <s:key name="MAX_EVENTS">256</s:key>
        <s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
        <s:key name="MUST_BREAK_AFTER"></s:key>
        <s:key name="MUST_NOT_BREAK_AFTER"></s:key>
        <s:key name="MUST_NOT_BREAK_BEFORE"></s:key>
        <s:key name="SEGMENTATION">indexing</s:key>
        <s:key name="SEGMENTATION-all">full</s:key>
        <s:key name="SEGMENTATION-inner">inner</s:key>
        <s:key name="SEGMENTATION-outer">outer</s:key>
        <s:key name="SEGMENTATION-raw">none</s:key>
        <s:key name="SEGMENTATION-standard">standard</s:key>
        <s:key name="SHOULD_LINEMERGE">1</s:key>
        <s:key name="TRANSFORMS"></s:key>
        <s:key name="TRUNCATE">10000</s:key>
        <s:key name="detect_trailing_nulls">0</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">global</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">nobody</s:key>
        <s:key name="maxDist">100</s:key>
        <s:key name="priority"></s:key>
        <s:key name="sourcetype"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

configs/conf-{file}/{stanza}

https://<host>:<mPort>/services/configs/conf-{file}/{stanza}


Manage configuration file stanzas.


DELETE

Delete {stanza} in {file} configuration file.


Request parameters
None

Response keys
None

Example request and response


XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
     xmlns:s="http://dev.splunk.com/ns/rest">
 <title>conf-props</title>
 <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
 <updated>2011-07-08T01:01:27-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
 <!-- opensearch nodes elided for brevity. -->
 <s:messages/>
</feed>


GET

Get {stanza} in {file} configuration file.

Request parameters
None

Response keys
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message

XML Response

.
.
.
 <title>conf-eventtypes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes</id>
 <updated>2014-07-01T13:08:45-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/configs/conf-eventtypes/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/configs/conf-eventtypes/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>splunkd_message</title>
   <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message</id>
   <updated>2014-07-01T13:08:45-07:00</updated>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="list"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="edit"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="remove"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/move" rel="move"/>
   <link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="CHARSET">UTF-8</s:key>
       <s:key name="description"></s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">global</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list>
               <s:item>.*</s:item>
             </s:list>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:userName">nobody</s:key>
       <s:key name="priority">1</s:key>
       <s:key name="search"></s:key>
       <s:key name="tags"></s:key>
     </s:dict>
   </content>
 </entry>


POST

Update or add property to {stanza} in {file} configuration file.


Request parameters

Name Type Description
<variable> String Arbitrary number of key/value pairs to update.

Response keys
None

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs -d SHOULD_LINEMERGE=true

XML Response

.
.
.
 <title>conf-props</title>
 <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
 <updated>2011-07-08T01:01:26-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
 <link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
 <!-- opensearch nodes elided for brevity. -->
 <s:messages/>
 <entry>
   <title>myweblogs</title>
   <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs</id>
   <updated>2011-07-08T01:01:26-07:00</updated>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="list"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="edit"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="remove"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/move" rel="move"/>
   <link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="ANNOTATE_PUNCT">1</s:key>
       <s:key name="BREAK_ONLY_BEFORE"/>
       <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
       <s:key name="CHARSET">UTF-8</s:key>
       <s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
       <s:key name="HEADER_MODE"/>
       <s:key name="LEARN_SOURCETYPE">1</s:key>
       <s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
       <s:key name="MAX_DAYS_AGO">2000</s:key>
       <s:key name="MAX_DAYS_HENCE">2</s:key>
       <s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
       <s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
       <s:key name="MAX_EVENTS">256</s:key>
       <s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
       <s:key name="MUST_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_AFTER"/>
       <s:key name="MUST_NOT_BREAK_BEFORE"/>
       <s:key name="SEGMENTATION">indexing</s:key>
       <s:key name="SEGMENTATION-all">full</s:key>
       <s:key name="SEGMENTATION-inner">inner</s:key>
       <s:key name="SEGMENTATION-outer">outer</s:key>
       <s:key name="SEGMENTATION-raw">none</s:key>
       <s:key name="SEGMENTATION-standard">standard</s:key>
       <s:key name="SHOULD_LINEMERGE">1</s:key>
       <s:key name="TRANSFORMS"/>
       <s:key name="TRUNCATE">10000</s:key>
       <s:key name="disabled">0</s:key>
       <!-- eai:acl nodes elided for brevity. -->
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:userName">admin</s:key>
       <s:key name="maxDist">100</s:key>
     </s:dict>
   </content>
 </entry>

properties

https://<host>:<mPort>/services/properties


Manage .conf configuration files.


GET

List all system and app configuration files.

Request parameters
None

Response keys
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/properties

XML Response

.
.
.
 <title>properties</title>
 <id>https://localhost:8089/services/properties</id>
 <updated>2014-07-01T13:17:36-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <entry>
   <title>alert_actions</title>
   <id>https://localhost:8089/services/properties/alert_actions</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/alert_actions" rel="alternate"/>
 </entry>
 <entry>
   <title>app</title>
   <id>https://localhost:8089/services/properties/app</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/app" rel="alternate"/>
 </entry>
 <entry>
   <title>audit</title>
   <id>https://localhost:8089/services/properties/audit</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/audit" rel="alternate"/>
 </entry>
       .
       .
       .
     elided
       .
       .
       .
 <entry>
   <title>viewstates</title>
   <id>https://localhost:8089/services/properties/viewstates</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/viewstates" rel="alternate"/>
 </entry>
 <entry>
   <title>web</title>
   <id>https://localhost:8089/services/properties/web</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/web" rel="alternate"/>
 </entry>
 <entry>
   <title>workflow_actions</title>
   <id>https://localhost:8089/services/properties/workflow_actions</id>
   <updated>2014-07-01T13:17:36-07:00</updated>
   <link href="/services/properties/workflow_actions" rel="alternate"/>
 </entry>


POST

Create a configuration file.

Usage details
The namespace specified in the URL determines where the configuration file is created. For example, /services/properties creates the file in the $SPLUNK_BASE/etc/system/local directory and servicesNS/nobody/search creates the file in the $SPLUNK_BASE/etc/apps/search/local directory.

Authentication and Authorization
Requires the admin_all_objects capability.

Request parameters

Name Type Description
__conf String Required. Name of the configuration file to create. (Note double underscore prefix.

Response keys
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/properties -d __conf=myAppConfigFile

XML Response

No response body.

Returns: HTTP status = 201 (created)


properties/{file}

https://<host>:<mPort>/services/properties/{file}

Access stanzas in specified configuration file.

Usage details
The URL namespace determines the scope of visible stanzas. The endpoint returns all stanzas of the specified configuration file, for all configuration files and stanzas visible in the namespace.


GET

List stanzas in {file} configuration file.


Request parameters
None

Response keys

This endpoint returns an <entry> for each stanza in addition to <default> stanzas.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/eventtypes

XML Response

.
.
.
 <title>eventtypes</title>
 <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes</id>
 <updated>2014-07-17T10:24:53-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <entry>
   <title>default</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/default</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/default" rel="alternate"/>
 </entry>
 <entry>
   <title>internal_search_terms</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/internal_search_terms</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/internal_search_terms" rel="alternate"/>
 </entry>
 <entry>
   <title>proxylogs</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/proxylogs</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/proxylogs" rel="alternate"/>
 </entry>
 <entry>
   <title>splunkd-access</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd-access</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/splunkd-access" rel="alternate"/>
 </entry>
 <entry>
   <title>splunkd-log</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd-log</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/splunkd-log" rel="alternate"/>
 </entry>
 <entry>
   <title>splunkd_message</title>
   <id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd_message</id>
   <updated>2014-07-17T10:24:53-07:00</updated>
   <link href="/servicesNS/nobody/search/properties/eventtypes/splunkd_message" rel="alternate"/>
 </entry>
</feed>


POST

Add stanza to {file} configuration file.


Request parameters

Name Type Description
__stanza String Required. The key/value pair of the stanza to add. Note double underscore prefix.

Response keys
None


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/eventtypes -d __stanza=proxylogs

XML Response

No data returned in body.

Returns: HTTP status 201 (created)


properties/{file}/{stanza}

https://<host>:<mPort>/services/properties/{file}/{stanza}


Access and update key/value pair(s) of the specified configuration file and stanza.


GET

List {stanza} key/value pair(s) of {file} configuration file.

Usage details
The URL namespace determines the scope of visible stanzas. This endpoint returns all stanzas of the specified configuration file for all configuration files and stanzas visible in the namespace.

Request parameters
None

Response keys
Each <entry> is a {stanza} key with a <content> value.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs

XML Response

.
.
.
 <title>proxylogs</title>
 <id>https://localhost:8089/services/properties/props/proxylogs</id>
 <updated>2011-07-08T12:08:52-07:00</updated>
 <generator version="102807"/>
 <author>
   <name>Splunk</name>
 </author>
 <entry>
   <title>ANNOTATE_PUNCT</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/ANNOTATE_PUNCT</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/ANNOTATE_PUNCT" rel="alternate"/>
   <content type="text">True</content>
 </entry>
 <entry>
   <title>BREAK_ONLY_BEFORE</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/BREAK_ONLY_BEFORE</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/BREAK_ONLY_BEFORE" rel="alternate"/>
   <content type="text"/>
 </entry>
 <entry>
   <title>BREAK_ONLY_BEFORE_DATE</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/BREAK_ONLY_BEFORE_DATE</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/BREAK_ONLY_BEFORE_DATE" rel="alternate"/>
   <content type="text">True</content>
 </entry>
       .
       .
       .
     elided
       .
       .
       .
 <entry>
   <title>TRANSFORMS</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/TRANSFORMS</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/TRANSFORMS" rel="alternate"/>
   <content type="text"/>
 </entry>
 <entry>
   <title>TRUNCATE</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/TRUNCATE</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/TRUNCATE" rel="alternate"/>
   <content type="text">10000</content>
 </entry>
 <entry>
   <title>maxDist</title>
   <id>https://localhost:8089/services/properties/props/proxylogs/maxDist</id>
   <updated>2011-07-08T12:08:52-07:00</updated>
   <link href="/services/properties/props/proxylogs/maxDist" rel="alternate"/>
   <content type="text">100</content>
 </entry>


POST

Add or update one or more key/value pair(s) in {stanza} of {file} configuration file.


Request parameters

Name Type Description
<variable> String Required. One or more key/value pair(s).

Response keys
A response <message> indicates update success or failure.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs -d NO_BINARY_CHECK=true -d CHARSET=UTF-8

XML Response

<response>
 <messages>
   <msg type="INFO">Successfully modified 2 key(s)</msg>
 </messages>
</response>

properties/{file}/{stanza}/{key}

https://<host>:<mPort>/services/properties/{file}/{stanza}/{key}

Access and update values for the specified configuration file, stanza, and key.


GET

Get a plaintext {key} value for a configuration file stanza and key.

Request parameters
None

Response keys

Name Description
<variable> Plaintext value.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs/SHOULD_LINEMERGE

XML Response

True


POST

Update a plaintext {key} value for a configuration file stanza and key.


Request parameters

Name Type Description
<variable> String Required. Plaintext value.

Response keys
Message indicates update success or failure.

Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs/SHOULD_LINEMERGE -d value=false

XML Response

<response>
 <messages>
   <msg type="INFO">Successfully modified 1 key(s)</msg>
 </messages>
</response>

Last modified on 12 October, 2021
Cluster endpoint descriptions   Deployment endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters