Access endpoint descriptions - Splunk Documentation
Splunk® Enterprise

REST API Reference Manual

Splunk® Enterprise
8.0.0
Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Access endpoint descriptions

Access and manage user credentials.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information, see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Use the following URL for Splunk Cloud deployments. If necessary, submit a support case using the Splunk Support Portal to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

Free trial Splunk Cloud accounts cannot access the REST API.

See Using the REST API in Splunk Cloud in the Splunk REST API Tutorials for more information.


admin/Duo-MFA

Configure Duo Multifactor authentication.

Authentication and Authorization
Requires the change_authentication capability.

Usage details
Disable any SSO configurations, such as SAML, before enabling Duo authentication for the first time. Duo only works with local auth types.


GET

List Duo Multifactor configuration settings.

POST

Create a Duo Multifactor configuration.

admin/Duo-MFA/{name}

Access and manage the {name} Duo Multifactor configuration.

Authentication and Authorization
Requires the change_authentication capability.


GET

List the {name} Duo Multifactor configuration settings.

POST

Update the {name} Duo Multifactor configuration.


DELETE

Delete the {name} Duo Multifactor configuration.



RSA multifactor authentication REST API usage details

Splunk Enterprise users can configure RSA user authentication using the REST API.

You can use the RSA multifactor authentication REST API to configure RSA authentication and to verify that the authentication is configured correctly.

  • To configure multifactor authentication for Splunk Web, you use the /services/admin/Rsa-MFA endpoint. To enable CLI and management port, set the parameter enableMfaAuthRest to true.
  • To verify the authentication, you use the /services/admin/Rsa-MFA-config-verify/ endpoint.

Authentication and Authorization

Requires the change_authentication capability.

To learn more about using RSA multifactor authentication, see About multifactor authentication with RSA Authentication Manager in Securing Splunk Enterprise.

admin/Rsa-MFA

Configure RSA multifactor authentication.

GET

List the RSA Authentication Manager configuration settings.

POST

Edit the RSA Authentication Manager configuration.

DELETE

Delete the RSA Authentication Manager configuration.



admin/Rsa-MFA-config-verify/<rsa-stanza-name>

Verify RSA multifactor authentication.

POST

Verify the RSA multifactor authentication.

LDAP REST API usage details

Splunk Enterprise users can configure LDAP user authentication using the REST API. If you are using Splunk Cloud, contact Support for assistance with setting up LDAP authentication.

LDAP user authentication lets you specify configurations, user groups, and group to role mappings to manage permissions in your Splunk deployment.

You can use the LDAP REST API for the following LDAP management tasks.

  • Configure an LDAP strategy for a server in your deployment.
  • Map LDAP groups to user roles in a server to manage group permissions.
  • Enable or disable an LDAP strategy.

To learn more about using LDAP authentication, see Set up user authentication with LDAP in Securing Splunk Enterprise.

admin/LDAP-groups

https://<host>:<mPort>/services/admin/LDAP-groups

Access and update LDAP group to role mappings.

Authentication and authorization
Requires the change_authentication capability for access.


GET

Access LDAP group mappings.

POST

Create an LDAP group.


authentication/providers/LDAP

https://<host>:<mPort>/services/authentication/providers/LDAP

Access or create LDAP authentication strategies on a server in your deployment.

Authentication and authorization
Requires the change_authentication capability for access.

GET

Access LDAP configuration strategies.

POST

Create an LDAP strategy.



authentication/providers/LDAP/{LDAP_strategy_name}

https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}

Access, update, or delete the {LDAP_strategy_name} strategy.

Authentication and authorization
Requires the change_authentication capability for access.

POST

Update an existing LDAP strategy.

DELETE

Delete an existing LDAP strategy.



authentication/providers/LDAP/{LDAP_strategy_name}/enable

https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}/enable


POST

Enable the {LDAP_strategy_name} LDAP strategy.


authentication/providers/LDAP/{LDAP_strategy_name}/disable

https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}/disable


POST

Disable the {LDAP_strategy_name} LDAP strategy.


admin/metrics-reload/_reload

https://<host>:<mPort>/services/admin/metrics-reload/_reload

Use this endpoint to reload the metrics processor after updating a metrics-related configuration.

POST

Reload the metrics processor.


ProxySSO REST API usage details

SSO mode must be enabled before you can configure ProxySSO. If you are creating a new ProxySSO configuration for the first time, follow these steps.

  1. Locate the web.conf file in the etc/system/local directory.
  2. Make the following additions to the [settings] stanza of the web.conf file. If the file does not already exist in this location, create a new file called web.conf and add only the [settings] stanza name and the following settings to it.
    [settings]
    SSOMode = strict
    trustedIP = <IP_address>
    remoteUser = <remote user>
    remoteGroups = <remote group>
    tools.proxy.on = False
    allowSsoWithoutChangingServerConf = 1
    
    
  3. Restart the Splunk deployment after updating web.conf.
  4. Use the admin/ProxySSO-auth/{proxy_name}/enable endpoint to enable the configuration that you are creating.
  5. Use the admin/ProxySSO-auth endpoint to add the new configuration.
  6. (Optional) Use the services/admin/auth-services endpoint to verify that the active_authmodule is set to ProxySSO.

admin/ProxySSO-auth

https://<host>:<mPort>/services/admin/ProxySSO-auth

Access or create a ProxySSO configuration.

GET

Review existing ProxySSO configurations.


POST

Add a new ProxySSO configuration.


admin/ProxySSO-auth/{proxy_name}

https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name} 

Access, update, or delete the {proxy_name} configuration.

GET

Access configuration details.


POST

Update a configuration.


DELETE

Delete a configuration.


admin/ProxySSO-auth/{proxy_name}/disable

https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name}/disable

Disable the {proxy_name} configuration.


GET

Disable the {proxy_name} configuration.


admin/ProxySSO-auth/{proxy_name}/enable

https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name}/enable

Use a GET request to create and enable the {proxy_name} authentication setting. Changes are made in the default app context.


GET

Enable the {proxy_name} configuration.

admin/ProxySSO-groups

https://<host>:<mPort>/services/admin/ProxySSO-groups

Access or create role to group ProxySSO mappings.


Authentication and authorization
Requires the change_authentication capability.

GET

Access ProxySSO role to group mappings.


POST

Create a new mapping.


admin/ProxySSO-groups/{group_name}

https://<host>:<mPort>/services/admin/ProxySSO-groups/{group_name} 

Access, create, and manage role to group mappings.

Authentication and authorization
Requires the change_authentication capability.

GET

Access role mappings for the {group_name} group.


POST

Create a new {group_name} mapping or update an existing one.


DELETE

Delete the {group_name} group mapping.


admin/ProxySSO-user-role-map

https://<host>:<mPort>/services/admin/ProxySSO-user-role-map

Access or create a user to role mapping.

Authentication and authorization
Requires the edit_user capability.

GET

Access user to role mappings.


POST

Create a user to role mapping.


admin/ProxySSO-user-role-map/{user_name}

https://<host>:<mPort>/services/admin/ProxySSO-user-role-map/{user_name} 

Access or delete a user to role mapping.

Authentication and authorization
Requires the edit_user capability.

GET

Access role mappings for the {user_name} user.


DELETE

Delete the {user_name} user to role mapping.


SAML REST API usage details

Splunk Enterprise users can configure SAML authentication for single sign-on (SSO). If you are using Splunk Cloud, contact Support to request assistance.

You can use the REST API to make the following SAML configurations.

  • Manage group and user role mappings.
  • Access service and identity provider information.
  • Replicate SAML IdP certificates across a search head cluster.


For more information on using SAML for SSO, see Authentication using single sign-on with SAML in Securing Splunk Enterprise. You can also review the SAML settings stanza in authentication.conf in the Admin Manual.


admin/replicate-SAML-certs

https://<host>:<mPort>/services/admin/replicate-SAML-certs

Replicate SAML IdP certificates across a search head cluster.

Note: This endpoint is only available for use on search head clustered deployments with KV Store enabled.

Authentication and authorization
Requires the change_authentication capability for access.


POST

Usage details
After editing SAML IdP certificate files in $SPLUNK_HOME/etc/auth/idpCerts on one node in the cluster, you can POST to /replicate-SAML-certs to replicate the certificates across the cluster. This can be useful if there is an error in the certificate files from /SAML-idp-metadata and you need to edit them manually.

There are no request parameters or returned values.


admin/SAML-groups

https://<host>:<mPort>/services/admin/SAML-groups

Manage the mapping of external groups in an IdP response to internal Splunk roles.

Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access internal roles for this external group.


POST

Convert an external group to internal roles.


admin/SAML-groups/{group_name}

https://<host>:<mPort>/services/admin/SAML-groups/{group_name}

Delete the {group_name} group.

Authentication and authorization
Requires change_authentication capability for all operations.


DELETE

Delete the {group_name} group.


admin/SAML-idp-metadata

https://<host>:<mPort>/services/admin/SAML-idp-metadata

Access IdP SAML metadata attributes.


Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access SAML user and role information for saved searches.


admin/SAML-sp-metadata

https://<host>:<mPort>/services/admin/SAML-sp-metadata

Access service provider SAML metadata attributes.


Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access SAML metadata attributes.


admin/SAML-user-role-map

https://<host>:<mPort>/services/admin/SAML-user-role-map

Description

Access or create SAML user and role information for saved searches if your IdP does not support Attribute Query Requests. To delete a username, see admin/SAML-user-role-map/{name}.

Authentication and authorization
Requires edit_user capability for all operations.


GET

Access SAML user and role information for saved searches.


POST

Update SAML user and role information for saved searches.


DELETE

See admin/SAML-user-role-map/{name}


admin/SAML-user-role-map/{name}

https://<host>:<mPort>/services/admin/SAML-user-role-map/{name}

Delete SAML user and role information for saved searches if your IdP does not support Attribute Query Requests.

Authentication and authorization
Requires edit_user capability for all operations.


DELETE

Remove a username from SAML users for saved searches.


authentication/providers/SAML

https://<host>:<mPort>/services/authentication/providers/SAML

Access and create SAML configurations.

Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access SAML configurations.

POST

Create a new SAML configuration.


authentication/providers/SAML/{stanza_name}

https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}


GET

Access a SAML configuration.


POST

Update a SAML configuration.


authentication/providers/SAML/{stanza_name}/enable

https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}/enable

POST

Enable a SAML strategy.


authentication/providers/SAML/{stanza_name}/disable

https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}/disable

POST

Disable a SAML strategy.


auth/login

https://<host>:<mPort>/services/auth/login


Get a session ID for use in subsequent API calls that require authentication. Set up cookie-based authorization.

The splunkd server supports token-based authentication using the standard HTTP authorization header. Before you can access Splunk Enterprise resources, you must authenticate with the splunkd server using your username and password.

Use cookie-based authorization

To use cookie-based authorization, first ensure that the allowCookieAuth setting is enabled in server.conf. By default, this setting is enabled in Splunk software versions 6.2 and later.

If allowCookieAuth is enabled, you can pass a cookie=1 parameter to the POST request on auth/login. As noted in the Response data keys section below, a Set-Cookie header is returned. This header must be used in subsequent requests.

Any request authenticated using a cookie may include a new Set-Cookie header in its response. Use this new cookie value in any subsequent requests.

If you do not receive a Set-Cookie header in response to the auth/login POST request but login succeeded, you can use the standard Authorization:Splunk... header with the session key for authorization.
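
The credential handling described above (use the cookie when Set-Cookie is returned, replace it whenever a later response sends a new one, otherwise fall back to the Authorization: Splunk header) can be sketched as follows. This is an added example, not code from the Splunk documentation; the SplunkdSession helper is hypothetical, and the response body shape and the splunkd_8089 cookie name in the constructed samples are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an auth/login response body (assumed shape).
LOGIN_BODY = "<response>\n  <sessionKey>CONSTRUCTED-SESSION-KEY</sessionKey>\n</response>"


class SplunkdSession:
    """Hypothetical helper: holds the credential to send on the next request."""

    def __init__(self):
        self.session_key = None  # for the Authorization: Splunk header
        self.cookies = {}        # cookie name -> latest value

    def _absorb_cookies(self, headers):
        # headers is a list of (name, value) pairs; names are case-insensitive.
        for name, value in headers:
            if name.lower() != "set-cookie":
                continue
            # Keep only "name=value"; Path, HttpOnly and so on are attributes.
            pair = value.split(";", 1)[0].strip()
            key, sep, val = pair.partition("=")
            if sep and key:
                self.cookies[key] = val

    def handle_login(self, status, headers, body):
        """Process the response to POST auth/login (optionally with cookie=1)."""
        if status != 200:
            raise PermissionError(f"auth/login returned HTTP {status}")
        key = ET.fromstring(body).findtext("sessionKey")
        if not key:
            raise ValueError("login response has no sessionKey")
        self.session_key = key
        self._absorb_cookies(headers)

    def handle_response(self, headers):
        """Any cookie-authenticated response may carry a replacement cookie."""
        self._absorb_cookies(headers)

    def auth_headers(self):
        """Headers for the next request: cookie if issued, else session key."""
        if self.cookies:
            pairs = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
            return {"Cookie": pairs}
        if self.session_key:
            return {"Authorization": f"Splunk {self.session_key}"}
        raise RuntimeError("not authenticated")


def demo():
    """Run both paths from the text over constructed responses."""
    with_cookie = SplunkdSession()
    with_cookie.handle_login(
        200, [("Set-Cookie", "splunkd_8089=cookieA; Path=/; HttpOnly")], LOGIN_BODY)
    first = with_cookie.auth_headers()
    with_cookie.handle_response(
        [("set-cookie", "splunkd_8089=cookieB; Path=/; HttpOnly")])
    rotated = with_cookie.auth_headers()

    no_cookie = SplunkdSession()
    no_cookie.handle_login(200, [], LOGIN_BODY)
    return first, rotated, no_cookie.auth_headers()
```
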


See also


POST

Get a session ID for use in subsequent API calls that require authentication. Optionally, use cookie-based authentication or multifactor authentication.


authentication/current-context

https://<host>:<mPort>/services/authentication/current-context

Get the authenticated session owner username.

For additional information, see the following resources.


GET

Get user information for the current context.


authentication/httpauth-tokens

https://<host>:<mPort>/services/authentication/httpauth-tokens

List currently active session IDs and users.

For additional information, see the following resources.


GET

List currently active session IDs/users.


authentication/httpauth-tokens/{name}

https://<host>:<mPort>/services/authentication/httpauth-tokens/<name>


Access or delete the {name} session, where {name} is the session ID returned by auth/login.

For additional information, see the following resources.


DELETE

Delete the session associated with this session ID.


GET

Get session information.



authentication/users

https://<host>:<mPort>/services/authentication/users


List current users and create new users.

For additional information about configuring users and roles, see the following resources in Securing Splunk Enterprise.

Authentication and authorization
Requires the edit_user capability.

GET

List current users.


POST

Create a user.



authentication/users/{name}

https://<host>:<mPort>/services/authentication/users/{name}

Access and update user information or delete the {name} user.

Usage details
The /{name} username portion of the URL is not case sensitive.

For additional information about user capabilities, see the following resource in Securing Splunk Enterprise.

Authentication and authorization
Requires the edit_user capability.

DELETE

Remove the specified user from the system.


GET

Return information for the specified user.


POST

Update the specified user.


authorization/capabilities

https://<host>:<mPort>/services/authorization/capabilities

Access system capabilities.

GET

List system capabilities.


authorization/grantable_capabilities

https://<host>:<mPort>/services/authorization/grantable_capabilities

Get a list of all capabilities that the current user can grant.

Authorization
Capabilities listed depend on the current user authorization. If the current user has the edit_roles capability, the response lists all capabilities. Otherwise, depending on the current user's edit_user permissions and configured grantableRoles in authorize.conf, the response lists only the capabilities that the current user can grant.


GET

List capabilities that the current user can grant.


authorization/roles

https://<host>:<mPort>/services/authorization/roles


Create a role or get a list of defined roles with role permissions.

For additional information, see the following resources in Securing Splunk Enterprise.


GET

List all roles and the permissions for each role.


POST

Create a user role.
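
The capabilities this page names as gating its endpoints (change_authentication, edit_user, edit_roles, list_storage_passwords, admin_all_objects) can be audited from the GET authorization/roles listing to find roles outside an expected set that hold them. This is an added example, not code from the Splunk documentation; it assumes the JSON form of the response with each role under entry[].name and its content.capabilities and content.imported_capabilities lists, and the role names in the sample are constructed.

```python
import json

# Capabilities named on this page, with what each one gates.
SENSITIVE = {
    "change_authentication": "MFA, LDAP, SAML and ProxySSO configuration",
    "edit_user": "user accounts and user to role mappings",
    "edit_roles": "all capabilities become grantable",
    "list_storage_passwords": "GET on storage/passwords",
    "admin_all_objects": "POST and DELETE on storage/passwords",
}

# Constructed sample of a roles listing (assumed response shape).
SAMPLE_ROLES = json.dumps({"entry": [
    {"name": "admin", "content": {
        "capabilities": sorted(SENSITIVE), "imported_capabilities": []}},
    {"name": "helpdesk", "content": {
        "capabilities": ["edit_user"], "imported_capabilities": ["search"]}},
    {"name": "app_integrator", "content": {
        "capabilities": ["list_storage_passwords"],
        "imported_capabilities": ["search"]}},
    {"name": "soc_lead", "content": {
        "capabilities": ["search"],
        "imported_capabilities": ["list_storage_passwords",
                                  "change_authentication"]}},
    {"name": "user", "content": {
        "capabilities": ["search"], "imported_capabilities": []}},
]})


def audit_roles(payload, expected_roles=frozenset({"admin"})):
    """Return {capability: [(role, how), ...]} for roles outside expected_roles.

    how is "direct" when the role lists the capability itself and
    "inherited" when it arrives through an imported role.
    """
    findings = {cap: [] for cap in SENSITIVE}
    for entry in json.loads(payload).get("entry", []):
        role = entry["name"]
        if role in expected_roles:
            continue
        content = entry.get("content", {})
        direct = set(content.get("capabilities", []))
        inherited = set(content.get("imported_capabilities", [])) - direct
        for cap in SENSITIVE:
            if cap in direct:
                findings[cap].append((role, "direct"))
            elif cap in inherited:
                findings[cap].append((role, "inherited"))
    # Drop capabilities nobody unexpected holds; sort for stable reports.
    return {cap: sorted(hits) for cap, hits in findings.items() if hits}
```
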


authorization/roles/{name}

https://<host>:<mPort>/services/authorization/roles/<name>

Access, create, or delete properties for the {name} role.

For additional information, see the following resource in Securing Splunk Enterprise: List of available capabilities.


DELETE

Delete the specified role.

GET

Access the specified role.


POST

Update the specified role.


authorization/tokens

https://<host>:<mPort>/services/authorization/tokens


Create, get information on, or modify tokens for authentication.

For additional information, see the following resources in Securing Splunk Enterprise.


GET

List information on tokens.


POST

Change the status of one or more tokens.


authorization/tokens/{name}

https://<host>:<mPort>/services/authorization/tokens/<name>


Get information on, modify, or delete authentication tokens for the {name} user.

For additional information, see the following resources in Securing Splunk Enterprise.


DELETE

Delete a token for the specified user.


POST

Create a token for the specified username.


storage/passwords

https://<host>:<mPort>/services/storage/passwords

Create or update user credentials, or list credentials for all users.

Authorization
The list_storage_passwords capability is required for the GET operation. The admin_all_objects capability is required for the POST operation.

Usage details
The password credential is the only part of the user credentials that is stored securely. It is encrypted with a secure key resident on the same server.


GET

List available credentials.


POST

Create/update new credentials.


storage/passwords/{name}

https://<host>:<mPort>/services/storage/passwords/<name>

Update, delete, or list credentials for the {name} user.

Authorization
The admin_all_objects capability is required for the DELETE and POST operations. The list_storage_passwords capability is required for the GET operation.


DELETE

Delete the specified user credentials.


GET

Access the specified user credentials.


POST

Update the specified user credentials.


Last modified on 12 July, 2021
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

