Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise.
For documentation on the most recent version, go to the latest release.
Application endpoint descriptions
Manage applications.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication is required for access to endpoints and REST operations.
Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.
App and user context
Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.
Splunk Cloud Platform limitations
As a Splunk Cloud Platform user, you are restricted to interacting with the search tier only with the REST API. Application endpoints are generally not accessible in Splunk Cloud Platform.
Authorized users can access and configure applications in the Splunk Cloud Platform user interface.
See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.
apps/apptemplates
https://<host>:<port>/services/apps/apptemplates
List installed app templates. You can use an app template as the template parameter in a POST to /services/apps/local.
For additional information, see apps/local.
GET
Expand
List installed app templates.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
None
Each <entry> element includes a <link> reference to an app template. The barebones and sample_app templates are installed by default.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates
XML Response
.
.
.
<title></title>
<id>https://localhost:8089/services/apps/apptemplates</id>
<updated>2014-07-01T09:50:36-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>barebones</title>
<id>https://localhost:8089/services/apps/apptemplates/barebones</id>
<updated>2014-07-01T09:50:36-07:00</updated>
<link href="/services/apps/apptemplates/barebones" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/apptemplates/barebones" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="lol">wut</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>sample_app</title>
<id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
<updated>2014-07-01T09:50:36-07:00</updated>
<link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/apptemplates/sample_app" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="lol">wut</s:key>
</s:dict>
</content>
</entry>
apps/apptemplates/{name}
https://<host>:<port>/services/apps/apptemplates/{name}
Get the {name} app template descriptor.
For additional information, see apps/apptemplates.
GET
Expand
Get the {name} app template descriptor.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
None
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates/sample_app
XML Response
.
.
.
<title></title>
<id>https://localhost:8089/services/apps/apptemplates</id>
<updated>2014-07-01T09:54:23-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>sample_app</title>
<id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
<updated>2014-07-01T09:54:23-07:00</updated>
<link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/apptemplates/sample_app" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="lol">wut</s:key>
</s:dict>
</content>
</entry>
apps/local
https://<host>:<port>/services/apps/local
Create an app or list installed apps and properties.
The capabilities that this endpoint requires change based on the enable_install_apps setting in limits.conf. If this setting is true, the install_apps and edit_local_apps settings are required. If this setting is false, the admin_all_objects capability is required. By default, this setting value is false but you can change it on your system to improve security.
GET
Expand
List installed apps and properties.
Request parameters
Pagination and filtering parameters can be used with this method.
Response keys
| Name | Description |
|---|---|
| author | App author and optional contact information. For apps deployed on Splunkbase, the Splunkbase account username. |
| check_for_updates | Indicates whether to check for updates. true = Check Splunkbase for app updates.false = Do not check Splunkbase for app updates.
|
| configured | Custom setup complete indication:true = Custom app setup complete.false = Custom app setup not complete.
|
| description | App description. |
| details | URL to use for detailed information about the app. |
| disabled | App state indication.true = App is disabled.false = App is enabled.
|
| label | App name. |
| state_change_requires_restart | Indicates whether to require restart on state change.true = App state change requires restart.false = App state change might not require restart depending on other restart requirements.
|
| version | App version. |
| visible | Indicates whether app is visible and navigable from Splunk Web. true = App is visible and navigable.false = App is not visible and navigable.
|
Application usage
Splunkbase can correlate locally-installed apps with the same app on Splunkbase for update notifications.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local
XML Response
<title>localapps</title>
<id>https://localhost:17001/services/apps/local</id>
<updated>2015-10-13T17:53:03-07:00</updated>
<generator build="a1c9b18fdcfc" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<link href="/services/apps/local/_acl" rel="_acl"/>
<opensearch:totalResults>16</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>alert_logevent</title>
<id>https://localhost:17001/servicesNS/nobody/system/apps/local/alert_logevent</id>
<updated>2015-10-13T17:53:03-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/alert_logevent/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/alert_logevent" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/alert_logevent/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/alert_logevent/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="core">1</s:key>
<s:key name="description">Log Event Alert Action</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Log Event Alert Action</s:key>
<s:key name="managed_by_deployment_client">0</s:key>
<s:key name="show_in_nav">1</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">6.4.0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>alert_webhook</title>
<id>https://localhost:17001/servicesNS/nobody/system/apps/local/alert_webhook</id>
<updated>2015-10-13T17:53:03-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/alert_webhook/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/alert_webhook" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/alert_webhook/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/alert_webhook/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="core">1</s:key>
<s:key name="description">Webhook Alert Action</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Webhook Alert Action</s:key>
<s:key name="managed_by_deployment_client">0</s:key>
<s:key name="show_in_nav">1</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">6.4.0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>appsbrowser</title>
<id>https://localhost:17001/servicesNS/nobody/system/apps/local/appsbrowser</id>
<updated>2015-10-13T17:53:03-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/appsbrowser/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/appsbrowser" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/appsbrowser/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="core">1</s:key>
<s:key name="description">Browse apps available to install.</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Apps Browser</s:key>
<s:key name="managed_by_deployment_client">0</s:key>
<s:key name="show_in_nav">0</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">6.4.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>framework</title>
<id>https://localhost:17001/servicesNS/nobody/system/apps/local/framework</id>
<updated>2015-10-13T17:53:03-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/framework/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/framework/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/framework/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="core">1</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">framework</s:key>
<s:key name="managed_by_deployment_client">0</s:key>
<s:key name="show_in_nav">1</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>gettingstarted</title>
<id>https://localhost:17001/servicesNS/nobody/system/apps/local/gettingstarted</id>
<updated>2015-10-13T17:53:03-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted/enable" rel="enable"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="core">1</s:key>
<s:key name="description">Get started with Splunk. This app introduces you to many of Splunk's features. You'll learn how to use Splunk to index data, search and investigate, add knowledge, monitor and alert, report and analyze.</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Getting started</s:key>
<s:key name="managed_by_deployment_client">0</s:key>
<s:key name="show_in_nav">1</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">1.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
.
.
.
POST
Expand
Create an app.
Usage details
- Splunkbase can correlate locally installed apps with the same app on Splunkbase for update notifications.
- The app folder name cannot include spaces or special characters.
Request parameters
| Name | Type | Description |
|---|---|---|
| auth | String | Splunkbase session token for operations like install and update that require login. Use auth or session when installing or updating an app through Splunkbase. |
| author | String | For apps posted to Splunkbase, use your Splunk account username. For internal apps, include your name and contact information. |
| configured | Boolean | Custom setup complete indication:true = Custom app setup complete.false = Custom app setup not complete.
|
| description | String | Short app description also displayed below the app title in Splunk Web Launcher. |
| explicit_appname | String | Custom app name. Overrides name when installing an app from a file where filename is set to true. See also filename.
|
| filename | Boolean | Indicates whether to use the name value as the app source location. true indicates that name is a path to a file to install.false indicates that name is the literal app name and that the app is created from Splunkbase using a template.
|
| label | String | App name displayed in Splunk Web, from five to eighty characters excluding the prefix "Splunk for". |
| name | String | Required. Literal app name or path for the file to install, depending on the value of filename. filename = false indicates that name is the literal app name and that the app is created from Splunkbase using a template.filename = true indicates that name is the URL or path to the local .tar, .tgz or .spl file. If name is the Splunkbase URL, set auth or session to authenticate the request.
The app folder name cannot include spaces or special characters. |
| session | String | Login session token for installing or updating an app on Splunkbase. Alternatively, use auth. |
| template | Enum | App template to use when creating the app"barebones - [Default] Basic app framework.sample_app - Example views and searches.Any custom app template. |
| update | Boolean | File-based update indication:true specifies that filename should be used to update an existing app. If not specified, update defaults to false, which indicates that filename should not be used to update an existing app.
|
| version | String | App version. |
| visible | Boolean | Indicates whether the app is visible and navigable from Splunk Web. true = App is visible and navigable.false = App is not visible or navigable.
|
Response keys
| Name | Description |
|---|---|
| author | For apps posted to Splunkbase, your Splunk account username. For internal apps, your full name and contact information. |
| check_for_updates | true = Check Splunkbase for app updates.false = Do not check Splunkbase for app updates.
|
| configured | Custom setup completeness indication.true = Custom app setup complete.false = Custom app setup not complete.
|
| description | Brief app description, displayed below the app title in Splunk Web. |
| disabled | App state indication.true = App is disabled.false = App is enabled.
|
| label | App name displayed in Splunk Web. |
| name | Installed app name, which might differ from the POST name parameter. |
| state_change_requires_restart | Indicates whether restart required on state change. true = App state change requires restart.false = App state change might not require restart, depending on other restart requirements.
|
| version | App version. |
| visible | Indicates whether app is visible and navigable from Splunk Web.true = App is visible and navigable.false = App is not visible or navigable.
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local -d name=restDemo
XML Response
<title></title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:09:37-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>restDemo</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
<updated>2014-07-01T10:09:37-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author"></s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">restDemo</s:key>
<s:key name="name">restDemo</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">1.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
apps/local/{name}
https://<host>:<port>/services/apps/local/{name}
Manage {name} app. For additional information, see "Uninstall an app" in the Admin Manual.
DELETE
Expand
Delete the {name} app.
Usage details
- Use the /apps/local GET method to confirm that the app is no longer installed.
- See "Uninstall an app" for additional manual cleanup that might be needed after deleting an app.
Request parameters
None
Response keys
A message is displayed that might indicate a restart is required.
Specifying the name of a non-existent app returns an error message, as shown below.
In handler 'localapps': Could not find object id=<app_name>.
Example request and response
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/apps/local/sample_app
XML Response
. . . <title>localapps</title> <id>https://localhost:8089/services/apps/local</id> <updated>2014-07-15T10:24:35-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <link href="/services/apps/local/_new" rel="create"/> <link href="/services/apps/local/_reload" rel="_reload"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages> <s:msg type="INFO">Restart required by: indexes</s:msg> </s:messages>
GET
Expand
List information about the {name} app.
Request parameters
| Name | Type | Description |
|---|---|---|
| refresh | Boolean | Indicates whether to reload any objects associated with the {name} app indication:true = Reload objects.false = Do not reload objects.
|
Response keys
| Name | Description |
|---|---|
| author | For apps posted to Splunkbase, your Splunk account username. For internal apps, your full name and contact information. |
| check_for_updates | Indicates whether to check for updates. true = Check Splunkbase for app updates.false = Do not check Splunkbase for app updates.
|
| configured | Custom setup completeness indication. true = Custom app setup complete.false = Custom app setup not complete.
|
| description | Brief app description also displayed below the app title in Splunk Web. |
| disabled | App state indication:true = App is disabled.false = App is enabled.
|
| label | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". |
| state_change_requires_restart | Indicates whether restart is required on state change indication:true = App state change requires restart.false = App state change might not require restart, depending on other restart requirements.
|
| version | App version. |
| visible | App is visible and navigable from Splunk Web indication:true = App is visible and navigable.false = App is not visible or navigable.
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/dashboard_examples
XML Response
.
.
.
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:23:46-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>dashboard_examples</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/dashboard_examples</id>
<updated>2014-07-01T10:23:46-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk, Inc.</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="description"><![CDATA[Example dashboards, forms, and views for Splunk 5+. This is the succesor app to UI Examples 4.1+. Splunk Dashboard Examples contains over 50 examples updated for Splunk 5. Each example contains inline documenation to help get you started building Splunk dashboards.]]></s:key>
<s:key name="details">https://splunkbase.splunk.com/apps/id/dashboard_examples</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>author</s:item>
<s:item>check_for_updates</s:item>
<s:item>configured</s:item>
<s:item>description</s:item>
<s:item>label</s:item>
<s:item>version</s:item>
<s:item>visible</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="label">Splunk Dashboard Examples</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">5.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
POST
Expand
Update the {name} app properties. Append /enable or /disable to enable or disable the app. See Enable and disable endpoint for more information.
Request parameters
| Name | Type | Description |
|---|---|---|
| author | String | For apps posted to Splunkbase, use your Splunk account username. For internal apps, use your full name and contact information. |
| check_for_updates | Boolean | Check for updates indicator. true = Check Splunkbase for app updates.false = Do not check Splunkbase for app updates.
|
| configured | Boolean | Custom setup completion indicator. true = Custom app setup complete.false = Custom app setup not complete.
|
| description | String | Short app description also displayed below the app title in Splunk Web. |
| label | String | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". |
| version | String | App version. |
| visible | Boolean | Indicates whether app is visible and navigable from Splunk Web. true = App is visible and navigable.false = App is not visible and navigable.
|
Response keys
| Name | Description |
|---|---|
| author | For apps posted to Splunkbase, your Splunk account username. For internal apps, your full name and contact information. |
| check_for_updates | Check for updates indication:true = Check Splunkbase for app updates.false = Do not check Splunkbase for app updates.
|
| configured | Custom setup completion indicator. true = Custom app setup complete.false = Custom app setup not complete.
|
| description | App description also displayed below the app title in Splunk Web. |
| disabled | App state indication. true = App is disabled.false = App is enabled.
|
| label | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". |
| state_change_requires_restart | Restart required on state change indication:true = App state change requires restart.false = App state change might not require restart, depending on other restart requirements.
|
| version | App version. |
| visible | Indicator of whether app is visible and navigable from Splunk Web. true = App is visible and navigable.false = App is not visible or navigable.
|
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo -d version=1.1
XML Response
.
.
.
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:28:35-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>restDemo</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
<updated>2014-07-01T10:28:35-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author"></s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">restDemo</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">1.1</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
apps/local/{name}/package
https://<host>:<port>/services/apps/local/{name}/package
Archive the {name} app as a .spl file in the $SPLUNK_HOME/etc/system/static/app-packages directory.
GET
Expand
Archive the {name}.spl app.
Usage details
Download the archived app using the following URL:
https://host:<port>/static/app-packages/{name}.spl
Request parameters
None
Response keys
| Name | Description |
|---|---|
| name | App name and name of the folder containing the app. |
| path | Local path to an archive of the app. |
| url | App download URL. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo/package
XML Response
.
.
.
<title></title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:46:43-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>Package</title>
<id>https://localhost:8089/services/apps/local/Package</id>
<updated>2014-07-01T10:46:43-07:00</updated>
<link href="/services/apps/local/Package" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/local/Package/setup" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="name">restDemo</s:key>
<s:key name="path">C:\Program Files\Splunk\etc\system\static\app-packages\restDemo.spl</s:key>
<s:key name="url">https://localhost:8089/static/app-packages/restDemo.spl</s:key>
</s:dict>
</content>
</entry>
apps/local/{name}/setup
https://<host>:<port>/services/apps/local/{name}/setup
Get the {name} app setup information.
GET
Expand
Get setup information for the {name} app.
Usage details
Some apps contain setup scripts that must be run before the app is enabled. For those apps, the setup.xml file must exist in the $SPLUNK_BASE\etc\apps\<appname>\default directory.
Request parameters
None
Response keys
| Name | Description |
|---|---|
| <script location> | TBD |
| eai:setup | CDATA setup script location. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/unix/setup
XML Response
.
.
.
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2011-07-13T11:24:35-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>unix</title>
<id>https://localhost:8089/servicesNS/nobody/unix/apps/local/unix</id>
<updated>2011-07-13T11:24:35-07:00</updated>
<link href="/servicesNS/nobody/unix/apps/local/unix" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/unix/apps/local/unix/setup" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="/admin/script/.%252Fbin%252Fcpu.sh/enabled">1</s:key>
<s:key name="/admin/script/.%252Fbin%252Fcpu.sh/interval">30</s:key>
<s:key name="/admin/script/.%252Fbin%252Fdf.sh/enabled">1</s:key>
<s:key name="/admin/script/.%252Fbin%252Fdf.sh/interval">300</s:key>
... elided ...
<s:key name="/admin/script/.%252Fbin%252Fwho.sh/enabled">1</s:key>
<s:key name="/admin/script/.%252Fbin%252Fwho.sh/interval">150</s:key>
... eai:acl element elided ...
... eai:attributes element elided ...
<s:key name="eai:setup">
<![CDATA[<?xml version="1.0" encoding="UTF-8"?> <SetupInfo> <block title="Welcome to the Splunk for nix App"> <text>The Splunk for nix app provides some sample searches and reports to boot-strap your use of Splunk for Unix host management. To work, it needs certain inputs enabled. These system metrics drive the sample dashboards. Please review and confirm the inputs below before proceeding.</text> </block> <block title="CPU Stats (sar / mpstat / etc.)" endpoint="admin/script" entity=".%252Fbin%252Fcpu.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Fcpu.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Fcpu.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block>
. . .
<block title="Time Query (date, ntpdate -q)" endpoint="admin/script" entity=".%252Fbin%252Ftime.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Ftime.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Ftime.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Linux Audit Log (/var/log/audit/audit.log | ausearch)" endpoint="admin/script" entity=".%252Fbin%252Frlog.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Frlog.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Frlog.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Warning"> <text>Submitting this form can take a long time. Please be patient and wait for it to complete before navigating away from this page.</text> </block> </SetupInfo> ]]> </s:key>
</s:dict>
</content>
</entry>
apps/local/{name}/update
https://<host>:<port>/services/apps/local/{name}/update
Get eai:acl information for the {name} app.
GET
Expand
Get {name} app eai:acl information.
Request parameters
None
Response keys
The eai:acl key of the {name} app.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/apps/local/gettingstarted/update
XML Response
.
.
.
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-15T10:34:13-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>gettingstarted</title>
<id>https://localhost:8089/services/apps/local/gettingstarted</id>
<updated>2014-07-15T10:34:13-07:00</updated>
<link href="/services/apps/local/gettingstarted" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/local/gettingstarted" rel="list"/>
<link href="/services/apps/local/gettingstarted/_reload" rel="_reload"/>
<link href="/services/apps/local/gettingstarted" rel="edit"/>
<link href="/services/apps/local/gettingstarted" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
Last modified on 12 October, 2021
| Access endpoint descriptions | Cluster endpoint descriptions |
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12
Download manual
Feedback submitted, thanks!