REST API Reference Manual

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Deployment endpoint descriptions

Manage deployment servers and clients.

A deployment server configures a deployment client. Deployment clients and servers can reside on separate, distributed, Splunk instances or can reside on the same instance.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud Platform limitations

As a Splunk Cloud Platform user, you are restricted to interacting with the search tier only with the REST API. Deployment endpoints are generally not accessible in Splunk Cloud Platform.

See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.



List deployment client configuration and status.


Get deployment client list with enabled status, server class, and host and port number of each.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

For each deployment client, the following values are returned.

Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled
serverClasses List of member server classes for app download authorization.
targetUri Host and port number (<host>:<port>).

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client

XML Response

 <generator version="102807"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/client/deployment-client" rel="alternate"/>
   <link href="/services/deployment/client/deployment-client" rel="list"/>
   <link href="/services/deployment/client/deployment-client" rel="edit"/>
   <link href="/services/deployment/client/deployment-client/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="serverClasses">
       <s:key name="targetUri">essplunk:8089</s:key>



Get deployment client configuration and status.


Get deployment client enabled status, server class for app distribution, and host and port number.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled
serverClasses List of member server classes for app download authorization.
targetUri Host and port number (<host>:<port>).

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client/config

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/client/config" rel="alternate"/>
   <link href="/services/deployment/client/config" rel="list"/>
   <link href="/services/deployment/client/config" rel="edit"/>
   <link href="/services/deployment/client/config/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       ... eai:attributes node elided ...
       <s:key name="serverClasses">
       <s:key name="targetUri">localhost:8089</s:key>



Get deployment client status.


Get deployment client disabled status.

Request parameters

Returned values

Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client/config/listIsDisabled

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/client/default" rel="alternate"/>
   <link href="/services/deployment/client/default" rel="list"/>
   <link href="/services/deployment/client/default" rel="edit"/>
   <content type="text/xml">
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...


Access information on reloading the named client.


Access client reload information.

Request parameters
No parameters for this request.

Returned values

Status Code Description
200 Endpoint returned successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to access resource.
404 Specified resoruce does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Example request and response

XML Request

curl -k -u admin:pass -X POST https://localhost:8089/services/deployment/client/config/reload

XML Response

 <generator build="182462" version="6.0"/>
 <link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
   <link href="/services/deployment/client/config" rel="alternate"/>
   <link href="/services/deployment/client/config" rel="list"/>
   <link href="/services/deployment/client/config" rel="edit"/>
   <content type="text/xml">
       <s:key name="disabled">1</s:key>
       ... eai:acl node elided ...



Restart and reload the {name} deployment client.


Restart and reload {name} deployment client.

Request parameters

Returned values

Name Description
disabled Disabled status:
0 = Enabled
1 = Disabled
serverClasses List of member server classes for app download authorization.
targetUri Host and port number (<host>:<port>).

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/client/deployment-client/reload

XML Response

 <generator version="102807"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/client/deployment-client" rel="alternate"/>
   <link href="/services/deployment/client/deployment-client" rel="list"/>
   <link href="/services/deployment/client/deployment-client" rel="edit"/>
   <link href="/services/deployment/client/deployment-client/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="serverClasses">
       <s:key name="targetUri">tiny:8089</s:key>



List distributed apps.


List distributed apps, including distributed state information.

Request parameters

Name Type Default Description
clientId String Select apps that match clientId.
hasDeploymentError Boolean Select apps according to deployment fault status:
0 = Do not include apps with a deployment fault indication.
1 = Include apps with a deployment fault indication.

Pagination and filtering parameters can be used with this method.

Returned values
The response includes these values for each app listed.

Name Description
archive Disk location of the archived version of the app.
clientId Deployment client ID associated with the app, an MD5 hash value of serialized (catenated) client attributes.
hasDeploymentError Indicates deployment fault status on at least one deployment client:
0 = Do not include apps with a deployment fault indication.
1 = Include apps with a deployment fault indication.
loadtime Last deployment server app loaded or reloaded date and time. An application not mapped to serverclasses is not loaded so loadtime is 0.
restartSplunkWeb Restart Splunk Web indication:
0 = Do not restart Splunk Web.
1 = Restart Splunk Web.
restartSplunkd Restart splunkd indication:
0 = Do not restart splunkd.
1 = Restart splunkd.
serverclasses List of server classes associated with the application.
size Size on disk of the compressed app (bundle), in bytes.
stateOnClient App enablement status:
0 = Not enabled.
1 = Enabled.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/applications/_new" rel="create"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/applications/wma-app2" rel="alternate"/>
   <content type="text/xml">
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375305443.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="loadtime">Wed Jul 31 14:17:23 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>
   <link href="/services/deployment/server/applications/wma-app_test1" rel="alternate"/>
   <content type="text/xml">
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375305443.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="loadtime">Wed Jul 31 14:17:23 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>



Get or update distribution information for {name} app.


Get {name} app distribution information.

Request parameters

Returned values

Name Description
archive Disk location of archived version of the app.
clientId Deployment client ID associated with the app, an MD5 hash value of serialized (catenated) client attributes.
hasDeploymentError Indicates deployment fault status on at least one deployment client:
0 = Do not include apps with a deployment fault indication.
1 = Include apps with a deployment fault indication.
loadtime Last deployment server app loaded or reloaded date and time. An application not mapped to serverclasses is not loaded so loadtime is 0.
restartSplunkWeb Restart Splunk Web indication:
0 = Do not restart Splunk Web.
1 = Restart Splunk Web.
restartSplunkd Restart splunkd indication:
0 = Do not restart splunkd.
1 = Restart splunkd.
serverclasses List of server classes associated with the application.
size Size on disk of the compressed app (bundle), in bytes.
stateOnClient App enablement status:
0 = Not enabled.
1 = Enabled.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications/wma-app1

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/applications/_new" rel="create"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/applications/wma-app1" rel="alternate"/>
   <content type="text/xml">
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375467593.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="loadtime">Fri Aug  2 11:19:53 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>


Update {name} app distribution information.

Usage details
When continueMatching is true, matching is in the order in which server classes are defined.

The whitelist setting indicates a filtering strategy that includes a subset.

  • Items are not considered to match the server class by default.
  • Items that match any whitelist entry, and do not match any blacklist entry, are considered to match the server class.
  • Items that match any blacklist entry are not considered to match the server class, regardless of whitelist.

The blacklist setting indicates a filtering strategy that excludes a subset.

  • Items are considered to match the server class by default.
  • Items that match any blacklist entry, and do not match any whitelist entry, are considered to not match the server class.
  • Items that match any whitelist entry are considered to match the server class.

That is,

whitelist: default no-match -> whitelists enable -> blacklists disable
blacklist: default match -> blacklists disable-> whitelists enable

If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.

Request parameters

Name Type Default Description
blacklist.* String List of hosts to exclude when mapping application to a server class. For each blacklist, replace the wildcard (*) with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive.
continueMatching Boolean Configuration layering indication, across classes and server-specific settings:
true = [Default] Configuration lookups continue matching server classes after the first match.
false = Use the first match, only.
deinstall Boolean Remove mapping indication:
true = Remove mapping of {name} from all server classes and delete it from client target repositories.
false = Do not remove mapping of {name}.
filterType Enum Filter execution order:
whitelist = Whitelist filters are applied before blacklist filters.
blacklist = Blacklist filters are applied before whitelist filters.
machineTypesFilter String Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.

Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included.

Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter.

The patterns are PCRE regular expressions, with the following aids for easier entry:

  • You can specify '.' to mean '\\.'
  • You can specify '*' to mean '.*'
  • Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.
repositoryLocation String The location on the deployment server to store the content that is to be deployed for this server class.

For example: $SPLUNK_HOME/etc/deployment-apps

restartSplunkWeb Boolean Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.

Defaults to false

restartSplunkd Boolean Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.

Defaults to false

serverclass String The name of the server class to which the application is mapped.

Do not specify this parameter if deinstall is true.

stateOnClient Enum Valid values are (enabled | disabled | noop).
  • enabled: Default value. Sets the application state to enabled on the client, regardless of state on the deployment server.
  • disabled: Sets the application state to disabled on the client, regardless of state on the deployment server.
  • noop: The state on the client is the same as on the deployment server.
targetRepositoryLocation String The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used. That is, defaults to:

$SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk deployment)

Useful only with complex (for example, tiered) deployment strategies.

tmpFolder String Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

unmap Boolean Indicates whether to remove the mapping of the application to the specified server class.
whitelist.* String List of hosts to accept for this server class.

For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive.

Returned values

Name Description
archive Specifies the location of the compressed version (bundle) of the app.
blacklist.* Regular expressions used to exclude, when mapping this application to a client.

If a client matches any of the blacklist regular expressions, it does not receive the application. The * is replaced by an integral ordinal number.

continueMatching If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used.
filterType blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

See description for the filterType POST parameter for more information.

loadtime Specifies the date and time the application was last loaded (or reloaded) by the deployment server.

An application not mapped to any serverclasses does not get loaded, thus its loadtime attribute is 0; in epoch terms, which is 01 Jan 1970 at midnight GMT.

machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
serverclass The name of the server class to which the application is mapped.
serverclasses List of server classes associated with the application.
size Indicates in bytes the size on disk of the compressed version (bundle) of the application.
stateOnClient Specifies whether the deployment client is enabled or disabled.
targetRepositoryLocation The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used.

tmpFolder Working folder used by deployment server.
whitelist.* Regular expressions used to accept, when mapping this application to a client.

If a client matches any of the whitelist regular expressions, it accepts the application. The * is replaced by an integral ordinal number.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications/wma-app3 -d serverclass=sc_apps_wma

XML Response

 <generator build="176231" version="6.0"/>
 <link href="/services/deployment/server/applications/_new" rel="create"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/applications/wma-app3" rel="alternate"/>
   <content type="text/xml">
       <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_mach_type/wma-app3-1376164259.bundle</s:key>
       ... eai:acl node elided ...
       <s:key name="loadtime">Sat Aug 10 12:50:59 2013</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="serverclasses">
       <s:key name="size">112640</s:key>
       <s:key name="stateOnClient">enabled</s:key>



Provides access to information about clients to a deployment server.


Access information about clients to a deployment server.

Request parameters

Name Type Default Description
action String Use one of the following values:
  • phonehome: deployment client is verifying app status (typical state)
  • unknown: app state on deployment client restart
  • download: deployment client is downloading the app or app update
  • install: deployment client is installing or updating the app
  • uninstall app removed from deployment server, marked for uninstall on the deployment client

The GET response includes all clients with an app that has the specified action.

application String Lists clients to the deployment server that have attempted to download the named application.
hasDeploymentError Boolean False Indicates whether to list only clients that have a deployment error.
maxPhonehome_latency_to_avgInterval_ratio Number List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter.
minLatestPhonehomeTime Number Lists clients for which there is a phone home message at the specified time or later, in epoch seconds. That is, list the client for the following condition:

  client latency ? (now?minLatestPhonehomeTime)

minPhonehome_latency_to_avgInterval_ratio Number List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter.
serverclasses String Comma-separated list of serverclasses. List clients that are configured to receive an application to a listed serverclass.

The match is a logical OR of, for each Si, include C if C is sent an app A that maps to Si in serverclass.conf, if such an app existed.

The "would have" is per blacklist.n or whitelist.n/machineTypesFilter in serverclass.conf

Pagination and filtering parameters can be used with this method.

Returned values

Name Description
applications List of applications deployed to the deployment client.
averagePhoneHomeInterval The average phone home interval, in seconds.
build The build number for the Splunk instance on the deployment client.
dns The DNS lookup name of the deployment client server.
guid Identifier for the deployment server client.
hasDeploymentError Specifies whether to check for clients with a deployment error.
hostname The host name of the deployment client server.
id ID for the client based on client name and IP address.
ip The IP address of the client to the deployment server.
lastPhoneHomeTime The last time the deployment client phones home to the deployment server, in epoch time.
mgmt The managment port for the deployment client.
minLatestPhonehomeTime Specifies in epoch seconds the minimum latency for a client to contact the deployment server.
minPhonehome_latency_to_avgInterval_ratio The minimum value specified for the ratio of the phone home latency to the average phone home interval.
name The name of the deployment client server.
serverclasses List of server classes for the deployment client.
utsname Machine type for the deployment server client.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="alternate"/>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="list"/>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="remove"/>
   <content type="text/xml">
       <s:key name="applications">
           <s:key name="wma-app-test2">
               <s:key name="action">Install</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375305443.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
               <s:key name="timestamp">Wed Jul 31 14:11:23 2013</s:key>
           <s:key name="wma-app_test1">
               <s:key name="action">Install</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375305443.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
               <s:key name="timestamp">Wed Jul 31 14:17:23 2013</s:key>
       <s:key name="averagePhoneHomeInterval">60</s:key>
       <s:key name="build">172889</s:key>
       <s:key name="dns">localhost.sv.splunk.com</s:key>
       ... eai:acl node elided ...
       <s:key name="guid">dc95537d0e8fdadc44d00c50fc431e25</s:key>
       <s:key name="hostname">localhost.sv.splunk.com</s:key>
       <s:key name="id">connection_10.160.24.187_8089_localhost.sv.splunk.com_localhost.sv.splunk.com_Ombra</s:key>
       <s:key name="ip"></s:key>
       <s:key name="lastPhoneHomeTime">1375375291</s:key>
       <s:key name="mgmt">8089</s:key>
       <s:key name="name">Ombra</s:key>
       <s:key name="serverClasses">
           <s:key name="sc_apps_wma">
               <s:key name="loadTime">1375305443</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
           <s:key name="sc_mach_type">
               <s:key name="loadTime">1375305443</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
           <s:key name="sc_new">
               <s:key name="loadTime">1375305443</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
       <s:key name="utsname">linux-x86_64</s:key>



Access information about deployment clients to this server according to the machine type of the client.


List the count of deployment clients for this server by machine type.

Request parameters

Returned values

Name Description
counts The list of machine types for this deployment client, showing the count of each machine type.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients/countClients_by_machineType

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/clients/default" rel="alternate"/>
   <link href="/services/deployment/server/clients/default" rel="list"/>
   <link href="/services/deployment/server/clients/default" rel="remove"/>
   <content type="text/xml">
       <s:key name="counts">
           <s:key name="linux-x86_64">3</s:key>
       ... eai:acl node elided ...



Access the count of the number of downloads from this client to the deployment server during the last specified time period.


Return the count of the number of downloads from this client to the deployment server during the last specified time period.

Request parameters

Name Type Default Description
Number Age of the downloads to count, in seconds.

Returned values

Name Description
count The number of recent downloads.

Example request and response

XML Request

curl -k -u admin:pass -d maxAgeSecs=1 -G https://localhost:8089/services/deployment/server/clients/countRecentDownloads

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/clients/default" rel="alternate"/>
   <link href="/services/deployment/server/clients/default" rel="list"/>
   <link href="/services/deployment/server/clients/default" rel="remove"/>
   <content type="text/xml">
       <s:key name="count">6</s:key>
       ... eai:acl node elided ...



Get client information or remove a client.


Remove the specified client from the deployment server registry. The next time the client "phones home" the record is re-created.

Request parameters

Returned values

Example request and response

XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/deployment/server/clients/1d3de43af2aae61139c367044127f44a

XML Response

 <generator build="182785" version="6.0"/>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="alternate"/>
   <link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="list"/>
   <link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="remove"/>
   <content type="text/xml">
       <s:key name="averagePhoneHomeInterval">60</s:key>
       <s:key name="build">177748</s:key>
       <s:key name="clientName">4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
       <s:key name="dns">qa-sv-rh61x64-10.sv.splunk.com</s:key>
       ... eai:acl node elided ...
       <s:key name="guid">149685cb3e39898fbd15be6604672a31</s:key>
       <s:key name="hostname">qa-sv-rh61x64-10</s:key>
       <s:key name="id">connection_10.160.24.224_8097_qa-sv-rh61x64-10.sv.splunk.com_qa-sv-rh61x64-10_4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
       <s:key name="ip"></s:key>
       <s:key name="lastPhoneHomeTime">1382396628</s:key>
       <s:key name="mgmt">8097</s:key>
       <s:key name="name">4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
       <s:key name="serverClasses"/>
       <s:key name="utsname">linux-x86_64</s:key>
 . . . elided ...


Lists information about the named client to the deployment server.

Request parameters

Name Type Default Description
application String Lists information about this client with respect to the named application.
hasDeploymentError Boolean Indicates whether to list this client if has a deployment error.
maxPhonehome_latency_to_avgInterval_ratio Number List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter.
minLatestPhonehomeTime Number Specifies in epoch seconds the minimum latency for a client to contact the deployment server. This endpoint lists information about the named client if it has a latency equal to or greater than specified by this parameter.
minPhonehome_latency_to_avgInterval_ratio Number List information about the named client to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter.
serverclasses String Comma-separated list of serverclasses. Lists information about this client if it is configured to send an application to a listed serverclass.

Returned values

Name Description
application The name of the application specified to filter the results of this call.
applications List of applications deployed to the deployment client.
averagePhoneHomeInterval The average phone home interval, in seconds.
build The build number for the Splunk instance on the deployment client.
dns The DNS lookup name of the deployment client server.
guid Identifier for the deployment server client.
hasDeploymentError Specifies whether to check for clients with a deployment error.
hostname The host name of the deployment client server.
id ID for the client based on client name and IP address.
ip The IP address of the client to the deployment server.
lastPhoneHomeTime The last time the deployment client phones home to the deployment server, in epoch time.
maxPhonehome_latency_to_avgInterval_ratio The maximum value specified for the ratio of the phone home latency to the average phone home interval.
mgmt The managment port for the deployment client.
minLatestPhonehomeTime Specifies in epoch seconds the minimum latency for a client to contact the deployment server.
minPhonehome_latency_to_avgInterval_ratio The minimum value specified for the ratio of the phone home latency to the average phone home interval.
name The name of the deployment client server.
serverClasses The list of server classes to which the client belongs.
serverclasses List of server classes for the deployment client.
utsname Machine type for the deployment server client.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
 <link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
 <link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
 <link href="/services/deployment/server/clients/preview" rel="preview"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="alternate"/>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="list"/>
   <link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="remove"/>
   <content type="text/xml">
       <s:key name="applications">
           <s:key name="wma-app2">
               <s:key name="action">Unknown</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375467593.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
           <s:key name="wma-app1">
               <s:key name="action">Unknown</s:key>
               <s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375467593.bundle</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="result">Ok</s:key>
               <s:key name="serverclasses">
               <s:key name="size">112640</s:key>
               <s:key name="stateOnClient">enabled</s:key>
       <s:key name="averagePhoneHomeInterval">60</s:key>
       <s:key name="build">172889</s:key>
       <s:key name="dns">localhost.sv.splunk.com</s:key>
       ... eai:acl node elided ...
       ... eai:attribute node elided ...
       <s:key name="guid">dc95537d0e8fdadc44d00c50fc431e25</s:key>
       <s:key name="hostname">localhost.sv.splunk.com</s:key>
       <s:key name="id">connection_10.160.24.187_8089_localhost.sv.splunk.com_localhost.sv.splunk.com_Ombra</s:key>
       <s:key name="ip"></s:key>
       <s:key name="lastPhoneHomeTime">1375667964</s:key>
       <s:key name="mgmt">8089</s:key>
       <s:key name="name">Ombra</s:key>
       <s:key name="serverClasses">
           <s:key name="sc_apps_wma">
               <s:key name="loadTime">1375467593</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
           <s:key name="sc_mach_type">
               <s:key name="loadTime">1375467593</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
           <s:key name="sc_new">
               <s:key name="loadTime">1375467593</s:key>
               <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
               <s:key name="restartSplunkWeb">0</s:key>
               <s:key name="restartSplunkd">0</s:key>
               <s:key name="stateOnClient">enabled</s:key>
       <s:key name="utsname">linux-x86_64</s:key>



Access server configuration information for deployment servers.


List configuration information for all deployment servers.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
currentDownloads The number of current downloads for this deployment server.
disabled Indicates whether the deployment server is disabled.
loadTime The time, in epoch seconds, the serverclass for this server was loaded.
repositoryLocation The location on the deployment server to store the content that is to be deployed.
whitelist.0 Lists the contents of whitelist.0.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/config

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/config/_reload" rel="_reload"/>
 <link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
 <link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
   <link href="/servicesNS/nobody/system/deployment/server/config/config" rel="alternate"/>
   <link href="/servicesNS/nobody/system/deployment/server/config/config" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/config/config/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/deployment/server/config/config" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/config/config/disable" rel="disable"/>
   <content type="text/xml">
       <s:key name="currentDownloads">0</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1375305443</s:key>
       <s:key name="repositoryLocation">$SPLUNK_HOME/etc/deployment-apps</s:key>
       <s:key name="whitelist.0">*</s:key>



Access deployment server attributes that cannot be configured from Splunk Web.


Lists deployment server attributes that cannot be configured from Splunk Web.

Request parameters

Returned values

Name Description
property The attribute that cannot be configured from Splunk Web.
reason The reason an attribute cannot be configured from Splunk Web.
stanza In Splunk Enterprise, the stanza in serverclass.conf that lists deployment server attributes that cannot be configured from Splunk Web.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/config/attributesUnsupportedInUI

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/config/_reload" rel="_reload"/>
 <link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
 <link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
 ... eai:acl node elided ...
   <link href="/services/deployment/server/config/item_0" rel="alternate"/>
   <link href="/services/deployment/server/config/item_0" rel="list"/>
   <link href="/services/deployment/server/config/item_0/_reload" rel="_reload"/>
   <link href="/services/deployment/server/config/item_0" rel="edit"/>
   <content type="text/xml">
       ... opensearch nodes elided ...
       <s:key name="property">whitelist.0</s:key>
       <s:key name="reason">unsupported at this level</s:key>
       <s:key name="stanza">global</s:key>



Access deployment server enablement status.


Access deployment server enablement status.

Request parameters

Request parameters

Name Description
disabled Indicates if the deployment server is disabled.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/config/listIsDisabled

XML Response

 <generator build="176231" version="6.0"/>
 <link href="/services/deployment/server/config/_reload" rel="_reload"/>
 <link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
 <link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/config/default" rel="alternate"/>
   <link href="/services/deployment/server/config/default" rel="list"/>
   <link href="/services/deployment/server/config/default/_reload" rel="_reload"/>
   <link href="/services/deployment/server/config/default" rel="edit"/>
   <content type="text/xml">
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...



Access information about server classes.


List server classes for this deployment server.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
blacklist-size The number of entires in the blacklist for this serverclass.
clientId ID of deployment client for this server class.
currentDownloads Number of applications currently downloaded.
hasDeploymentError Indicates whether the serverclass has at least one deployment error.
loadTime The time, in epoch seconds, this serverclass was loaded.
machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryList List of applications stored at the location specified by repositoryLocation.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
stateOnClient Indicates whether this server class is enabled or disabled.
whitelist-size Specifies the number of entries in the whitelist for this server class.
whitelist.0 List of servers for whitelist.0 for this server class.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="alternate"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1375305443</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
           <s:key name="wma-app2"/>
           <s:key name="wma-app1"/>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="alternate"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1375305443</s:key>
       <s:key name="machineTypesFilter">linux-x86_64,</s:key>
       <s:key name="repositoryList">
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app_test1"/>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>


Create a server class.

Request parameters

Name Type Default Description
String The name of the server class.
blacklist.* String List of hosts to exclude for this server class.

For each blacklist, replace * with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive.

continueMatching Boolen Controls how configuration is layered across classes and server-specific settings.

If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. Matching is done in the order that server classes are defined. Defaults to true.

A serverClass can override this property and stop the matching.

filterType Enum Valid values: (whitelist | blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

The whitelist setting indicates a filtering strategy that pulls in a subset:

  • Items are not considered to match the server class by default.
  • Items that match any whitelist entry, and do not match any blacklist entry, are considered to match the server class.
  • Items that match any blacklist entry are not considered to match the server class, regardless of whitelist.

The blacklist setting indicates a filtering strategy that rules out a subset:

  • Items are considered to match the server class by default.
  • Items that match any blacklist entry, and do not match any whitelist entry, are considered to not match the server class.
  • Items that match any whitelist entry are considered to match the server class.

More briefly:

whitelist: default no-match -> whitelists enable -> blacklists disable
blacklist: default match -> blacklists disable-> whitelists enable

If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.

machineTypesFilter String Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.

Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included.

Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter.

The patterns are PCRE regular expressions, with the following aids for easier entry:

  • You can specify '.' to mean '\\.'
  • You can specify '*' to mean '.*'
  • Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.
repositoryLocation String The location on the deployment server to store the content that is to be deployed for this server class.

For example: $SPLUNK_HOME/etc/deployment-apps

restartSplunkWeb Boolean Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.

Defaults to false

restartSplunkd Boolean Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.

Defaults to false

stateOnClient Enum Valid values are (enabled | disabled | noop).
  • enabled: Default value. Sets the application state to enabled on the client, regardless of state on the deployment server.
  • disabled: Sets the application state to disabled on the client, regardless of state on the deployment server.
  • noop: The state on the client is the same as on the deployment server.
targetRepositoryLocation String The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used. That is, defaults to:

$SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk instance

Useful only with complex (for example, tiered) deployment strategies.

tmpFolder String Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

whitelist.* String List of hosts to accept for this server class.

For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive.

Returned values

Name Description
blacklist-size The number of entries in the blacklist for this serverclass.
blacklist.* Regular expressions used to exclude for this server class.

If a client matches any of the blacklist regular expressions, it is not included in the server class. The * is replaced by an integral ordinal number.

continueMatching If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used.
currentDownloads Number of applications currently downloaded.
filterType blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

See description for the filterType POST parameter for more information.

loadTime The time, in epoch seconds, this serverclass was loaded.
machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryList List of applications stored at the location specified by repositoryLocation.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
stateOnClient Specifies whether the deployment client is enabled or disabled.
targetRepositoryLocation The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used.

That is, defaults to: $SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk deployment.

Useful only with complex (for example, tiered) deployment strategies.

tmpFolder Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

whitelist-size Specifies the number of entries in the whitelist for this server class.
whitelist.* Regular expressions used to accept for this server class.

If a client matches any of the whitelist regular expressions, it is included in the server class. The * is replaced by an integral ordinal number.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses -d name=sc_apps_ombra

XML Response

 <generator build="176231" version="6.0"/>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="alternate"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="list"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="edit"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="remove"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/applications" rel="applications"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/clients" rel="clients"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... opensearch nodes elided ...
       <s:key name="loadTime">1376165908</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app3"/>
           <s:key name="wma-app_test1"/>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">0</s:key>



Rename a server class.


Specify a new name for a server class.

Request parameters

Name Type Default Description
String The new name of the server class.
String The current name of the server class.

Returned values

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/rename -d oldName=sc_apps_ombra -d newName=sc_apps_shadow

XML Response

 <generator build="176231" version="6.0"/>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="alternate"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="list"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="edit"/>
   <link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="remove"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/applications" rel="applications"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/clients" rel="clients"/>
   <link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1381334049</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
           <s:key name="tmp"/>
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app3"/>
           <s:key name="wma-app_test1"/>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">0</s:key>



Manage the {name} serverclass.


Remove the specfied server class from this deployment server.

Request parameters

Returned values

Example request and response

XML Request

curl -k -u admin:pass --request DELETE https://localhost:8089/services/deployment/server/serverclasses/sc_apps_shadow

XML Response

 <generator build="176231" version="6.0"/>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="alternate"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="loadTime">1381335207</s:key>
       <s:key name="machineTypesFilter"></s:key>
       <s:key name="repositoryList">
           <s:key name="tmp"/>
           <s:key name="wma-app-test2"/>
           <s:key name="wma-app3"/>
           <s:key name="wma-app_test1"/>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>
 ... elided ...


List information about the named server class.

Request parameters

Name Type Default Description
clientId String GUID of a deployment client that is a member of the named server class. Lists information about the named server class with respect to this client.
hasDeploymentError Boolean Indicates whether to only list server classes that have a deployment error.

Returned values

Name Description
blacklist-size Specifies the size of the blacklist for the named server class.
clientId ID of deployment client for this server class.
currentDownloads The number of entires in the blacklist for this serverclass.
hasDeploymentError Indicates whether the serverclass has at least one deployment error.
loadTime The time, in epoch seconds, this serverclass was loaded.
machineTypesFilter List of filters to be used in Boolean and logic with whitelist and blacklist filters.
repositoryList List of applications stored at the location specified by repositoryLocation.
repositoryLocation The location on the deployment server to store the content that is to be deployed for this server class.
restartSplunkWeb Indicates whether to restart Splunk Web.
restartSplunkd Indicates whether to restart splunkd.
stateOnClient Indicates whether this server class is enabled or disabled.
whitelist-size Specifies the number of entries in the whitelist for this server class.
whitelist.0 List of servers for whitelist.0 for this server class.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/sc_mach_type

XML Response

 <generator build="172889" version="6.0"/>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="alternate"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="list"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="edit"/>
   <link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="remove"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/applications" rel="applications"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/clients" rel="clients"/>
   <link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/reload" rel="reload"/>
   <content type="text/xml">
       <s:key name="blacklist-size">0</s:key>
       <s:key name="currentDownloads">0</s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="loadTime">1375467593</s:key>
       <s:key name="machineTypesFilter">linux-x86_64,</s:key>
       <s:key name="repositoryList">
           <s:key name="wma-app2"/>
           <s:key name="wma-app1"/>
       <s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
       <s:key name="restartSplunkWeb">0</s:key>
       <s:key name="restartSplunkd">0</s:key>
       <s:key name="stateOnClient">enabled</s:key>
       <s:key name="whitelist-size">1</s:key>
       <s:key name="whitelist.0">Ombra*</s:key>


Update the named server class.

Request parameters

Name Type Default Description
blacklist.* String List of hosts to exclude for this server class.

For each blacklist, replace * with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive.

continueMatching Boolen Controls how configuration is layered across classes and server-specific settings.

If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. Matching is done in the order that server classes are defined. Defaults to true.

A serverClass can override this property and stop the matching.

filterType Enum Valid values: (whitelist | blacklist)

Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters.

The whitelist setting indicates a filtering strategy that pulls in a subset:

  • Items are not considered to match the server class by default.
  • Items that match any whitelist entry, and do not match any blacklist entry, are considered to match the server class.
  • Items that match any blacklist entry are not considered to match the server class, regardless of whitelist.

The blacklist setting indicates a filtering strategy that rules out a subset:

  • Items are considered to match the server class by default.
  • Items that match any blacklist entry, and do not match any whitelist entry, are considered to not match the server class.
  • Items that match any whitelist entry are considered to match the server class.

More briefly:

whitelist: default no-match -> whitelists enable -> blacklists disable
blacklist: default match -> blacklists disable-> whitelists enable

If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.

machineTypesFilter String Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.

Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included.

Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter.

The patterns are PCRE regular expressions, with the following aids for easier entry:

  • You can specify '.' to mean '\\.'
  • You can specify '*' to mean '.*'
  • Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.
repositoryLocation String The location on the deployment server to store the content that is to be deployed for this server class.

For example: $SPLUNK_HOME/etc/deployment-apps

restartSplunkWeb Boolean Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.

Defaults to false

restartSplunkd Boolean Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.

Defaults to false

stateOnClient Enum Valid values are (enabled | disabled | noop).
  • enabled: Default value. Sets the application state to enabled on the client, regardless of state on the deployment server.
  • disabled: Sets the application state to disabled on the client, regardless of state on the deployment server.
  • noop: The state on the client is the same as on the deployment server.
targetRepositoryLocation String The location on the deployment client to install the apps defined for this Deployment Server.

If unset, or set to empty, the repositoryLocation path is used. That is, defaults to:

$SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk instance

Useful only with complex (for example, tiered) deployment strategies.

tmpFolder String Working folder used by deployment server.

Defaults to $SPLUNK_HOME/var/run/tmp

whitelist.* String List of hosts to accept for this server class.

For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive.

Returned values

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/sc_apps_ombra -d stateOnClient=noop

XML Response

 <generator build="176231" version="6.0"/>
 <link href="/services/deployment/server/serverclasses/_new" rel="create"/>
 <link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
 ... opensearch nodes elided ...
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="alternate"/>
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="list"/>
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="edit"/>
   <link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="remove"/>
   <content type="text/xml">
       ... opensearch nodes elided ...



Provides information on knowledge bundle replication configuration on a search head.

Authentication and Authorization
Requires the search capability.

Usage details
See Troubleshoot knowledge bundle replication in Distributed Search.


List knowledge bundle replication configuration settings.

Request parameters

Returned values

Name Description
concerningReplicatedFileSize A warning will be logged if the bundle lookup size exceeds this value
connectionTimeout Timeout value for establishing connection between search head and indexer
maxBundleSize Maximum allowable bundle size
receiveTimeout Timeout value for receiving data between search head and indexer
replicationPeriod Period during which the replicationThread checks whether bundle replication is required
replicationPolicy Bundle replication policy in use
sendTimeout Timeout value for sending data between search head and indexer
statusQueueSize Size of the cycles maintained in memory and available through the cycles endpoint

Example request and response

XML Request

curl -k -u admin:changeme https://ronnie:8089/services/search/distributed/bundle/replication/config

XML Response

 <feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <generator build="9f02da632403" version="8.0.0"/>
    <link href="/services/search/distributed/bundle/replication/config/bundleReplicationConfig" rel="alternate"/>
    <link href="/services/search/distributed/bundle/replication/config/bundleReplicationConfig" rel="list"/>
    <content type="text/xml">
        <s:key name="concerningReplicatedFileSize">524288000</s:key>
        <s:key name="connectionTimeout">60</s:key>
        <s:key name="eai:acl">
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
                <s:key name="read">
                <s:key name="write">
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
        <s:key name="maxBundleSize">2147483648</s:key>
        <s:key name="receiveTimeout">60</s:key>
        <s:key name="replicationPeriod">60</s:key>
        <s:key name="replicationPolicy">classic</s:key>
        <s:key name="replicationThreads">9</s:key>
        <s:key name="sendTimeout">60</s:key>
        <s:key name="statusQueueSize">5</s:key>



Provides information and status for knowledge bundle replication cycles on a search head.

Authentication and Authorization
Requires the search capability.

Usage details
See Troubleshoot knowledge bundle replication in Distributed Search.


List information and status for knowledge bundle replication cycles..

Request parameters

Name Type Description
latest Boolean Optional. If set to true, information about only the latest cycle is returned.

Returned values

Name Description
bundle_id Knowledge bundle unique identifier composed of hostname-creation_time
current_bundle Path to active knowledge bundle on disk
current_repl_start_time Start time of current replication cycle
cycle_id Bundle replication cycle unique identifier
delta_path Path to the delta knowledge bundle on disk, if a delta was created
is_repl_in_progress Boolean to indicate whether the replication cycle is in progress or completed
peers_status Entry for each peer with peer_name and replication state for each peer
replicationPolicy Bundle replication policy in use

Example request and response

XML Request

curl -k -u admin:changeme https://ronnie:8089/services/search/distributed/bundle/replication/cycles?latest=true

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <generator build="9f02da632403" version="8.0.0"/>
    <link href="/services/search/distributed/bundle/replication/cycles/80CC124B-2D46-44A7-95C2-A92ECC32C050" rel="alternate"/>
    <link href="/services/search/distributed/bundle/replication/cycles/80CC124B-2D46-44A7-95C2-A92ECC32C050" rel="list"/>
    <content type="text/xml">
        <s:key name="bundle_id">qa-centos7x64-056-1566601784</s:key>
        <s:key name="current_bundle">/root/splunk_install/var/run/qa-centos7x64-056-1566601784.bundle</s:key>
        <s:key name="current_repl_start_time">1566602286</s:key>
        <s:key name="cycle_id">80CC124B-2D46-44A7-95C2-A92ECC32C050</s:key>
        <s:key name="delta_path">/root/splunk_install/var/run/qa-centos7x64-056-1566601708-1566601784.delta</s:key>
        <s:key name="eai:acl">
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
                <s:key name="read">
                <s:key name="write">
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
        <s:key name="is_repl_in_progress">0</s:key>
        <s:key name="peers_status">
            <s:key name="">
                <s:key name="classic_replication_state">succeeded</s:key>
                <s:key name="peer_name"></s:key>
            <s:key name="">
                <s:key name="classic_replication_state">succeeded</s:key>
                <s:key name="peer_name"></s:key>
            <s:key name="">
                <s:key name="classic_replication_state">succeeded</s:key>
                <s:key name="peer_name"></s:key>
        <s:key name="replicationPolicy">classic</s:key>



Access information for the most recent distributed search bundle.


List distributed search bundle replication files.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
checksum Common checksum for entities in the bundle.
filename Bundle file name
location Bundle file path
size Bundle size, in bytes
timestamp Bundle creation timestamp.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/bundle-replication-files

XML Response

 <generator build="176231" version="6.0"/>
 ... opensearch nodes elided ...
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="alternate"/>
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="list"/>
   <content type="text/xml">
       <s:key name="checksum">13134207368020721783</s:key>
       ... eai:acl node elided ...
       <s:key name="filename">localhost-1381336958.bundle</s:key>
       <s:key name="location">/opt/cluster/peer1/splunk/var/run/localhost-1381336958.bundle</s:key>
       <s:key name="timestamp">1381336958</s:key>



Get {name} bundle replication file information.


List information about the specified bundle replication file. For {name}, specify the checksum for the file.

Request parameters

Name Type Default Description
force_list_all Boolean Indicates whether to force a listing of the file.

Returned values

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/bundle-replication-files/13134207368020721783

XML Response

 <generator build="176231" version="6.0"/>
 ... opensearch nodes elided ...
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="alternate"/>
   <link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="list"/>
   <content type="text/xml">
       <s:key name="checksum">13134207368020721783</s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">... elided ...</s:key>
       <s:key name="filename">localhost-1381336958.bundle</s:key>
       <s:key name="location">/opt/cluster/peer1/splunk/var/run/localhost-1381336958.bundle</s:key>
       <s:key name="timestamp">1381336958</s:key>



Provides access to the Splunk Enterprise distributed search options. This option is not for adding search peers.


Lists the configuration options for the distributed search system.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
autoAddServers [Deprecated]
blacklistNames List of filenames that match the blacklist pattern, and are not replicated.
blacklistURLs List of URLs that are blacklisted, and thus is not replicated.
checkTimedOutServersFrequency Rechecks servers at the specified frequency (in seconds). If this is set to 0, then no recheck occurs. Defaults to 60.

This attribute is ONLY relevant if removeTimedOutServers is set to true. If removeTimedOutServers is false, this attribute is ignored.

connectionTimeout Connection timeout.
disabled Indicates if the distributed search is disabled.
dist_search_enabled Indicates if the distributed search is enabled.
heartbeatFrequency [Deprecated]
heartbeatMcastAddr [Deprecated]
heartbeatPort [Deprecated]
receiveTimeout Amount of time in seconds to use as a timeout while trying to read/receive data from a search peer.
removedTimedOutServers If true, removes a server connection that cannot be made within serverTimeout.

If false, every call to that server attempts to connect. This may result in a slow user interface.

sendTimeout Send timeout.
serverTimeout [Deprecated] Refer to connectionTimeout, sendTimeout, and receiveTimeout.
servers The initial list of servers.

If operating completely in autoAddServers mode (discovering all servers), there is no need to list any servers here.

shareBundles Indicates whether this server uses bundle replication to share search time configuration with search peers.

If set to false, the search head assumes that the search peers can access the correct bundles using an NFS share and have correctly configured the options listed under: "SEARCH HEAD BUNDLE MOUNTING OPTIONS."

skipOurselves [Deprecated]
statusTimeout Set connection timeout when gathering a search peer's basic info (/services/server/info). Read/write timeouts are automatically set to twice this value.
ttl [Deprecated]

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/config

XML Response

 <generator version="102807"/>
 ... opensearch nodes elided ...
   <link href="/services/search/distributed/config/distributedSearch" rel="alternate"/>
   <link href="/services/search/distributed/config/distributedSearch" rel="list"/>
   <link href="/services/search/distributed/config/distributedSearch" rel="edit"/>
   <link href="/services/search/distributed/config/distributedSearch" rel="remove"/>
   <content type="text/xml">
       <s:key name="autoAddServers">0</s:key>
       <s:key name="blacklistNames"/>
       <s:key name="blacklistURLs"/>
       <s:key name="checkTimedOutServersFrequency">60</s:key>
       <s:key name="disabled">0</s:key>
       <s:key name="dist_search_enabled">1</s:key>
       ... eai:acl node elided ...
       <s:key name="heartbeatFrequency">0</s:key>
       <s:key name="heartbeatMcastAddr"></s:key>
       <s:key name="heartbeatPort">8888</s:key>
       <s:key name="removedTimedOutServers">0</s:key>
       <s:key name="serverTimeout">10</s:key>
       <s:key name="servers"/>
       <s:key name="shareBundles">1</s:key>
       <s:key name="skipOurselves">0</s:key>
       <s:key name="statusTimeout">10</s:key>
       <s:key name="ttl">1</s:key>



Provides distributed peer server management. A search peer is defined as a Splunk server to which another Splunk server distributes searches. The Splunk server where the search request originates is referred to as the search head.


Get configured search peers to which this search head is configured to distribute searches. This includes configured but disabled search peers.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
build The Splunk build number for this peer.
bundle_versions The IDs of the bundles (of this search head) that the peer has.

The IDs are sorted from latest to earliest.

disabled Indicates if the peer is disabled.
guid GUID of the peer.
is_https Inidcates if the management port is using SSL.
licenseSignature The license signature.
peerName The Splunk server name of the peer.
peerType Specifies whether the peer is configured or discovered.
replicationStatus The status of bundle replication to this peer. Can be any of the following values:
In progress
status The status of the peer.

Can be one of the following values:

Not a Splunk server
Free Splunk server
Authentication Failed
Duplicate License
Duplicate Servername
Inconsistent bundles
status_details Details of any errors encountered in the last heartbeat period.
version The Splunk software version string this peer is running.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/peers

XML Response

 <generator version="102807"/>
 <link href="/services/search/distributed/peers/_new" rel="create"/>
 ... opensearch nodes elided ...
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="alternate"/>
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="list"/>
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="edit"/>
   <link href="/services/search/distributed/peers/tiny%3A8090" rel="remove"/>
   <link href="/services/search/distributed/peers/tiny%3A8090/disable" rel="disable"/>
   <content type="text/xml">
       <s:key name="build"/>
       <s:key name="bundle_versions">
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="guid"/>
       <s:key name="is_https">1</s:key>
       <s:key name="licenseSignature"/>
       <s:key name="peerName">tiny:8090</s:key>
       <s:key name="peerType">configured</s:key>
       <s:key name="replicationStatus">Initial</s:key>
       <s:key name="status">Down</s:key>
       <s:key name="version"/>


Add a new distributed search peer.

Usage details
The distributed search must first be enabled using the search/distributed/config endpoint.

Request parameters

Name Type Required Default Description
name String
The name of the search peer.

Defined as hostname:port, where port is the management port.

remotePassword String
The password of the remote user.
remoteUsername String
The username of a user with admin privileges in the search peer server.

This is used to exchange certificates.

HTTP response codes

Status Code Description
201 Created successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to create specified resource.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned values
No values returned for this request.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/peers -d name=MrT:8092 -d remoteUsername=admin -d remotePassword=mypass

XML Response

 <generator version="102807"/>
 <link href="/services/search/distributed/peers/_new" rel="create"/>
 ... opensearch nodes elided ...



Manage distributed peer servers. A search peer is defined as a Splunk server to which another Splunk server distributes searches. The Splunk server where the search request originates is referred to as the search head.


Update a peer server.

Usage details
The distributed search must first be enabled using the search/distributed/config endpoint.

Request parameters

Name Type Required Default Description
remotePassword String
The password of the remote user.
remoteUsername String
The username of a user with admin privileges in the search peer server.

This is used to exchange certificates.

Returned values
See example.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/search/distributed/peers/MrT:8092  -d remoteUsername=admin -d remotePassword=mypass

XML Response

 <generator version="102807"/>
 <link href="/services/search/distributed/peers/_new" rel="create"/>
 ... opensearch nodes elided ...

