Splunk® Enterprise

REST API Reference Manual

Input endpoint descriptions

Manage and preview streaming and non-streaming and other input data.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Managed Splunk Cloud deployments

https://<deployment-name>.splunkcloud.com:8089

Self-service Splunk Cloud deployments
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.

https://input-<deployment-name>.cloud.splunk.com:8089


See Using the REST API in Splunk Cloud in the the Splunk REST API Tutorials for more information.


data/ingest/rfsdestinations

https://<host>:<mPort>/services/data/ingest/rfsdestinations

Create/configure, get, or delete an S3 destination for ingest action.

Authentication and authorization
Requires the capabilities list_ingest_rulesets and edit_ingest_rulesets.


DELETE

Deletes the S3 destination.

Request parameters

Name Description
name Name of the S3 destination to delete.

Returned values

Name Description
name Name of the S3 destination.
path Path (bucket and folder) of the destination.
remote.s3.access_key See indexes.conf.
remote.s3.secret_key See indexes.conf.
description Description of the destination (optional).
remote.s3.endpoint See indexes.conf.
remote.s3.encryption See indexes.conf.
remote.s3.kms.key_id: See indexes.conf.
remote.s3.kms.auth_region See indexes.conf.
remote.s3.signature_version See indexes.conf.
remote.s3.supports_versioning See indexes.conf.
remote.s3.url_version See indexes.conf.
compression See outputs.conf.
dropEventsOnUploadError See outputs.conf.
batchTimeout See outputs.conf.
batchSizeThresholdKB See outputs.conf.
target When provided, the request will be proxied to the host specified here (optional).

Example request and response


Request
To delete a destination named a3:

curl -v -k -u username:password -X DELETE https://host:port/services/data/ingest/rfsdestinations/a3

Response

*   Trying 10.140.178.120:9091...

* Connected to mrt (10.140.178.120) port 9091 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*  CAfile: /etc/ssl/cert.pem

*  CApath: none

* (304) (OUT), TLS handshake, Client hello (1):

* (304) (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: CN=SplunkServerDefaultCert; O=SplunkUser

*  start date: May 25 18:24:21 2022 GMT

*  expire date: May 24 18:24:21 2025 GMT

*  issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com

*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

* Server auth using Basic with user 'admin'

> DELETE /services/data/ingest/rfsdestinations/a3 HTTP/1.1

> Host: mrt:9091

> Authorization: Basic YWRtaW46Y2hhbmdlbWU=

> User-Agent: curl/7.79.1

> Accept: */*

> 

* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK

< Date: Wed, 25 May 2022 20:55:25 GMT

< Expires: Thu, 26 Oct 1978 00:00:00 GMT

< Cache-Control: no-store, no-cache, must-revalidate, max-age=0

< Content-Type: text/xml; charset=UTF-8

< X-Content-Type-Options: nosniff

< Content-Length: 3783

< Vary: Cookie, Authorization

< Connection: Keep-Alive

< X-Frame-Options: SAMEORIGIN

< Server: Splunkd

< 

<?xml version="1.0" encoding="UTF-8"?>

<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

  <title>ingest-rfs-destinations</title>

  <id>https://mrt:9091/services/data/ingest/rfsdestinations</id>

  <updated>2022-05-25T20:55:25+00:00</updated>

  <generator build="fee4ee9be79e70f02f4d13d69c0688e981ab5120" version="20220525"/>

  <author>

    <name>Splunk</name>

  </author>

  <link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>

  <link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>

  <opensearch:totalResults>1</opensearch:totalResults>

  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>

  <opensearch:startIndex>0</opensearch:startIndex>

  <s:messages/>

  <entry>

    <title>s3</title>

    <id>https://mrt:9091/services/data/ingest/rfsdestinations/s3</id>

    <updated>1970-01-01T00:00:00+00:00</updated>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>

    <author>

      <name>system</name>

    </author>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>

    <link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>

    <content type="text/xml">

      <s:dict>

        <s:key name="eai:acl">

          <s:dict>

            <s:key name="app"></s:key>

            <s:key name="can_list">1</s:key>

            <s:key name="can_write">1</s:key>

            <s:key name="modifiable">0</s:key>

            <s:key name="owner">system</s:key>

            <s:key name="perms">

              <s:dict>

                <s:key name="read">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

                <s:key name="write">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

              </s:dict>

            </s:key>

            <s:key name="removable">0</s:key>

            <s:key name="sharing">system</s:key>

          </s:dict>

        </s:key>

        <s:key name="path">s3://s2-testing-infra/data-action1/sharun/</s:key>

        <s:key name="remote.s3.access_key"><hidden></s:key>

        <s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>

        <s:key name="remote.s3.secret_key"><hidden></s:key>

      </s:dict>

    </content>

  </entry>

</feed>


GET

Gets list of the s3 destination configuration values.

Request parameters

Name Description
name Name of the S3 destination. An empty name returns information for all S3 destinations.

Returned values

Name Description
name Name of the S3 destination.
path Path (bucket and folder) of the destination.
remote.s3.access_key See indexes.conf.
remote.s3.secret_key See indexes.conf.
description Description of the destination (optional).
remote.s3.endpoint See indexes.conf.
remote.s3.encryption See indexes.conf.
remote.s3.kms.key_id: See indexes.conf.
remote.s3.kms.auth_region See indexes.conf.
remote.s3.signature_version See indexes.conf.
remote.s3.supports_versioning See indexes.conf.
remote.s3.url_version See indexes.conf.
compression See outputs.conf.
dropEventsOnUploadError See outputs.conf.
batchTimeout See outputs.conf.
batchSizeThresholdKB See outputs.conf.
target When provided, the request will be proxied to the host specified here (optional).


Example request and response


Request
Gets information for destination named "s3":

curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations/s3

Response


*   Trying 10.140.178.120:9091...

* Connected to mrt (10.140.178.120) port 9091 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*  CAfile: /etc/ssl/cert.pem

*  CApath: none

* (304) (OUT), TLS handshake, Client hello (1):

* (304) (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: CN=SplunkServerDefaultCert; O=SplunkUser

*  start date: May 25 18:24:21 2022 GMT

*  expire date: May 24 18:24:21 2025 GMT

*  issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com

*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

* Server auth using Basic with user 'admin'

> GET /services/data/ingest/rfsdestinations/s3 HTTP/1.1

> Host: mrt:9091

> Authorization: Basic YWRtaW46Y2hhbmdlbWU=

> User-Agent: curl/7.79.1

> Accept: */*

> 

* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK

< Date: Wed, 25 May 2022 20:13:13 GMT

< Expires: Thu, 26 Oct 1978 00:00:00 GMT

< Cache-Control: no-store, no-cache, must-revalidate, max-age=0

< Content-Type: text/xml; charset=UTF-8

< X-Content-Type-Options: nosniff

< Content-Length: 5036

< Vary: Cookie, Authorization

< Connection: Keep-Alive

< X-Frame-Options: SAMEORIGIN

< Server: Splunkd

< 

<?xml version="1.0" encoding="UTF-8"?>

<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

  <title>ingest-rfs-destinations</title>

  <id>https://mrt:9091/services/data/ingest/rfsdestinations</id>

  <updated>2022-05-25T20:13:13+00:00</updated>

  <generator build="fee4ee9be79e70f02f4d13d69c0688e981ab5120" version="20220525"/>

  <author>

    <name>Splunk</name>

  </author>

  <link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>

  <link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>

  <opensearch:totalResults>1</opensearch:totalResults>

  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>

  <opensearch:startIndex>0</opensearch:startIndex>

  <s:messages/>

  <entry>

    <title>s3</title>

    <id>https://mrt:9091/services/data/ingest/rfsdestinations/s3</id>

    <updated>1970-01-01T00:00:00+00:00</updated>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>

    <author>

      <name>system</name>

    </author>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>

    <link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>

    <content type="text/xml">

      <s:dict>

        <s:key name="eai:acl">

          <s:dict>

            <s:key name="app"></s:key>

            <s:key name="can_list">1</s:key>

            <s:key name="can_write">1</s:key>

            <s:key name="modifiable">0</s:key>

            <s:key name="owner">system</s:key>

            <s:key name="perms">

              <s:dict>

                <s:key name="read">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

                <s:key name="write">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

              </s:dict>

            </s:key>

            <s:key name="removable">0</s:key>

            <s:key name="sharing">system</s:key>

          </s:dict>

        </s:key>

        <s:key name="eai:attributes">

          <s:dict>

            <s:key name="optionalFields">

              <s:list>

                <s:item>authMethod</s:item>

                <s:item>batchSizeThresholdKB</s:item>

                <s:item>batchTimeout</s:item>

                <s:item>compression</s:item>

                <s:item>description</s:item>

                <s:item>dropEventsOnUploadError</s:item>

                <s:item>path</s:item>

                <s:item>remote.s3.access_key</s:item>

                <s:item>remote.s3.encryption</s:item>

                <s:item>remote.s3.endpoint</s:item>

                <s:item>remote.s3.kms.auth_region</s:item>

                <s:item>remote.s3.kms.key_id</s:item>

                <s:item>remote.s3.secret_key</s:item>

                <s:item>remote.s3.signature_version</s:item>

                <s:item>remote.s3.supports_versioning</s:item>

                <s:item>remote.s3.url_version</s:item>

                <s:item>target</s:item>

              </s:list>

            </s:key>

            <s:key name="requiredFields">

              <s:list/>

            </s:key>

            <s:key name="wildcardFields">

              <s:list/>

            </s:key>

          </s:dict>

        </s:key>

        <s:key name="path">s3://s2-testing-infra/data-action1/sharun/</s:key>

        <s:key name="remote.s3.access_key"><hidden></s:key>

        <s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>

        <s:key name="remote.s3.secret_key"><hidden></s:key>

      </s:dict>

    </content>

  </entry>

</feed> 


POST

Creates and configures the S3 destination.

Request parameters

Name Description
name (Required) Name of the S3 destination.
path (Required) Path (bucket and folder) of the destination.
remote.s3.access_key (Optional) See indexes.conf.
remote.s3.secret_key (Optional) See indexes.conf.
description (Optional) Description of the destination.
remote.s3.endpoint (Optional) See indexes.conf.
remote.s3.encryption (Optional) See indexes.conf.
remote.s3.kms.key_id: (Optional) See indexes.conf.
remote.s3.kms.auth_region (Optional) See indexes.conf.
remote.s3.signature_version (Optional) See indexes.conf.
remote.s3.supports_versioning (Optional) See indexes.conf.
remote.s3.url_version (Optional) See indexes.conf.
compression (Optional) See outputs.conf.
dropEventsOnUploadError (Optional) See outputs.conf.
batchTimeout (Optional) See outputs.conf.
batchSizeThresholdKB (Optional) See outputs.conf.
target (Optional) When provided, the request will be proxied to the host specified here.

Returned values

Name Description
name Name of the S3 destination.
path Path (bucket and folder) of the destination.
remote.s3.access_key See indexes.conf.
remote.s3.secret_key See indexes.conf.
description Description of the destination.
remote.s3.endpoint See indexes.conf.
remote.s3.encryption See indexes.conf.
remote.s3.kms.key_id: See indexes.conf.
remote.s3.kms.auth_region See indexes.conf.
remote.s3.signature_version See indexes.conf.
remote.s3.supports_versioning See indexes.conf.
remote.s3.url_version See indexes.conf.
compression See outputs.conf.
dropEventsOnUploadError See outputs.conf.
batchTimeout See outputs.conf.
batchSizeThresholdKB See outputs.conf.
target When provided, the request will be proxied to the host specified here (optional).


Example requests and responses


Request
Create a destination with name=s3:

curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations -d name=s3 -d path=s3://s2-testing-infra/data-action1/sharun/ -d remote.s3.access_key=ddd -d remote.s3.secret_key=ddd -d remote.s3.endpoint=https://s3.us-west-2.amazonaws.com

Response

*   Trying 10.140.178.120:9091...

* Connected to mrt (10.140.178.120) port 9091 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*  CAfile: /etc/ssl/cert.pem

*  CApath: none

* (304) (OUT), TLS handshake, Client hello (1):

* (304) (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: CN=SplunkServerDefaultCert; O=SplunkUser

*  start date: May 25 18:24:21 2022 GMT

*  expire date: May 24 18:24:21 2025 GMT

*  issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com

*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

* Server auth using Basic with user 'admin'

> POST /services/data/ingest/rfsdestinations HTTP/1.1

> Host: mrt:9091

> Authorization: Basic YWRtaW46Y2hhbmdlbWU=

> User-Agent: curl/7.79.1

> Accept: */*

> Content-Length: 159

> Content-Type: application/x-www-form-urlencoded

> 

* Mark bundle as not supporting multiuse

< HTTP/1.1 201 Created

< Date: Wed, 25 May 2022 20:03:09 GMT

< Expires: Thu, 26 Oct 1978 00:00:00 GMT

< Cache-Control: no-store, no-cache, must-revalidate, max-age=0

< Content-Type: text/xml; charset=UTF-8

< X-Content-Type-Options: nosniff

< Content-Length: 3783

< Vary: Cookie, Authorization

< Connection: Keep-Alive

< X-Frame-Options: SAMEORIGIN

< Server: Splunkd

< 

<?xml version="1.0" encoding="UTF-8"?>

<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

  <title>ingest-rfs-destinations</title>

  <id>https://mrt:9091/services/data/ingest/rfsdestinations</id>

  <updated>2022-05-25T20:03:09+00:00</updated>

  <generator build="fee4ee9be79e70f02f4d13d69c0688e981ab5120" version="20220525"/>

  <author>

    <name>Splunk</name>

  </author>

  <link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>

  <link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>

  <opensearch:totalResults>1</opensearch:totalResults>

  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>

  <opensearch:startIndex>0</opensearch:startIndex>

  <s:messages/>

  <entry>

    <title>s3</title>

    <id>https://mrt:9091/services/data/ingest/rfsdestinations/s3</id>

    <updated>1970-01-01T00:00:00+00:00</updated>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>

    <author>

      <name>system</name>

    </author>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>

    <link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>

    <content type="text/xml">

      <s:dict>

        <s:key name="eai:acl">

          <s:dict>

            <s:key name="app"></s:key>

            <s:key name="can_list">1</s:key>

            <s:key name="can_write">1</s:key>

            <s:key name="modifiable">0</s:key>

            <s:key name="owner">system</s:key>

            <s:key name="perms">

              <s:dict>

                <s:key name="read">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

                <s:key name="write">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

              </s:dict>

            </s:key>

            <s:key name="removable">0</s:key>

            <s:key name="sharing">system</s:key>

          </s:dict>

        </s:key>

        <s:key name="path">s3://s2-testing-infra/data-action1/sharun/</s:key>

        <s:key name="remote.s3.access_key"><hidden></s:key>

        <s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>

        <s:key name="remote.s3.secret_key"><hidden></s:key>

      </s:dict>

    </content>

  </entry>

</feed>



===========================

Note also that this action will create an outputs.conf file with the following stanza:

[rfs:s3]

path = s3://s2-testing-infra/data-action1/sharun/

remote.s3.access_key = $7$F2Amvz3gXvMdCAX9p8RKwjdWKItSkSRakj9G2ZmULuWkccs= (encrypted)

remote.s3.endpoint = https://s3.us-west-2.amazonaws.com

remote.s3.secret_key = $7$AL6QuynbFGdNQu5dwh6puzt9dSFXDKdQn6ypEhVjxz0feAI= (encrypted)
 

Request
Edit a destination:


curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations/s3 -d path=s3://s2-testing-infra/data-action1/sharun100/-d remote.s3.access_key=aaa -d remote.s3.secret_key=bbb -d remote.s3.endpoint=https://s3.us-west-2.amazonaws.com

Response

 *   Trying 10.140.178.120:9011...

* TCP_NODELAY set

* Connected to mrt (10.140.178.120) port 9011 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*   CAfile: /etc/ssl/certs/ca-certificates.crt

  CApath: /etc/ssl/certs

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: CN=SplunkServerDefaultCert; O=SplunkUser

*  start date: May 10 22:10:51 2022 GMT

*  expire date: May  9 22:10:51 2025 GMT

*  issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com

*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

* Server auth using Basic with user 'admin'

> POST /services/data/ingest/rfsdestinations/s3 HTTP/1.1

> Host: mrt:9011

> Authorization: Basic YWRtaW46Y2hhbmdlbWU=

> User-Agent: curl/7.68.0

> Accept: */*

> Content-Length: 208

> Content-Type: application/x-www-form-urlencoded

> 

* upload completely sent off: 208 out of 208 bytes

* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK

< Date: Tue, 31 May 2022 19:01:37 GMT

< Expires: Thu, 26 Oct 1978 00:00:00 GMT

< Cache-Control: no-store, no-cache, must-revalidate, max-age=0

< Content-Type: text/xml; charset=UTF-8

< X-Content-Type-Options: nosniff

< Content-Length: 3786

< Vary: Cookie, Authorization

< Connection: Keep-Alive

< X-Frame-Options: SAMEORIGIN

< Server: Splunkd

< 

<?xml version="1.0" encoding="UTF-8"?>

<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

  <title>ingest-rfs-destinations</title>

  <id>https://mrt:9011/services/data/ingest/rfsdestinations</id>

  <updated>2022-05-31T19:01:37+00:00</updated>

  <generator build="d7f338ee11f8c6ff9ba4e4d98ff6e9b1b8da6a9c" version="20220510"/>

  <author>

    <name>Splunk</name>

  </author>

  <link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>

  <link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>

  <opensearch:totalResults>1</opensearch:totalResults>

  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>

  <opensearch:startIndex>0</opensearch:startIndex>

  <s:messages/>

  <entry>

    <title>s3</title>

    <id>https://mrt:9011/services/data/ingest/rfsdestinations/s3</id>

    <updated>1970-01-01T00:00:00+00:00</updated>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="alternate"/>

    <author>

      <name>system</name>

    </author>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="list"/>

    <link href="/services/data/ingest/rfsdestinations/s3/_reload" rel="_reload"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="edit"/>

    <link href="/services/data/ingest/rfsdestinations/s3" rel="remove"/>

    <content type="text/xml">

      <s:dict>

        <s:key name="eai:acl">

          <s:dict>

            <s:key name="app"></s:key>

            <s:key name="can_list">1</s:key>

            <s:key name="can_write">1</s:key>

            <s:key name="modifiable">0</s:key>

            <s:key name="owner">system</s:key>

            <s:key name="perms">

              <s:dict>

                <s:key name="read">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

                <s:key name="write">

                  <s:list>

                    <s:item>admin</s:item>

                    <s:item>splunk-system-role</s:item>

                  </s:list>

                </s:key>

              </s:dict>

            </s:key>

            <s:key name="removable">0</s:key>

            <s:key name="sharing">system</s:key>

          </s:dict>

        </s:key>

        <s:key name="path">s3://s2-testing-infra/data-action1/sharun100/</s:key>

        <s:key name="remote.s3.access_key"><hidden></s:key>

        <s:key name="remote.s3.endpoint">https://s3.us-west-2.amazonaws.com</s:key>

        <s:key name="remote.s3.secret_key"><hidden></s:key>

      </s:dict>

    </content>

  </entry>

</feed>

Request
Test connection to destination:

curl -v -k -u username:password https://host:port/services/data/ingest/rfsdestinations/a3/test -d path=s3://s2-testing-infra/data-action1/sharun/-d remote.s3.access_key=aaa -d remote.s3.secret_key=bbb -d remote.s3.endpoint=https://s3.us-west-2.amazonaws.com

Response


 *   Trying 10.140.178.120:9011...

* TCP_NODELAY set

* Connected to mrt (10.140.178.120) port 9011 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*   CAfile: /etc/ssl/certs/ca-certificates.crt

  CApath: /etc/ssl/certs

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: CN=SplunkServerDefaultCert; O=SplunkUser

*  start date: May 10 22:10:51 2022 GMT

*  expire date: May  9 22:10:51 2025 GMT

*  issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; emailAddress=support@splunk.com

*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

* Server auth using Basic with user 'admin'

> POST /services/data/ingest/rfsdestinations/a3/test HTTP/1.1

> Host: mrt:9011

> Authorization: Basic YWRtaW46Y2hhbmdlbWU=

> User-Agent: curl/7.68.0

> Accept: */*

> Content-Length: 205

> Content-Type: application/x-www-form-urlencoded

> 

* upload completely sent off: 205 out of 205 bytes

* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK

< Date: Tue, 31 May 2022 19:07:32 GMT

< Expires: Thu, 26 Oct 1978 00:00:00 GMT

< Cache-Control: no-store, no-cache, must-revalidate, max-age=0

< Content-Type: text/xml; charset=UTF-8

< X-Content-Type-Options: nosniff

< Content-Length: 1998

< Vary: Cookie, Authorization

< Connection: Keep-Alive

< X-Frame-Options: SAMEORIGIN

< Server: Splunkd

< 

<?xml version="1.0" encoding="UTF-8"?>

<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->

<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

  <title>ingest-rfs-destinations</title>

  <id>https://mrt:9011/services/data/ingest/rfsdestinations</id>

  <updated>2022-05-31T19:07:32+00:00</updated>

  <generator build="d7f338ee11f8c6ff9ba4e4d98ff6e9b1b8da6a9c" version="20220510"/>

  <author>

    <name>Splunk</name>

  </author>

  <link href="/services/data/ingest/rfsdestinations/_new" rel="create"/>

  <link href="/services/data/ingest/rfsdestinations/_reload" rel="_reload"/>

  <opensearch:totalResults>0</opensearch:totalResults>

  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>

  <opensearch:startIndex>0</opensearch:startIndex>

  <s:messages>

    <s:msg type="INFO">The given s3/s3-supported destination and credentials are valid.</s:msg>

  </s:messages>

</feed>



data/ingest/rulesets

https://<host>:<mPort>/services/data/ingest/rulesets

Retrieve a list of your rulesets.


GET

Return a list of your deployed rulesets.

Request parameters
None

Returned values

Name Description
Name The name of the retrieved ruleset.
Sourcetype The sourcetype of the deployed ruleset.
Rules The rules for your deployed ruleset.

Example request and response.

JSON Request

curl -k -u admin:changeme https://localhost:8089/services/data/ingest/rulesets\?output_mode\=json

JSON Encoded Response

{"links":{},"entry":[{"name":"audittrail_to_s3","content":{"name":"audittrail_to_s3","description":"","sourcetype":"audittrail","rules":[{"name":"fgf5emvw","action":"filter_regex","field":"_raw","match":"lis"},{"name":"ripxbt8o","action":"route_regex","dest":"rfs:s3","field":"_raw","match":"acc"}]}},{"name":"ruleset1","content":{"name":"ruleset1","description":"","sourcetype":"foo1","rules":[]}},{"name":"ruleset_splunkd_ui_access","content":{"name":"ruleset_splunkd_ui_access","description":"x","sourcetype":"splunkd_ui_access","rules":[{"name":"f3kbymjc","action":"filter_regex","field":"_raw","match":"server/health"}]}}]}%

POST

Creates and updates a ruleset.

Request parameters

Name Description
Name The name of the retrieved ruleset.
Sourcetype The sourcetype of the deployed ruleset.
Rules The rules for your deployed ruleset.

Returned values

Name Description
Name The name of the retrieved ruleset.
Sourcetype The sourcetype of the deployed ruleset.
Rules The rules for your deployed ruleset.

Example request and response.

JSON Request

curl -k -u admin:changeme -X POST -d name=hello1 -d sourcetype=foobar1 -d 'rules=[{"name":"r1","action":"filter_regex","match":"hello"}]' https://localhost:8089/services/data/ingest/rulesets\?output_mode\=json

JSON Encoded Response

{"links":{},"entry":[{"name":"audittrail_to_s3","content":{"name":"audittrail_to_s3","description":"","sourcetype":"audittrail","rules":[{"name":"fgf5emvw","action":"filter_regex","field":"_raw","match":"lis"},{"name":"ripxbt8o","action":"route_regex","dest":"rfs:s3","field":"_raw","match":"acc"}]}},{"name":"ruleset1","content":{"name":"ruleset1","description":"","sourcetype":"foo1","rules":[]}},{"name":"ruleset_splunkd_ui_access","content":{"name":"ruleset_splunkd_ui_access","description":"x","sourcetype":"splunkd_ui_access","rules":[{"name":"f3kbymjc","action":"filter_regex","field":"_raw","match":"server/health"}]}}]}%



data/ingest/rulesets/{name}

https://<host>:<mPort>/services/data/ingest/rulesets/{name}

Retrieve a particular ruleset.


GET

Return a named deployed ruleset.

Request parameters
None

Returned values

Name Description
Name The name of the retrieved ruleset.
Sourcetype The sourcetype of the deployed ruleset.
Rules The rules for your deployed ruleset.

Example request and response.

JSON Request

GET /data/ingest/rulesets?output_mode=json

JSON Encoded Response

{
    name: "Drop security data",
    sourcetype: "syslog",
    rules: [
        { name: "Security - rarely important",
          match: "Kerberos service ticket was (requested|renewed)",
          action: "filter_regex"
        } ]
}

POST

Creates and updates a named ruleset.

Request parameters

Name Description
Name The name of the retrieved ruleset.
Match What your deployed ruleset matches.
Action The action that your deployed ruleset does.

Returned values

Name Description
Name The name of the retrieved ruleset.
Match What your deployed ruleset matches.
Action The action that your deployed ruleset does.

Example request and response.

JSON Request

curl -k -u admin:changeme -X POST -d 'rules=[{"name":"r1","action":"filter_regex","match":"hello"}]' https://localhost:8089/services/data/ingest/rulesets/hello1\?output_mode\=json

JSON Encoded Response


{
  "links": {},
  "entry": [
    {
      "name": "hello1",
      "content": {
        "name": "hello1",
        "description": "",
        "sourcetype": "foobar1",
        "rules": [
          {
            "name": "r1",
            "action": "filter_regex",
            "field": "_raw",
            "match": "hello"
          }
        ]
      }
    }
  ]
}




data/ingest/rulesets/publish

https://<host>:<mPort>/services/data/ingest/rulesets/publish

Publish ruleset changes on the indexer cluster manager.


POST

Push the ruleset changes into deployment.


Request parameters
None

Returned values

Name Description
Name The name of the retrieved ruleset.
Match What your deployed ruleset matches.
Action The action that your deployed ruleset does.

Example request and response.

JSON Request

curl -k -u admin:changeme -X POST -d 'rules=[{"name":"r1","action":"filter_regex","match":"hello"}]' https://localhost:8089/services/data/ingest/rulesets/hello1\?output_mode\=json

JSON Encoded Response

{
  "messages": [
    {
      "status": "succeeded",
      "new_checksum": "B4D4DB74DD2BF50AD9D51F999E3EBBAD"
    }
  ]
}




data/inputs/ad

https://<host>:<mPort>/services/data/inputs/ad

Access and configure the active directory monitoring input.


GET

Get the current active directory monitoring configuration.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
disabled Indicates whether this input is disabled.
index The index in which to store the gathered data.

If no value is present, sends data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.
startingNode Tells Splunk software where in the Active Directory directory tree to start monitoring.

If not specified, Splunk software attempts to start at the root of the directory tree.

The user as which you configure Splunk to run at installation determines where Splunk software starts monitoring.

targetDc Fully qualified domain name of a valid, network-accessible Active Directory domain controller.

If not specified, Splunk software obtains the local computer DC by default, and binds to its root Distinguished Name (DN).

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/ad

XML Response

...
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/ad</id>
  <updated>2011-07-29T19:13:28-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/ad/_new" rel="create"/>
  <link href="/services/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>NearestDC</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/ad/NearestDC</id>
    <updated>2011-07-29T19:13:28-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">1</s:key>
        <s:key name="startingNode"/>
        <s:key name="targetDc"/>
      </s:dict>
    </content>
  </entry>


POST

Create or modify performance monitoring settings.

Request parameters

Name Datatype Default Description
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree Number Required. Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
name String Required. A unique name that represents a configuration or set of configurations for a specific domain controller.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible domain controller. If not specified, Splunk software gets the local domain controller.

Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/admin/search/data/inputs/ad -d monitorSubtree=0 -d name=newdc

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:14:57-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/ad/{name}

https://<host>:<mPort>/services/data/inputs/ad/{name}

Manage {name} active directory monitoring.


DELETE

Delete the {name} Active Directory monitoring stanza.

Request parameters
None

Returned values
None

Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:22:50-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Gets the current configuration for the {name} Active Directory monitoring stanza.

Request parameters
None

Returned values

Name Description
Attribute Description
disabled Indicates whether this input is disabled.
index The index in which to store the gathered data.

If no value is present, send data to the default index.

monitorSubtree Indicates whether or not to monitor the subtrees of a given Active Directory tree path.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc

XML Response

...
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:18:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>newdc</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad/newdc</id>
    <updated>2011-07-29T19:18:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>startingNode</s:item>
                <s:item>targetDc</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>monitorSubtree</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubtree">0</s:key>
      </s:dict>
    </content>
  </entry>



POST

Update the {name} Active Directory monitoring stanza.

Request parameters

Name Datatype Default Description
baseline Boolean Indicates whether to query baseline objects. Defaults to true.

Baseline objects are objects which currently reside in Active Directory and include previously deleted objects.

host String Docs-W8R2-Std7 Host name for the Active Directory Monitor.
index String default The index in which to store the gathered data.

If not specified defaults to the default index.

monitorSubtree
required
Number Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no.
printSchema Boolean Indicates whether to print the Active Directory schema. Defaults to true.
source String Source for data inputs.
sourcetype String Source type of data inputs.
startingNode String Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree.
targetDc String Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk software gets the local computer's DC.

Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc -d monitorSubtree=1

XML Response

...
  <title>win-admon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
  <updated>2011-07-29T19:20:16-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>




data/inputs/all

https://<host>:<mPort>/services/data/inputs/all

Access all inputs to the Splunk deployment. This includes any modular inputs that may be defined on the system.


GET

List all inputs, including modular inputs.


Request parameters

Name Datatype Description
common Boolean Indicates whether to return only attributes common to all inputs. The common attributes are as follows.
  • app
  • disabled
  • host
  • index
  • owner
  • source
  • sourcetype
  • title
  • updated

Pagination and filtering parameters can be used with this method.

Returned values
Returns an <entry> element for each input, listing attributes specific to the input. See the following example for more details.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/all

XML Response

...
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>all</title>
  <id>https://localhost:8089/services/data/inputs/all</id>
  <updated>2012-10-01T16:08:24-07:00</updated>
  <generator build="138753" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/all/_new" rel="create"/>
  <link href="/services/data/inputs/all/_reload" rel="_reload"/>
  <link href="/services/data/inputs/all/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title></title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/</id>
    <updated>2012-10-01T16:08:24-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/all//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/all//enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="host">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>$SPLUNK_HOME/etc/splunk.version</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
    <updated>2012-10-01T16:08:24-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_TCP_ROUTING">*</s:key>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="filecount">1</s:key>
        <s:key name="host">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="sourcetype">splunk_version</s:key>
      </s:dict>
    </content>
  </entry>
   . . . elided ...



data/inputs/all/{name}

https://<host>:<mPort>/services/data/inputs/all/{name}

Get information about the {name} input source.

GET

List details for the {name} input.

Request parameters

Name Datatype Description
common Boolean Indicates whether to return only attributes common to all inputs. These common attributes are as follows.
  • app
  • disabled
  • host
  • index
  • owner
  • source
  • sourcetype
  • title
  • updated

Returned values
The response lists attributes for the {name} input. See the following example for details.


Example request and response

XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/all/twitter

XML Response

...
 <title>all</title>
  <id>https://localhost:8089/services/data/inputs/all</id>
  <updated>2012-07-11T08:03:17-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/all/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/inputs/all/twitter</id>
    <updated>2012-07-11T08:03:17-07:00</updated>
    <link href="/services/data/inputs/all/twitter" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/all/twitter" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Twitter.</s:key>
        ... eai:acl nodes and eai:attribute nodes elided ...
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Twitter feed name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="password">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your twitter password</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Password</s:key>
                  </s:dict>
                </s:key>
                <s:key name="username">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Twitter ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Twitter ID/Handle</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">simple</s:key>
        <s:key name="title">Twitter</s:key>
      </s:dict>
    </content>
  </entry>



data/inputs/http

https://<host>:<mPort>/services/data/inputs/http


Access or update HTTP Event Collector global configuration tokens and application tokens.

See also

For more information, see details for the following associated endpoints.


GET

Access global configuration information and a list of tokens

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values
See data/inputs/http/{name} for app-level response data keys.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/http

XML Response

 <title>http</title>
 <id>https://localhost:8089/services/data/inputs/http</id>
 <updated>2015-01-26T22:43:26-08:00</updated>
 <generator build="250128" version="20150120"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/data/inputs/http/_new" rel="create"/>
 <link href="/services/data/inputs/http/_reload" rel="_reload"/>
 ... opensearch elided ...
 <s:messages/>
 <entry>
   <title>http</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http</id>
   <updated>2015-01-26T22:43:26-08:00</updated>
   <link href="/servicesNS/nobody/system/data/inputs/http/http" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/inputs/http/http" rel="list"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="_rcvbuf">1572864</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl elided ...
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:userName">admin</s:key>
       <s:key name="host">$decideOnStartup</s:key>
       <s:key name="index">default</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>http://%22myapp"</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22</id>
   <updated>2015-01-26T22:43:26-08:00</updated>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="list"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="_rcvbuf">1572864</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl elided ...
       <s:key name="eai:appName">search</s:key>
       <s:key name="eai:userName">admin</s:key>
       <s:key name="host">$decideOnStartup</s:key>
       <s:key name="index">default</s:key>
       <s:key name="token">3DEA16E1-413A-46C2-A74F-E79DC3DF3CA2</s:key>
     </s:dict>
   </content>
 </entry>



POST

Modify global configuration. Add and modify tokens.

Global request parameters

Name Datatype Default Description
dedicatedIoThreads Number 2 Number of threads used by HTTP Input server.
disabled Boolean 1 Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
enableSSL Boolean 1 Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled.
index String Index to store generated events.
indexes String Set of indexes allowed for events with this token.
maxSockets Number 0 Maximum number of simultaneous HTTP connections accepted. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS.
maxThreads Number 0 Maximum number of threads that can be used by active HTTP transactions. Adjusting this value may cause server performance issues and is not generally recommended. Possible values for this setting vary by OS.
name
required
String Token name (inputs.conf key)
port
Number 8088 HTTP data input IP port.
source String Default source for events with this token.
sourcetype String Default sourcetype for events with this token.
useDeploymentServer Boolean 0 (disabled) Indicates whether the event collector input writes its configuration to a deployment server repository.

When this setting is set to 1 (enabled), the input writes its configuration to the directory specified as repositoryLocation in serverclass.conf.

Copy the full contents of the splunk_httpinput app directory to this directory for the configuration to work.

When enabled, only the tokens defined in the splunk_httpinput app in this repository are viewable and editable on the API and the Data Inputs page in Splunk Web.

When disabled, the input writes its configuration to $SPLUNK_HOME/etc/apps by default.

Defaults to 0 (disabled).


Application-level request parameters

Name Datatype Default Description
disabled Boolean 1 Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
index String Index to store generated events.
indexes String Set of indexes allowed for events with this token.
name
required
String Token name (inputs.conf key)
source String Default source for events with this token.
sourcetype String Default sourcetype for events with this token.


Global returned values

Name Description
dedicatedIoThreads Number of threads used by HTTP Input server.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
enableSSL Enable SSL protocol for HTTP data input. 1 = SSL enabled, 0 = SSL disabled.
host Host from which the indexer gets data.
index Index to store generated events.
indexes Set of indexes allowed for events with this token.
port
HTTP data input IP port.
_rcvbuf Socket receive buffer size (bytes).
source Default source for events with this token.
sourcetype Default sourcetype for events with this token.
useDeploymentServer Boolean 0 (disabled) Indicates whether the event collector input writes its configuration to a deployment server repository.

When this setting is set to 1 (enabled), the input writes its configuration to the directory specified as repositoryLocation in serverclass.conf.

Copy the full contents of the splunk_httpinput app directory to this directory for the configuration to work.

When enabled, only the tokens defined in the splunk_httpinput app in this repository are viewable and editable on the API and the Data Inputs page in Splunk Web.

When disabled, the input writes its configuration to $SPLUNK_HOME/etc/apps by default.

Defaults to 0 (disabled).


Application-level returned values

Name Description
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
_rcvbuf Socket receive buffer size (bytes).
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http -d name=myapp

XML Response

...
 <title>http</title>
 <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
 <updated>2015-01-30T12:45:28-08:00</updated>
 <generator build="250128" version="20150120"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
 <link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
 ... opensearch ...
 <s:messages/>
 <entry>
   <title>http://myapp</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
   <updated>2015-01-30T12:45:28-08:00</updated>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="_rcvbuf">1572864</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl ...
       <s:key name="eai:appName">system</s:key>
       <s:key name="eai:userName">nobody</s:key>
       <s:key name="host">$decideOnStartup</s:key>
       <s:key name="index">default</s:key>
       <s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
     </s:dict>
   </content>
 </entry>



data/inputs/http/{name}

https://<host>:<mPort>/services/data/inputs/http/{name}


Manage the {name} HTTP Event Collector token. HTTP, as in data/inputs/http/http, indicates global configuration.

See also

For more information, see details for the following associated endpoints.


DELETE

Delete a token.

Request parameters
None

Returned values
None


Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/http/http%3A%252F%252Fmyapp

XML Response

 <title>http</title>
 <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
 <updated>2015-01-30T13:03:18-08:00</updated>
 <generator build="250128" version="20150120"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
 <link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
 ... opensearch elided ...
 <s:messages/>
</feed>



GET

Get token configuration details.

Request parameters
None

Global response data keys

Name Description
_rcvbuf Socket receive buffer size (bytes).
dedicatedIoThreads Number of threads for HTTP event collector server.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
enableSSL SSL enablement status.
host Host from which the indexer gets data.
index Index to store generated events.
port HTTP data event collector IP port.
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.
useDeploymentServer Indicates whether the event collector input writes its configuration to a deployment server repository.

When this setting is set to 1 (enabled), the input writes its configuration to the directory specified as repositoryLocation in serverclass.conf.

Copy the full contents of the splunk_httpinput app directory to this directory for the configuration to work.

When enabled, only the tokens defined in the splunk_httpinput app in this repository are viewable and editable on the API and the Data Inputs page in Splunk Web.

When disabled, the input writes its configuration to $SPLUNK_HOME/etc/apps by default.

Defaults to 0 (disabled).


Application-level response data keys

Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089//servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/http/%252Fvar%252Flog

XML Response

...
 <title>http</title>
 <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
 <updated>2015-01-26T23:01:34-08:00</updated>
 <generator build="250128" version="20150120"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
 <link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
 ... opensearch elided ...
 <s:messages/>
 <entry>
   <title>http://%22myapp"</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22</id>
   <updated>2015-01-26T23:01:34-08:00</updated>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="list"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252F%22myapp%22/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="_rcvbuf">1572864</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl elided ...
       <s:key name="eai:appName">system</s:key>
       ... eai:attributes elided ...
       <s:key name="eai:userName">nobody</s:key>
       <s:key name="host">$decideOnStartup</s:key>
       <s:key name="index">default</s:key>
       <s:key name="token">3DEA16E1-413A-46C2-A74F-E79DC3DF3CA2</s:key>
     </s:dict>
   </content>
 </entry>



POST

Update token configuration information.

Request parameters

Name Datatype Default Description
disabled Boolean 1 Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host String Default host.
index String Index to store generated events.
indexes String Set of indexes allowed for events with this token.
name String Required. Token name (inputs.conf key)
source String Default source for events with this token.
sourcetype String Default sourcetype for events with this token.
useDeploymentServer Boolean 0 (disabled) Indicates whether the event collector input writes its configuration to a deployment server repository.

When this setting is set to 1 (enabled), the input writes its configuration to the directory specified as repositoryLocation in serverclass.conf.

Copy the full contents of the splunk_httpinput app directory to this directory for the configuration to work.

When enabled, only the tokens defined in the splunk_httpinput app in this repository are viewable and editable on the API and the Data Inputs page in Splunk Web.

When disabled, the input writes its configuration to $SPLUNK_HOME/etc/apps by default.

Defaults to 0 (disabled).

Returned values

Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Source for events with this token.
sourcetype Sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.
useDeploymentServer Indicates whether the event collector input writes its configuration to a deployment server repository.

When this setting is set to 1 (enabled), the input writes its configuration to the directory specified as repositoryLocation in serverclass.conf.

Copy the full contents of the splunk_httpinput app directory to this directory for the configuration to work.

When enabled, only the tokens defined in the splunk_httpinput app in this repository are viewable and editable on the API and the Data Inputs page in Splunk Web.

When disabled, the input writes its configuration to $SPLUNK_HOME/etc/apps by default.

Defaults to 0 (disabled).


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http%3A%252F%252Fmyapp -d recursive=false

XML Response

...
 <title>http</title>
 <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
 <updated>2015-01-30T12:51:17-08:00</updated>
 <generator build="250128" version="20150120"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
 <link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
 ... opensearch elided ...
 <s:messages/>
 <entry>
   <title>http://myapp</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
   <updated>2015-01-30T12:51:17-08:00</updated>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="_rcvbuf">1572864</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl elided ...
       <s:key name="eai:appName">system</s:key>
       <s:key name="eai:userName">nobody</s:key>
       <s:key name="host">$decideOnStartup</s:key>
       <s:key name="index">default</s:key>
       <s:key name="recursive">false</s:key>
       <s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
     </s:dict>
   </content>
 </entry>



data/inputs/http/{name}/disable

https://<host>:<mPort>/services/data/inputs/http/{name}/disable

Disable the {name} HTTP Event Collector token.

See also


POST

Disable the {name} HTTP Event Collector token.

Request parameters
None

Returned values

Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Default source for events with this token.
sourcetype Default sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http/http%3A%252F%252Fmyapp/disable

XML Response

 <title>http</title>
 <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
 <updated>2015-01-30T12:59:44-08:00</updated>
 <generator build="250128" version="20150120"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
 <link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
 ... opensearch elided ...
 <s:messages/>
 <entry>
   <title>http://myapp</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
   <updated>2015-01-30T12:59:44-08:00</updated>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/enable" rel="enable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="_rcvbuf">1572864</s:key>
       <s:key name="disabled">1</s:key>
       ... eai:acl elided ...
       <s:key name="eai:appName">system</s:key>
       <s:key name="eai:userName">nobody</s:key>
       <s:key name="host">$decideOnStartup</s:key>
       <s:key name="index">default</s:key>
       <s:key name="recursive">false</s:key>
       <s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
     </s:dict>
   </content>
 </entry>



data/inputs/http/{name}/enable

https://<host>:<mPort>/services/data/inputs/http/{name}/enable

Enable the {name} HTTP Event Collector token.

The POST request to this endpoint reloads the HTTP Event Collector server, including when the server is already enabled and running.

See also


POST

Enable the {name} HTTP Event Collector token.

The POST request reloads the HTTP Event Collector server, including when the server is already enabled and running.

Request parameters
None

Returned values

Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.
source Default source for events with this token.
sourcetype Default sourcetype for events with this token.
token Token value for sending data to collector/event endpoint.


Example request and response

XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/http/http%3A%252F%252Fmyapp/enable

XML Response

...
 <title>http</title>
 <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http</id>
 <updated>2015-01-30T12:56:38-08:00</updated>
 <generator build="250128" version="20150120"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/servicesNS/nobody/system/data/inputs/http/_new" rel="create"/>
 <link href="/servicesNS/nobody/system/data/inputs/http/_reload" rel="_reload"/>
 ... opensearch elided ...
 <s:messages/>
 <entry>
   <title>http://myapp</title>
   <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp</id>
   <updated>2015-01-30T12:56:38-08:00</updated>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="alternate"/>
   <author>
     <name>nobody</name>
   </author>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="list"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="edit"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp" rel="remove"/>
   <link href="/servicesNS/nobody/system/data/inputs/http/http%3A%252F%252Fmyapp/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="_rcvbuf">1572864</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl elided ...
       <s:key name="eai:appName">system</s:key>
       <s:key name="eai:userName">nobody</s:key>
       <s:key name="host">$decideOnStartup</s:key>
       <s:key name="index">default</s:key>
       <s:key name="recursive">false</s:key>
       <s:key name="token">AABD8B82-2810-4BE8-823F-FE6C15ECB46E</s:key>
     </s:dict>
   </content>
 </entry>



data/inputs/http/{name}/rotate

https://<host>:<mPort>/services/data/inputs/http/{name}/rotate

Regenerate the {name} token value.


POST

Regenerate the {name} token value.

Request parameters
None

Returned values

Name Description
token Regenerated token value.


Example request and response

XML Request

curl -u admin:changeme https://localhost:8089/servicesNS/nobody/splunk_httpinput/data/inputs/http/my_app_name/rotate -X post

XML Response

<?xml version="1.0" encoding="UTF-8"?>
        . . . . . .
        <s:key name="token">64D47EC6-C510-4519-A520-EC4CAA157B97</s:key>
        . . . . . .
</feed>

data/inputs/monitor

https://<host>:<mPort>/services/data/inputs/monitor

Access monitor inputs.


GET

List enabled and disabled monitor inputs.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
_TCP_ROUTING List of TCP forwarding groups, as specified in outputs.conf.
disabled Indicates if inputs monitoring is disabled.
filecount Number of files monitored.
host Name of the Splunk host for which inputs are monitored.
index The index in which to store the gathered data.
sourcetype Source type being monitored.

The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk software formats your data.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/monitor

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/services/data/inputs/monitor</id>
  <updated>2011-07-10T14:25:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/monitor/_new" rel="create"/>
  <link href="/services/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>$SPLUNK_HOME/etc/splunk.version</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
    <updated>2011-07-10T14:25:53-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_TCP_ROUTING">*</s:key>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="filecount">1</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="sourcetype">splunk_version</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create a new file or directory monitor input.


Request parameters

Name Datatype Description
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the index value is checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the name value is checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time is read from the end.
host String The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separate segment of the filepath as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index String Which index events from this input should be stored in. Defaults to default.
name String Required. The file or directory path to monitor on the system.
recursive Boolean Setting this to false prevents monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk software reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name=/var/log

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:27:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/monitor/{name}

https://<host>:<mPort>/services/data/inputs/monitor/{name}

Manage the {name} monitor input.


DELETE

Disable the named monitor data input and remove it from the configuration.

Request parameters
None

Returned values
None


Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:35-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

List the properties of a single monitor data input.

Request parameters
None

Returned values

Name Description
disabled Indicates if inputs monitoring is disabled.
filecount Number of files being monitored.
host Name of the Splunk host for which inputs are monitored.
index The index events from this input should be stored in.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:33:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog</id>
    <updated>2011-07-10T14:33:54-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members" rel="members"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>blacklist</s:item>
                <s:item>check-index</s:item>
                <s:item>check-path</s:item>
                <s:item>crc-salt</s:item>
                <s:item>followTail</s:item>
                <s:item>host</s:item>
                <s:item>host_regex</s:item>
                <s:item>host_segment</s:item>
                <s:item>ignore-older-than</s:item>
                <s:item>index</s:item>
                <s:item>recursive</s:item>
                <s:item>rename-source</s:item>
                <s:item>sourcetype</s:item>
                <s:item>time-before-close</s:item>
                <s:item>whitelist</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="filecount">108</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update properties of the named monitor input.

Request parameters

Name Datatype Description
blacklist String Specify a regular expression for a file path. The file path that matches this regular expression is not indexed.
check-index Boolean If set to true, the "index" value is checked to ensure that it is the name of a valid index.
check-path Boolean If set to true, the "name" value is checked to ensure that it exists.
crc-salt String A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation).
disabled Boolean Indicates if input monitoring is disabled.
followTail Boolean If set to true, files that are seen for the first time is read from the end.
host String The value to populate in the host field for events from this data input.
host_regex String Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.
host_segment Number Use the specified slash-separate segment of the filepath as the host field value.
ignore-older-than String Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored.
index String Which index events from this input should be stored in. Defaults to default.
recursive Boolean Setting this to "false" prevents monitoring of any subdirectories encountered within this data input.
rename-source String The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.
time-before-close Number When Splunk software reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data.
whitelist String Specify a regular expression for a file path. Only file paths that match this regular expression are indexed.


Returned values
None


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog -d recursive=false

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:35:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/monitor/{name}/members

https://<host>:<mPort>/services/data/inputs/monitor/{name}/members

List {name} monitor input files.


GET

List all files monitored under the named monitor input.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values
The response includes a list of monitored files. See the following example for more details.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
  <updated>2011-07-10T14:34:28-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log/acpid</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid</id>
    <updated>2011-07-10T14:34:28-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
      </s:dict>
    </content>
  </entry>
  . . . elided . . .
</feed>



data/inputs/oneshot

https://<host>:<mPort>/services/data/inputs/oneshot

Access oneshot inputs in progress or queue a file for immediate indexing.

GET

Access oneshot inputs in progress.

Request parameters
None

Returned values

Name Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.


Example request and response

XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/oneshot

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log/distccd.log</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log</id>
    <updated>2011-07-08T01:48:04-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">7200768</s:key>
        <s:key name="Offset">7200768</s:key>
        <s:key name="Size">449630160</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:47:53 PDT 2011</s:key>
        ... eai:acl node elided ...
      </s:dict>
    </content>
  </entry>
</feed>



POST

Queue a file for immediate indexing.

Usage details
The file being queued must be locally accessible from the server. This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether it is already indexed.

Request parameters

Name Datatype Default Description
host String The value of the host field to be applied to data from this file.
host_regex String A regex to be used to extract a host field from the path.

If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group.

host_segment Number Use the specified slash-separate segment of the path as the host field value.
index String The destination index for data processed from this file.
name String Required. The path to the file to be indexed. The file must be locally accessible by the server.
rename-source String The value of the source field to be applied to data from this file.
sourcetype String The value of the sourcetype field to be applied to data from this file.

Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/oneshot -d name=/var/log/messages

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:48:04-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/oneshot/{name}

https://<host>:<mPort>/services/data/inputs/oneshot/{name}

Get information about the {name} one-shot input.


GET

Access information about the {name} in-progress oneshot input.

Request parameters
None

Returned values

Name Description
Bytes Indexed Total number of bytes read and sent to the pipeline for indexing during a oneshot input.

This total includes the uncompressed byte count from a source file that is compressed on disk.

Offset Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.

You can obtain the percentage of a source file read by calculating offset/size.

Size Size of the source file, in bytes.

You can obtain the percentage of a source file read by calculating offset/size.

Sources Indexed Indicates the number of sources read from a file in a compressed format such as tar or zip.

A value of 0 indicates the source file was not compressed.

Spool Time Time that the request was made to read the source file.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>oneshotinput</title>
  <id>https://localhost:8089/services/data/inputs/oneshot</id>
  <updated>2011-07-08T01:49:20-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/oneshot/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/var/log/messages</title>
    <id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages</id>
    <updated>2011-07-08T01:49:20-07:00</updated>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Bytes Indexed">114822</s:key>
        <s:key name="Offset">114822</s:key>
        <s:key name="Size">114822</s:key>
        <s:key name="Sources Indexed">0</s:key>
        <s:key name="Spool Time">Fri Jul  8 01:48:04 PDT 2011</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/registry

https://<host>:<mPort>/services/data/inputs/registry

Access the Windows registry monitoring input.


GET

Get current registry monitoring configuration details.

Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
baseline Indicates whether or not Splunk software should get a baseline of Registry events when it starts. Defaults to false.

If true, the input captures a baseline for the specified hive when the input starts for the first time.

disabled Indicats whether this input is disabled.
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type A regular expression that specifies the types of Registry events to monitor.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/registry

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/registry</id>
  <updated>2011-07-29T19:31:32-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/registry/_new" rel="create"/>
  <link href="/services/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Machine keys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/Machine%20keys</id>
    <updated>2011-07-29T19:31:32-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">0</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hive">HKLM</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Creates new or modify existing registry monitoring settings.

Request parameters

Name Datatype Default Description
baseline Boolean Required. Indicate whether to establish a baseline value for the registry keys. Use 1 to establish the baseline, 0 for no baseline.
hive String Required. Specify the registry hive for monitoring changes.
name String Required. Name of the configuration stanza.
proc String Required. Specify a regex for collecting changes if a process name matches the regex.
type String Required. List registry event types that you want to monitor. Separate each type with a pipe ('|') character. For example,
set | create | delete | rename
disabled Boolean Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all registry hives beneath the specified hive.

Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry -d baseline=1 -d hive="HKU\\.*" -d name=mykeys -d proc="c:\\.*" -d type="set|create|delete|rename"

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:29:18-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/registry/{name}

https://<host>:<mPort>/services/data/inputs/registry/{name}

Manage registry monitoring {name} stanza.


DELETE

Delete a registry monitoring configuration stanza.

Request parameters
None

Returned values
None


Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:54-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>


GET

Gets current registry monitoring configuration stanza

Request parameters
None

Returned values

Name Description
baseline Indicates whether to get a baseline of Registry events when Splunk software starts.
disabled Indicates if the input is disabled.
hive Regular expression for Registry hives that this input should monitor for Registry access.

Matches against the Registry key which was accessed.

Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through.

index Specifies the index that this input should send the data to.

If no value is present, defaults to the default index.

monitorSubnodes Indicates whether to monitor all Registry hives beneath the specified hive.
proc Regular expression for processes this input should monitor for Registry access.

It matches against the process name which performed the Registry access.

Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through.

type Regular expression that specifies the types of Registry events to monitor.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:33:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>mykeys</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/mykeys</id>
    <updated>2011-07-29T19:33:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="baseline">1</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>monitorSubnodes</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>baseline</s:item>
                <s:item>hive</s:item>
                <s:item>proc</s:item>
                <s:item>type</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hive">HKU</s:key>
        <s:key name="index">default</s:key>
        <s:key name="monitorSubnodes">1</s:key>
        <s:key name="proc">c:\.*</s:key>
        <s:key name="type">
          <s:list>
            <s:item>set</s:item>
            <s:item>create</s:item>
            <s:item>delete</s:item>
            <s:item>rename</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Modify the named registry monitoring stanza.


Request parameters

Name Datatype Default Description
baseline Number Required. Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no.
hive String Required. Specifies the registry hive under which to monitor for changes.
proc String Required. Specifies a regex. If specified, collect changes if a process name matches that regex.
type String Required. A list of registry events types that you want to monitor. Separate each type with a pipe ('|') character.

For example:

set | create | delete | rename
disabled Number Indicates whether the monitoring is disabled.
index String default The index in which to store the gathered data.
monitorSubnodes Boolean True Indicates whether to monitor all Registry hives beneath the specified hive.

Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys -d baseline=1 -d hive="HKU\\.*" -d proc="c:\\.*" -d type="set|create"

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-regmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
  <updated>2011-07-29T19:36:07-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/script

https://<host>:<mPort>/services/data/inputs/script

Access scripted inputs.

GET

Get the configuration settings for scripted inputs.


Request parameters
Pagination and filtering parameters can be used with this method.

Returned values

Name Description
disabled Specifies whether the input script is disabled.
endtime If available, the time when the script stopped executing.
group The name of the inputstatus group, which is always "exec commands."
host Host with which these data are identified.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

source The source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

sourcetype Sets the sourcetype key/field for events from this input. If unset, Splunk software picks a source type based on various aspects of the data. There is no hard-coded default.

For more information, see the documentation for the sourcetype parameter for the POST operation.

starttime If available, the time the when the script was executed.


Example request and response

XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/script

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/services/data/inputs/script</id>
  <updated>2011-07-09T20:16:11-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/script/_new" rel="create"/>
  <link href="/services/data/inputs/script/_reload" rel="_reload"/>
  <link href="/services/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh</id>
    <updated>2011-07-09T20:16:11-07:00</updated>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="list"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="edit"/>
    <link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="endtime">Sat Jul  9 20:15:54 2011</s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">myhost.splunk.com</s:key>
        <s:key name="index">os</s:key>
        <s:key name="interval">30</s:key>
        <s:key name="source">cpu</s:key>
        <s:key name="sourcetype">cpu</s:key>
        <s:key name="starttime">Sat Jul  9 20:15:52 2011</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Configure scripted input settings.

Request parameters

Name Datatype Default Description
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval Number 60.0 Required. Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
name String Required. Specify the name of the scripted input.
passAuth String User to run the script as.

If you provide a username, Splunk software generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk software picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script -d name=/Applications/splunk4.3/etc/apps/myApp/bin/myScript.sh -d disabled=true -d interval=3600

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:25:17-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/script/restart

https://<host>:<mPort>/services/data/inputs/script/restart

Allows for restarting scripted inputs.

POST

Causes a restart on a given scripted input.

Request parameters

Name Datatype Default Description
script String Required. Path to the script to be restarted. This path must match an already-configured existing scripted input.

Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/restart -d script=/Applications/splunk/bin/scripts/myScript.sh

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:38:38-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/script/{name}

https://<host>:<mPort>/services/data/inputs/script/{name}

Manage the {name} scripted input.


DELETE

Removes the {name} scripted input.

Request parameters
None

Returned values
None


Example request and response

XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk4.3%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:29:18-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Returns the configuration settings for the {name} scripted input.

Request parameters
None

Returned values

Name Description
disabled Specifies whether the input script is disabled.
group The name of the inputstatus group, which is always "exec commands."
host Host these data are identified with.
index Sets the index for events from this input. Defaults to the main index.
interval An integer or cron schedule.

Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T21:53:43-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh</id>
    <updated>2011-07-09T21:53:43-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>interval</s:item>
                <s:item>rename-source</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">exec commands</s:key>
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
        <s:key name="interval">3600</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Configures settings for the {name} scripted input.

Request parameters

Name Datatype Default Description
disabled Boolean Specifies whether the input script is disabled.
host String Sets the host for events from this input. Defaults to whatever host sent the event.
index String default Sets the index for events from this input. Defaults to the main index.
interval Number 60.0 Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up.
passAuth String User to run the script as.

If you provide a username, Splunk software generates an auth token for that user and passes it to the script.

rename-source String Specify a new name for the source field for the script.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value.


sourcetype String Sets the sourcetype key/field for events from this input. If unset, Splunk software picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.

Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time.

Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing.

Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh -d interval=86400

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>script</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
  <updated>2011-07-09T20:27:59-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/tcp/cooked

https://<host>:<mPort>/services/data/inputs/tcp/cooked


Access cooked TCP input information and create new containers for managing cooked data.

Usage details
Forwarders can transmit three types of data: raw, unparsed, or parsed. "Cooked" data refers to parsed and unparsed formats.


GET

Access information about all cooked TCP inputs.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/cooked

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:50:50-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>9993</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9993</id>
    <updated>2011-07-10T14:50:50-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create a new container for managing cooked data.

Request parameters

Name Datatype Default Description
SSL Boolean If SSL is not already configured, error is returned
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is dns.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
name Number Required. The port number of this input.
queue "parsingQueue" | "indexQueue" "parsingQueue" Specifies where the input processor should deposit the events it reads.
restrictToHost String Restrict incoming connections on this port to the host specified here.


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked -d name=9998

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:33-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/tcp/cooked/{name}

https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}


Manage cooked TCP inputs for the {name} host or port.


DELETE

Remove the cooked TCP inputs for port or host:port specified by {name}.

Request parameters
None


Returned values
None

Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/tiny:9998

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:54:45-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Access information for the {name} cooked TCP input.

Usage details
If port is restricted to a host, {name} should be a URI-encoded host:port.

Request parameters
None


Returned values

Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host The default value to fill in for events lacking a host value.
index The index in which to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:40-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>9998</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998</id>
    <updated>2011-07-10T14:52:40-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update the container for managing cooked data.


Request parameters

Name Datatype Default Description
SSL Boolean If SSL is not already configured, error is returned
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the input is disabled.
host String The default value to fill in for events lacking a host value.
restrictToHost String Restrict incoming connections on this port to the host specified here.


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998 -d restrictToHost=tiny

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-10T14:52:54-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/tcp/cooked/{name}/connections

https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}/connections

Get active connections to the {name} port.


GET

List active connections to the {name} port.

Request parameters
None

Returned values

Name Description
connection Identifies the connection to port.
servername Server name of forwarder connecting to this port.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>cooked</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
  <updated>2011-07-13T14:55:18-0700</updated>
  <generator version="101277"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Cooked:9998:127.0.0.1:20089</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089</id>
    <updated>2011-07-13T14:55:18-0700</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1:20089</s:key>
        ... eai:acl node elided ...
        <s:key name="servername">fool03.splunk.com</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/tcp/raw

https://<host>:<mPort>/services/data/inputs/tcp/raw


Container for managing raw tcp inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.


Authentication and authorization
The edit_tcp capability is required for this endpoint.


GET

Get information about all raw TCP inputs.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index The index in which to store generated events.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44000</id>
    <updated>2011-07-08T02:30:30-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create a new data input for accepting raw TCP data.


Request parameters

Name Datatype Default Description
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String Host from which the indexer gets data.
index String default Index to store generated events.
name
required
String The input port which receives raw data.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and the online documentation at "Monitor files and directories with inputs.conf"

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.

If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
SSL Boolean
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw -d name=44343

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/tcp/raw/{name}

https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}

Manage raw inputs for the {name} host or port.

Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.


DELETE

Remove the raw inputs for port or host:port specified by {name}


Request parameters
None


Returned values
None


Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:31-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Returns information about raw TCP input port {name}.

If port is restricted to a host, name should be URI-encoded host:port.


Request parameters
None


Returned values

Name Description
_rcvbuf [Deprecated]
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index Index to store generated events.
restrictToHost Restrict incoming connections on this port to the specified host.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:37:09-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44343</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343</id>
    <updated>2011-07-08T02:37:09-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>SSL</s:item>
                <s:item>connection_host</s:item>
                <s:item>disabled</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>queue</s:item>
                <s:item>restrictToHost</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


POST

Updates the container for managing raw data.


Request parameters

Name Datatype Default Description
SSL Boolean
connection_host Enum dns Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates whether the inputs are disabled.
host String Host from which the indexer gets data.
index String default Index to store generated events.
queue Enum Valid values: (parsingQueue | indexQueue)

Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue.

Set queue to parsingQueue to apply props.conf and other parsing rules to your data. For more information about props.conf and rules for timestamping and linebreaking, refer to props.conf and Monitor files and directories with inputs.conf.

Set queue to indexQueue to send your data directly into the index.

rawTcpDoneTimeout Number Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.

If a connection over the port specified by name remains idle after receiving data for specified number of seconds, it adds a Done-key. This implies the last event is completely received.

restrictToHost String Allows for restricting this input to only accept data from the host specified here.
source String Sets the source key/field for events from this input. Defaults to the input file path.

Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'.

Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value.

sourcetype String Set the source type for events from this input.

"sourcetype=" is automatically prepended to <string>.

Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false).


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343 -d sourcetype=syslog

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>raw</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
  <updated>2011-07-08T02:30:30-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/tcp/raw/{name}/connections

https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}/connections

Get active connections the {name} host or port.


Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.


GET

View all connections to the named data input.


Request parameters
None


Returned values

Name Description
connection IP address and port of the source connecting to this TCP input port.
servername DNS name of the source connecting to this TCP input port.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw/9998/connections

XML Response

...
  <title>raw</title>
  <id>https://localhost:8089/services/data/inputs/tcp/raw</id>
  <updated>2011-07-13T16:14:33-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Raw:9998:127.0.0.1</title>
    <id>https://localhost:8089/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1</id>
    <updated>2011-07-13T16:14:33-07:00</updated>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="list"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1/_reload" rel="_reload"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="edit"/>
    <link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="connection">9998:127.0.0.1</s:key>
        ... eai:acl node elided ...
        <s:key name="servername"></s:key>
      </s:dict>
    </content>
  </entry>



data/inputs/tcp/splunktcptoken

https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken

Manage receiver access using tokens.

Usage details
Get information on all receiver tokens or create a new token. To edit or delete an existing token, see data/inputs/tcp/splunktcptoken/{name}.

Note: Configure the forwarder with the same token as the receiver to ensure that the forwarder receives data.

Authentication and Authorization:
The edit_splunktcp_token capability is required for this endpoint.


GET

Return all configured tokens.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Response data keys are returned for each receiver token.

Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.


Example request and response


XML Request

curl  -k -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken

XML Response

<title>splunktcptoken</title>
  <id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
  <updated>2015-09-16T09:31:52-07:00</updated>
  <generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>splunktcptoken://tok1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
    <updated>2015-09-16T09:31:52-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="host">$decideOnStartup</s:key>
        <s:key name="index">default</s:key>
        <s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>splunktcptoken://tok3</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3</id>
    <updated>2015-09-16T09:31:52-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok3/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="host">$decideOnStartup</s:key>
        <s:key name="index">default</s:key>
        <s:key name="token">4EFFBD13-B26F-4F3A-BED9-03850001EDA1</s:key>
      </s:dict>
    </content>
  </entry>



POST

Create a new token.

Request parameters

Pagination and filtering parameters can be used with this method.

Name Datatype Default Description
name String None Required. Name for the token to create.
token String None Optional. Token value to use. If unspecified, a token is generated automatically.


Returned values

Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.


Example request and response


XML Request

curl  -k -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken -d "name=tok1" -d "token=99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF"

XML Response

 <title>splunktcptoken</title>
  <id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
  <updated>2015-09-16T09:27:03-07:00</updated>
  <generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>splunktcptoken://tok1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
    <updated>2015-09-16T09:27:03-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="host">$decideOnStartup</s:key>
        <s:key name="index">default</s:key>
        <s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
      </s:dict>
    </content>
  </entry>




data/inputs/tcp/splunktcptoken/{name}

https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken/{name}

Manage existing receiver tokens.

Authentication and Authorization
The edit_splunktcp_token capability is required for this endpoint.


GET

Access token information.

Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/splunktcptoken

XML Response

...
 <title>splunktcptoken</title>
  <id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
  <updated>2015-09-16T09:28:22-07:00</updated>
  <generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>splunktcptoken://tok1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
    <updated>2015-09-16T09:28:22-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>token</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="host">$decideOnStartup</s:key>
        <s:key name="index">default</s:key>
        <s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
      </s:dict>
    </content>
  </entry>



POST

Update the {name} token.

Request parameters

Name Datatype Default Description
token String None New token value.

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.


Example request and response


XML Request

curl  -k -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken/tok1

XML Response

...
    <title>splunktcptoken://tok1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1</id>
    <updated>2015-09-16T09:28:22-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/tcp/splunktcptoken/splunktcptoken%3A%252F%252Ftok1/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>token</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="host">$decideOnStartup</s:key>
        <s:key name="index">default</s:key>
        <s:key name="token">99C91C9E-F92E-40AF-BCDC-1A6AD2DC7AEF</s:key>
...



DELETE

Delete the {name} token.


Request parameters
None.

Returned values

Name Description
host Host from which the indexer gets data.
index Index to store generated events.
token Token value.

Example request and response


XML Request

curl -k -X "DELETE" -u admin:changeme https://localhost:8089/services/data/inputs/tcp/splunktcptoken/tok1 

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>splunktcptoken</title>
  <id>https://localhost:8089/services/data/inputs/tcp/splunktcptoken</id>
  <updated>2015-09-16T09:34:51-07:00</updated>
  <generator build="71e3b8d1908254f21434f97320ac5ad7e6bb1c16" version="20150910"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/splunktcptoken/_new" rel="create"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_reload" rel="_reload"/>
  <link href="/services/data/inputs/tcp/splunktcptoken/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>



data/inputs/tcp/ssl

https://<host>:<mPort>/services/data/inputs/tcp/ssl

Provides access to the SSL configuration of a Splunk server.


GET

Get SSL configuration details. There is only one SSL configuration for all input ports.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
_rcvbuf [Deprecated]
cipherSuite Specifies list of acceptable ciphers to use in ssl.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:02:58-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:02:58-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/tcp/ssl/{name}

https://<host>:<mPort>/services/data/inputs/tcp/ssl/{name}


Access or update the SSL configuration for the {name} host.


GET

Returns the SSL configuration for the host {name}.


Request parameters
None


Returned values

Name Description
_rcvbuf [Deprecated]
cipherSuite Specifies list of acceptable ciphers to use in ssl.
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
host Host from which the indexer gets data.
index Index to store generated events.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:04:41-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title/>
    <id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
    <updated>2011-07-12T15:04:41-07:00</updated>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="host">ombroso-mbp15.splunk.com</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Configure SSL for the {name} host.


Request parameters

Name Datatype Default Description
disabled Boolean Indicates whether the inputs are disabled.
password String Server certificate password, if any.
requireClientCert Boolean Determines whether a client must authenticate.
rootCA String Certificate authority list (root file)
serverCert String Full path to the server certificate.


Returned values
None


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl -d disabled=true

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>ssl</title>
  <id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
  <updated>2011-07-12T15:05:42-07:00</updated>
  <generator version="102824"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/udp

https://<host>:<mPort>/services/data/inputs/udp


Access or create UDP data inputs.


GET

List enabled and disabled UDP data inputs.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index Index to store generated events.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/udp

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/services/data/inputs/udp</id>
  <updated>2011-07-08T14:11:57-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/udp/_new" rel="create"/>
  <link href="/services/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44000</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44000</id>
    <updated>2011-07-08T14:11:57-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44000/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create a new UDP data input.

Request parameters

Name Datatype Default Description
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
name String Required. The UDP port that this input should listen on.
no_appending_timestamp Boolean If set to true, prevents Splunk software from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk software does not remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp -d name=44321

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:13-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/udp/{name}

https://<host>:<mPort>/services/data/inputs/udp/{name}


Manage the {name} UDP host or port.


DELETE

Disable the named UDP data input and remove it from the configuration.

Request parameters
None


Returned values
None

Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:53-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

List the properties of a single UDP data input port or host:port {name}.

Usage details
If port is restricted to a host, {name} should be URI-encoded host:port.

Request parameters
None

Returned values

Name Description
_rcvbuf Socket receive buffer size (bytes).
disabled Input disabled indicator: 0 = Input Not disabled, 1 = Input disabled.
group Set to listenerports for listening ports.
host Host from which the indexer gets data.
index Index to store generated events.


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:27-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>44321</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321</id>
    <updated>2011-07-08T14:12:27-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/connections" rel="connections"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/44321/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="_rcvbuf">1572864</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>connection_host</s:item>
                <s:item>host</s:item>
                <s:item>index</s:item>
                <s:item>no_appending_timestamp</s:item>
                <s:item>no_priority_stripping</s:item>
                <s:item>queue</s:item>
                <s:item>source</s:item>
                <s:item>sourcetype</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="group">listenerports</s:key>
        <s:key name="host">MrT</s:key>
        <s:key name="index">default</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Edit properties of the named UDP data input.

Request parameters

Name Datatype Default Description
connection_host Enum ip Valid values: (ip | dns | none)

Set the host for the remote server that is sending data.

ip sets the host to the IP address of the remote server sending data.

dns sets the host to the reverse DNS entry for the IP address of the remote server sending data.

none leaves the host as specified in inputs.conf, which is typically the Splunk system hostname.

Default value is ip.

disabled Boolean Indicates if the input is disabled.
host String The value to populate in the host field for incoming events.

This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time.

index String default Which index events from this input should be stored in.
no_appending_timestamp Boolean If set to true, prevents Splunk software from prepending a timestamp and hostname to incoming events.
no_priority_stripping Boolean If set to true, Splunk software does not remove the priority field from incoming syslog events.
queue String Which queue events from this input should be sent to. Generally this does not need to be changed.
restrictToHost String Restrict incoming connections on this port to the host specified here.

If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used.

source String The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs.
sourcetype String The value to populate in the sourcetype field for incoming events.


Returned values
None


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321 -d sourcetype=syslog

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-08T14:12:47-07:00</updated>
  <generator version="102807"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



data/inputs/udp/{name}/connections

https://<host>:<mPort>/services/data/inputs/udp/{name}/connections


List connections to the {name} host or port.

GET

List connections to the {name} host or port.

Request parameters
None

Returned values

Name Description
disabled Indicates whether the inputs are disabled.
group Set to 'listenerports' for listening ports.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/9998/connections

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>udp</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
  <updated>2011-07-13T17:08:18-07:00</updated>
  <generator version="103477"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>127.0.0.1</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/127.0.0.1</id>
    <updated>2011-07-13T17:08:18-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="group">hosts</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/win-event-log-collections

https://<host>:<mPort>/services/data/inputs/win-event-log-collections


Provides access to all configured event log collections.


GET

Retrieve a list of configured event log collections.


Request parameters

Name Datatype Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
disabled Indicates if the input is disabled.
hosts Hosts you are monitoring.
index Index to store data.

If not specified defaults to the default index.

logs List of event log channels to monitor.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/win-event-log-collections

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:26:47-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:26:47-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create or modify existing event log collection settings.

Usage details
You can configure both native and WMI collections with this endpoint.

Request parameters

Name Datatype Default Description
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String List of event log names from which to gather data:
  • WMI collection format (CSV) example:
    logs=Application%2CSystem%2CSetup%2CSecurity
  • Native event log collection format example:
    logs=Application&logs=System&logs=Setup
lookup_host String Required. Host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.
name String Required. Collection name. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI.


Returned values

Name Description
disabled Indicates if the input is disabled.
hosts Monitored hosts.
index Index to store data.
logs List of event log channels to monitor.
lookup_host Host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections -d lookup_host=localhost -d name=mylogs -d logs=Application,System

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T11:56:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T11:56:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/win-event-log-collections/{name}

https://<host>:<mPort>/services/data/inputs/win-event-log-collections/{name}


Manage the {name} Windows event log.


DELETE

Deletes an event log collection.


Request parameters
None

Returned values
None

Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:45:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Gets event log collection configurations.


Request parameters

Name Datatype Default Description
lookup_host String For internal use. Used by the UI when editing the initial host from which we gather event log data.


Returned values

Name Description
disabled Indicates if the input is disabled.
hosts Monitored hosts.
index Index to store data.

If not specified defaults to the default index.

logs List of event log channels to monitor.
lookup_host Host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T12:00:38-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>mylogs</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs</id>
    <updated>2011-07-27T12:00:38-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>hosts</s:item>
                <s:item>index</s:item>
                <s:item>logs</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="hosts"/>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application,System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">mylogs</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Modify an existing event log collection.


Request parameters

Name Datatype Default Description
hosts String A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter.
index String default The index in which to store the gathered data.
logs String A comma-separated list of event log names to gather data from.
lookup_host String Required. This is a host from which we monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter.

Returned values

Name Description
disabled Indicates if the input is disabled.
hosts Monitored hosts.
index Index to store data.
logs List of event log channels to monitor.
lookup_host Host from which to monitor log events.
name The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs -d lookup_host=localhost -d logs=Application

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-event-log-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
  <updated>2011-07-27T13:43:46-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>localhost</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
    <updated>2011-07-27T13:43:46-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="hosts">localhost</s:key>
        <s:key name="index">default</s:key>
        <s:key name="logs">
          <s:list>
            <s:item>Application</s:item>
            <s:item>ForwardedEvents</s:item>
            <s:item>HardwareEvents</s:item>
            <s:item>Internet Explorer</s:item>
            <s:item>Security</s:item>
            <s:item>Setup</s:item>
            <s:item>System</s:item>
          </s:list>
        </s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">localhost</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/win-wmi-collections

https://<host>:<mPort>/services/data/inputs/win-wmi-collections


Access configured WMI collections.


GET

Access configured WMI collections.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
class The WMI performance object class being monitored.
disabled Indicates whther the input is disbled.
fields The WMI performance counters being monitored.
index The index to which you are sending input data.
instances Instances of the WMI performance counter.
interval The interval, in seconds, at which the WMI provider(s) are queried.
name the name of the input.
server The server you are monitoring.
wql The actual WQL query for monitoring the performance object.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/win-wmi-collections

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:00:24-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/services/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:00:24-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="class">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="fields">
          <s:list>
            <s:item>PercentProcessorTime</s:item>
            <s:item>PercentUserTime</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list>
            <s:item>_Total</s:item>
          </s:list>
        </s:key>
        <s:key name="interval">3</s:key>
        <s:key name="name"/>
        <s:key name="server">localhost</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Create or modify existing WMI collection settings.


Request parameters

Name Datatype Default Description
classes String Required. A valid WMI class name.
disabled Number 0 Disables the given collection.
fields String 1. * Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String default The index in which to store the gathered data.
instances String empty Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

interval Number Required. The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host String Required. This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter.
name String Required. This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data.
server String localhost A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host.


Returned values

Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host Host from which to monitor log events.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d name=cpu

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:05:43-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>CPUTime</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
    <updated>2011-07-27T14:05:43-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="index">default</s:key>
        <s:key name="interval">3</s:key>
        <s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/win-wmi-collections/{name}

https://<host>:<mPort>/services/data/inputs/win-wmi-collections/{name}


Manage the {name} WMI collection.


Method summary

Method Description Formats
DELETE Deletes a given collection. XML, JSON
GET Gets information about a single collection. XML, JSON
POST Modifies a given WMI collection. XML, JSON

DELETE

Delete a given collection.

Usage details
The method returns HTTP status code = 400, if {name} does not exist.


Request parameters
None


Returned values

None

Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:21:17-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Get information about a single collection.


Request parameters
None

Returned values

Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host Host from which to monitor log events.
name Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers frpm which to gather data from. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:09:39-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:09:39-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>disabled</s:item>
                <s:item>fields</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>server</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>classes</s:item>
                <s:item>interval</s:item>
                <s:item>lookup_host</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Modify a collection.

Request parameters

Name Datatype Default Description
classes String Required. A valid WMI class name.
disabled Number Disables the given collection.
fields String Properties (fields) that you want to gather from the given class.

Specify each property as a separate argument to the POST operation.

index String The index in which to store the gathered data.
instances String Instances of a given class for which data is gathered.

Specify each instance as a separate argument to the POST operation.

interval Number Required. The interval, in seconds, at which the WMI provider(s) is queried.
lookup_host String Required. This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter.
server String A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter.


Returned values

Name Description
classes A valid WMI class name.
disabled Indicates if the input is disabled.
fields Properties (fields) that you want to gather from the given class.
index The index in which to store the gathered data.
instances Instances of a given class for which data is gathered.
interval The interval, in seconds, at which the WMI provider(s) are queried.
lookup_host Host from which to monitor log events.
name Collection name. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI.
server Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host.
wql The actual WQL query for monitoring the performance object.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d server=xx.1.5.157,10.1.5.158

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-wmi-collections</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
  <updated>2011-07-27T14:15:33-07:00</updated>
  <generator version="103620"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>cpu</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
    <updated>2011-07-27T14:15:33-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="fields">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">5</s:key>
        <s:key name="lookup_host">localhost</s:key>
        <s:key name="name">cpu</s:key>
        <s:key name="server"/>
        <s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/win-perfmon

https://<host>:<mPort>/services/data/inputs/win-perfmon


Access and manage performance monitoring configurations. This input allows you to poll Windows performance monitor counters.


GET

Get current performance monitoring configuration details.


Request parameters
Pagination and filtering parameters can be used with this method.


Returned values

Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
nonmetric_counters List of valid Performance Monitor counters.
object A valid Performance Monitor object as defined within Performance Monitor.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/inputs/win-perfmon

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/services/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:42:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/services/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:42:06-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list>
            <s:item>Available Bytes</s:item>
          </s:list>
        </s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Update performance monitoring collection settings.

Request parameters

Name Datatype Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
name
required
String This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data.
object String A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.')
source String Source for inputs.
sourcetype String Source type of input.


Returned values

Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
nonmetric_counters List of valid Performance Monitor counters.
object A valid Performance Monitor object as defined within Performance Monitor.
source Source for inputs.
sourcetype Source type of the input.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon -d interval=4 -d name=mymemory -d object=Memory

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:40:38-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:40:38-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/inputs/win-perfmon/{name}

https://<host>:<mPort>/services/data/inputs/win-perfmon/{name}


Manage the {name} performance monitoring stanza.


DELETE

Delete a given monitoring stanza.


Request parameters
None

Returned values
None


Example request and response


XML Request

curl -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:47:06-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
</feed>



GET

Get settings for a given performance stanza.


Request parameters
None


Returned values

Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How often, in seconds, to poll for new data.
nonmetric_counters List of valid Performance Monitor counters.
object A valid Performance Monitor object as defined within Performance Monitor.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:44:21-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>mymemory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory</id>
    <updated>2011-07-29T19:44:21-07:00</updated>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="list"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">
          <s:list/>
        </s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>counters</s:item>
                <s:item>disabled</s:item>
                <s:item>index</s:item>
                <s:item>instances</s:item>
                <s:item>interval</s:item>
                <s:item>object</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="index">default</s:key>
        <s:key name="instances">
          <s:list/>
        </s:key>
        <s:key name="interval">4</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



POST

Modify an existing monitoring stanza.


Request parameters

Name Datatype Default Description
counters String A set of counters to monitor. A '*' is equivalent to all counters.

Specify each counter as a separate argument to the POST operation.

host String Docs-W8R2-Std7 Name of the host for the Windows Performance Monitor.
index String default The index in which to store the gathered data.
instances String A set of counter instances to monitor. A '*' is equivalent to all instances.

Specify each instance as a separate argument to the POST operation.

interval Number How frequently, in seconds, to poll for new data.
object String A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.')
source String Source for inputs.
sourcetype String Source type of input.


Returned values

Name Description
counters List of valid Performance Monitor counters.
disabled Indicates whether the input is disabled.
host Name of the host for the Windows Performance Monitor.
index The index that this input should send data to.

If no value is present, send data to the default index.

instances List of valid instances for a Performance Monitor counter.
interval How frequently, in seconds, to poll for new data.
nonmetric_counters List of valid Performance Monitor counters.
object A valid Performance Monitor object as defined within Performance Monitor,
source Source for inputs.
sourcetype Source type of the input.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory -d interval=10

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>win-perfmon</title>
  <id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
  <updated>2011-07-29T19:45:59-07:00</updated>
  <generator version="104976"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
  <link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>Available Memory</title>
    <id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
    <updated>2011-07-29T19:45:59-07:00</updated>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="counters">Available Bytes</s:key>
        <s:key name="disabled">1</s:key>
        ... eai:acl node elided ...
        <s:key name="instances"/>
        <s:key name="interval">10</s:key>
        <s:key name="object">Memory</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



data/modular-inputs

https://<host>:<mPort>/services/data/modular-inputs

Access currently defined modular inputs on the system.


For more information, refer to Modular inputs: Introspection scheme details in Developing Views and Apps for Splunk Web.


GET

Get information about configured modular inputs.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
description Provides descriptive text for title shown on the Data inputs manager page.

The description also appears on the Add new data inputs page.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.
streaming_mode Indicates the streaming mode for the modular input. Valid values are xml and simple.
title The label for a modular input script. The title appears on the Data inputs manager page.


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/modular-inputs

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>modular-inputs</title>
  <id>https://localhost:8089/services/data/modular-inputs</id>
  <updated>2012-07-09T09:12:41-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
   ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>s3</title>
    <id>https://localhost:8089/services/data/modular-inputs/s3</id>
    <updated>2012-07-09T09:12:41-07:00</updated>
    <link href="/services/data/modular-inputs/s3" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/modular-inputs/s3" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Amazon S3.</s:key>
        ... eai:acl node elided ...
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="key_id">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Amazon key ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Key ID</s:key>
                  </s:dict>
                </s:key>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description"><![CDATA[An S3 resource name without the leading s3://.  For example, for s3://bucket/file.txt specify bucket/file.txt.  You can also monitor a whole bucket (for example by specifying 'bucket'), or files within a sub-directory of a bucket (for example 'bucket/some/directory/'; note the trailing slash).]]></s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Resource name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="secret_key">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Amazon secret key.</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Secret key</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">xml</s:key>
        <s:key name="title">Amazon S3</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/modular-inputs/twitter</id>
    . . . elided . . .
  </entry>
</feed>



data/modular-inputs/{name}

https://<host>:<mPort>/services/data/modular-inputs/{name}

Get information about the {name} modular input.


GET

Get information about a modular input.


Request parameters

None


Returned values

Name Description
description The label for a modular input script.

The label appears in the Data inputs manager page.

endpoint Contains one or more <arg> elements, which define the parameters to an endpoint.
streaming_mode Indicates the streaming mode for the modular input. Valid values are xml or simple (plain text).

Contains one or more <arg> elements, which define the parameters to an endpoint.

title The label for a modular input script. The label appears in the Data inputs manager page.

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/data/modular-inputs/twitter

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>modular-inputs</title>
  <id>https://localhost:8089/services/data/modular-inputs</id>
  <updated>2012-07-09T11:07:29-07:00</updated>
  <generator build="129290" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>twitter</title>
    <id>https://localhost:8089/services/data/modular-inputs/twitter</id>
    <updated>2012-07-09T11:07:29-07:00</updated>
    <link href="/services/data/modular-inputs/twitter" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/data/modular-inputs/twitter" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="description">Get data from Twitter.</s:key>
        ... eai:acl and eai:attribute nodes elided ...
        <s:key name="endpoint">
          <s:dict>
            <s:key name="args">
              <s:dict>
                <s:key name="name">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
                    <s:key name="order">0</s:key>
                    <s:key name="title">Twitter feed name</s:key>
                  </s:dict>
                </s:key>
                <s:key name="password">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your twitter password</s:key>
                    <s:key name="order">2</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Password</s:key>
                  </s:dict>
                </s:key>
                <s:key name="username">
                  <s:dict>
                    <s:key name="data_type">string</s:key>
                    <s:key name="description">Your Twitter ID.</s:key>
                    <s:key name="order">1</s:key>
                    <s:key name="required_on_create">1</s:key>
                    <s:key name="required_on_edit">0</s:key>
                    <s:key name="title">Twitter ID/Handle</s:key>
                  </s:dict>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="streaming_mode">simple</s:key>
        <s:key name="title">Twitter</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



indexing/preview

https://<host>:<mPort>/services/indexing/preview


Preview events from a source file before you index the file.

The edit_monitor or edit_upload_and_index capabilities are required for this endpoint.


GET

Return a list of all data preview jobs.

Usage details

Data returned includes the Splunk management URI to access each preview job.

You can check the status of a data preview job with GET request to /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. You can also use the data preview job ID as the search_id parameter in a GET request to /search/jobs/{search_id}/results_preview to preview events from the source file.


Request parameters
None


Returned values
None

Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/indexing/preview

XML Response

<title>preview</title>
  <id>https://localhost:8089/services/indexing/preview</id>
  <updated>2011-11-28T14:35:35-08:00</updated>
  <generator version="108769"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>1322518170.8</title>
    <id>https://localhost:8089/services/indexing/preview/1322518170.8</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322518170.8" rel="alternate"/>
    <link href="/services/search/jobs/1322518170.8" rel="job"/>
  </entry>
  <entry>
    <title>1322519686.9</title>
    <id>https://localhost:8089/services/indexing/preview/1322519686.9</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322519686.9" rel="alternate"/>
    <link href="/services/search/jobs/1322519686.9" rel="job"/>
  </entry>
  <entry>
    <title>1322519724.10</title>
    <id>https://localhost:8089/services/indexing/preview/1322519724.10</id>
    <updated>2011-11-28T14:35:35-08:00</updated>
    <link href="/services/indexing/preview/1322519724.10" rel="alternate"/>
    <link href="/services/search/jobs/1322519724.10" rel="job"/>
  </entry>



POST

Create a preview data job for the specified source file, returning the preview data job ID.


Usage details
Typically, you first examine preview data events returned from GET /search/jobs/{job_id}events. Then you define new sourcetypes as needed with this endpoint.

Use the POST operation to create a data preview job and return the corresponding data preview job ID. Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.

You can optionally define sourcetypes for a preview data job in props.conf.


Request parameters

Name Datatype Default Description
input.path String Required. The absolute file path to a local file that you want to preview data returned from indexing.
props.<props_attr> String Define a new sourcetype in props.conf for preview data that you are indexing.


Returned values
None


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/indexing/preview -d input.path=/Applications/splunk/var/log/splunk/metrics.log

XML Response

<response>
  <messages>
    <msg type='INFO'>1319496093.11</msg>
  </messages>
</response>



indexing/preview/{job_id}

https://<host>:<mPort>/services/indexing/preview/{job_id}


Get props.conf file settings for the {job_id} job.


GET

Get props.conf file settings for a job.

Request parameters
None


Returned values
None


Example request and response


XML Request

curl -u admin:pass https://localhost:8089/services/indexing/preview/1319496093.11

XML Response

<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>1319496093.11</title>
  <id>https://localhost:8089/services/indexing/preview/1319496093.11</id>
  <updated>2011-10-24T15:44:09-07:00</updated>
  <link href="/services/indexing/preview/1319496093.11" rel="alternate"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="explicit">
        <s:dict>
          <s:key name="PREFERRED_SOURCETYPE">
            <s:dict>
              <s:key name="value">splunkd</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="inherited">
        <s:dict>
          <s:key name="ANNOTATE_PUNCT">
            <s:dict>
              <s:key name="value">True</s:key>
              <s:key name="stanza">default</s:key>
            </s:dict>
          </s:key>
          . . . elided . . .
          <s:key name="sourcetype">
            <s:dict>
              <s:key name="value">splunkd</s:key>
              <s:key name="stanza">source::.../var/log/splunk/metrics.log(.\d+)?</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
    </s:dict>
  </content>
  <link href="/services/search/jobs/1319496093.11" rel="job"/>
</entry>



receivers/simple

https://<host>:<mPort>/services/receivers/simple

Allows for sending events to Splunk in an HTTP request.


Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.


POST

Create events from the contents contained in the HTTP body.


Request parameters

Name Datatype Default Description
<arbitrary_data> String Required. Raw event text. This is the entirety of the HTTP request body.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String default The destination index where events are sent.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.


Returned values
None


Example request and response


XML Request

curl -u admin:pass "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" -d "Sun Jul 10 15:56:02 PDT 2011   User myusername logged in successfully."

XML Response

<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>default</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>67</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>127.0.0.1</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>www</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>web_event</text>
        </value>
      </field>
    </result>
  </results>
</response>



receivers/stream

https://<host>:<mPort>/services/receivers/stream


Open a socket to receive streaming data.

Authentication and authorization
The edit_tcp or edit_tcp_stream capabilities are required for this endpoint.


POST

Create events from the stream of data following HTTP headers.


Usage details

Data transfer continues until you enter <CTRL-C>.

For streaming connections, set streaming and x-splunk-input-mode arguments in the header.

For HTTP uploads, if the caller passes a content-type of "multipart/form data", the HTTP file upload protocol is used and files are indexed.


Request parameters

Name Datatype Default Description
<data_stream> String Required. Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available.
host String The value to populate in the host field for events from this data input.
host_regex String A regular expression used to extract the host value from each event.
index String The index to send events from this input to.
source String The source value to fill in the metadata for this input's events.
sourcetype String The sourcetype to apply to events from this input.


Returned values
None


Example


Python Request

import httplib, time

conn = httplib.HTTPSConnection("localhost", 8089)
conn.connect()
conn.putrequest("POST", "/services/receivers/stream?source=www&sourcetype=web_data")
conn.putheader("Authorization", "Splunk 67bed982ce1af9ba2e393b15ed63c916")
conn.putheader("x-splunk-input-mode", "streaming")
conn.endheaders()

i = 0
while i < 100:
   conn.send("%s A sample event (idx: %s).\n" % (time.asctime(), i))
   time.sleep(1)
   i += 1

conn.close()



server/pipelinesets

https://<host>:<mPort>/services/server/pipelinesets

Provides information on the ingestion pipeline sets on an indexer.

Authentication and authorization
The list_pipeline_sets capability is required for this endpoint.

Usage details
See Manage pipeline sets for index parallelization in Managing Indexers and Clusters of Indexers.

GET

Query the status of pipeline sets.

Request parameters
None

Returned values

Name Description
busiest_thread_name The name of the busiest pipeline thread within the pipeline set for past calculation period.
dutycycle_ratio The dutycycle ratio of the busiest pipeline thread within the pipeline set for past calculation period.
requests_last_period The number of ingestion requests processed by the pipeline set in the past calculation period.
share The relative probability of selection of the pipeline set for the past calculation period.


Example request and response

XML Request

curl -k -u admin:changeme https://ronnie:8178/services/server/pipelinesets

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>server-pipeline-sets</title>
  <id>https://ronnie:8178/services/server/pipelinesets</id>
  <updated>2019-02-20T12:24:55-08:00</updated>
  <generator build="62a7f5ca3846ba6f152b123cfab9d4432e97a4a2" version="20190219"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>ingest_pipe_0</title>
    <id>https://ronnie:8178/services/server/pipelinesets/ingest_pipe_0</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/server/pipelinesets/ingest_pipe_0" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/server/pipelinesets/ingest_pipe_0" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="busiest_thread_name">indexerPipe</s:key>
        <s:key name="dutycycle_ratio">0.0017552064875708618</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list/>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="requests_last_period">0</s:key>
        <s:key name="share">1</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

services/collector

<protocol>://<host>:<mPort>/services/collector

Send events to HTTP Event Collector using the Splunk platform JSON event protocol.

By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Note: When using an ACK-enabled token, an ackID is returned within a JSON object in the response. For example, {"ackID": "0"} indicates an ackID of 0. Use the ackID to query the services/collector/ack endpoint to verify event indexing. For more information, see services/collector/ack.

Authorization
Requires an HTTP Event Collector token or basic auth, as defined in RFC 1945. See request examples for more details.


See also


POST

Send events to the HTTP Event Collector.

Usage details

HTTP Event Collector functionality must be enabled to send events.

To send events to the HTTP Event Collector, you must provide an HTTP Event Collector token in the authorization header. The token is created using the data/inputs/http endpoint. You can then retrieve the token with a GET request on the data/inputs/http/{name} endpoint, where {name} is the name of your token. Include the authentication token in the request header using the following format: Authorization: Splunk <token>. The format is case-sensitive.

Use the Splunk search application to view the logged events. For example, use index=main | search sourcetype=access to view all logged events with a sourcetype of access.

For performance reasons, the data input endpoint follows a simple error handling model. It assumes that in most cases it receives a well-formed event data payload. If there is malformed event data in the payload, events continue to be extracted until an error is encountered. Processing stops immediately on an error and the error and number of payload events processed successfully are reported. Events processed before the error are sent to indexers and all events after the first error are dropped.


Request parameters

Name Datatype Description
channel See description Required if useAck is enabled. Pass in the channel GUID as a string parameter or using the "x-splunk-request-channel" header.
event string Required. Event payload key-value. Value can be a string or a JSON object.

JSON example: {"event": {"message":"Access log test message"}}
String example: "event": "Access log test message."

fields JSON object Fields for indexing that do not occur in the event payload itself. You can use this parameter when you do not want particular fields to be included in the event data, but you need additional metadata for indexing and searching.

Specify one or more additional fields to include for indexing with the event payload. For each field, use a key to specify the name and include one or more values. Specify multiple values in an array.

In the following example, the "severity" field gets the value "INFO" and the "category" key gets both "foo" and "bar" values.
-d {"event": "something happened", "fields": {"severity": "INFO", "category": ["foo", "bar"]}}

host string Host name. Specify with the host query string parameter. Sets a default for all events in the request. The default host name can be overridden.
index string Index name. Specify with the index query string parameter. Sets a default for all events in the request. The default index name can be overridden.
source string User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden.
sourcetype string User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden.
time string or unsigned integer Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden.


Returned values

Name Description
text Human readable status, same value as code.
code Machine format status, same value as text.
invalid-event-number When errors occur, indicates the zero-based index of first invalid event in an event sequence.
ackId If useACK is enabled for the token, indicates the ackId to use for checking an indexer acknowledgement.

Response status codes

The following status codes have particular meaning for all HTTP Event Collector endpoints:

Status Code HTTP status code ID HTTP status code Status message
0 200 OK Success
1 403 Forbidden Token disabled
2 401 Unauthorized Token is required
3 401 Unauthorized Invalid authorization
4 403 Forbidden Invalid token
5 400 Bad Request No data
6 400 Bad Request Invalid data format
7 400 Bad Request Incorrect index
8 500 Internal Error Internal server error
9 503 Service Unavailable Server is busy
10 400 Bad Request Data channel is missing
11 400 Bad Request Invalid data channel
12 400 Bad Request Event field is required
13 400 Bad Request Event field cannot be blank
14 400 Bad Request ACK is disabled
15 400 Bad Request Error in handling indexed fields
16 400 Bad Request Query string authorization is not enabled


Example response messages

Success:

    {"text":"Success","code":0}

Failure:

    {"text":"Incorrect data format","code":5,"invalid-event-number":0}


Example request and response


JSON Request

curl https://localhost:8089/services/collector -H 'Authorization: Splunk 3DEA16E1-413A-46C2-A74F-E79DC3DF3CA2' -d '{"sourcetype":"access", "source":"/var/log/access.log", "event": {"message":"Access log test message"}} {"sourcetype":"access", "source":"/var/log/access.log", "event": {"message":"Access log test message 2"}}'

JSON Response


{"text":"Success","code":0}


JSON Response
For index=main | search sourcetype=access



Time 		Event
1/26/15
10:07:09.000 PM 	
		{ [-]
		   message: Access log test message 2
		}

1/26/15
10:07:09.000 PM 	
		{ [-]
		   message: Access log test message
		}

Request including the fields parameter

curl https://localhost:8088/services/collector? 
-H 'Authorization: Splunk 46931F1C-352C-4DF6-820C-F2689CF88494'
-d '{"event":"something happened", "fields":{"severity":"INFO", "category":["foo","bar"]}}'


Basic auth request

curl -u x:46931F1C-352C-4DF6-820C-F2689CF88494 
https://localhost:8088/services/collector/JSON
-d 'Hello World'



services/collector/ack

<protocol>://<host>:<mPort>/services/collector/ack


Query event indexing status.

For events sent using HTTP Event Collector, check event indexing status. Requests must use a valid channel ID and authorization token with useACK enabled. An event ACK ID, returned in response to a POST to services/collector, is also required.

By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Authentication and authorization
Requires an HTTP Event Collector <Token>.


GET

Get HTTP Event Collector event indexing status.


Request parameters

Parameter Datatype Description
channel See description Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
"acks" JSON object Required. JSON object with an array of ack ID values. Include in the request payload.


Returned values

Name Description
acks Contains the key/value pairs for each ACK ID requested. For each key in the "acks" object, a true value means the ACK ID's events were indexed. A false value means that indexing status is unknown. For example, an event may have an indexing delay long enough that it is no longer tracked.

Here is an example response.
{"acks" : { "0" : true, "1" : false, "2" : true, "3" : false}}


Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.

Example requests and responses

For application token = B48F6736-479F-486B-96F9-3EF8C6378E70.

Note: useACK must be enabled on the token for use with this endpoint.

JSON request

curl https://localhost:8088/services/collector/ack?channel=2AC79941-CB26-421C-8826-F57AE23E9702 -H "Authorization: Splunk B48F6736-479F-486B-96F9-3EF8C6378E70" -d '{"acks":[0,1]}'

JSON response body

{"acks":{"0":true,"1":true}}

services/collector/event

Sends timestamped events to HTTP Event Collector using the Splunk platform JSON event protocol when auto_extract_timestamp is set to "true" in the /event URL.

  • An example of a timestamp is: 2017-01-02 00:00:00.
  • If there is a timestamp in the event's JSON envelope, Splunk honors that timestamp first.
  • If there is no timestamp in the event's JSON envelope, the merging pipeline extracts the timestamp from the event.
  • If "time=xxx" is used in the /event URL then auto_extract_timestamp is disabled.
  • Splunk supports timestamps using the Epoch format.

services/collector/event/1.0

This endpoint works identically to services/collector/event but introduces a protocol version for future scalability. For more information, see services/collector.

services/collector/health

<protocol>://<host>:8088/services/collector/health

This endpoint checks if HEC is healthy and able to accept new data from a load balancer. HEC health is determined if there is space available in the queue.

This endpoint works identically to services/health/1.0, except services/health/1.0 introduces a format version for future scalability. For more information, see services/collector/health/1.0.

Usage details

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


Response codes

Status Code Description
200 HEC is available and accepting input
17 HEC is available and accepting input
503 HEC is unhealthy, queues are full

services/collector/health/1.0

<protocol>://<host>:8088/services/collector/health/1.0

This endpoint checks if HEC is healthy and able to accept new data from a load balancer. HEC health is determined if there is space available in the queue.

This endpoint works identically to services/health but introduces a protocol version for future scalability. For more information, see services/collector/health.

Usage details

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


Response codes

Status Code Description
200 HEC is available and accepting input
17 HEC is available and accepting input
503 HEC is unhealthy, queues are full

services/collector/mint

<protocol>://<host>:<mPort>/services/collector/mint

Post MINT formatted data to the HTTP Event Collector. The authorization header contains the authorization scheme and application token. The HTTP POST body contains event data in the MINT payload format.


Authentication and authorization
Requires an HTTP Event Collector <token>.


Note: By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


POST

Post MINT formatted data.


Request parameters

Name Datatype Description
host String Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden.
index String Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden.
source String User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden.
sourcetype string User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden.
time string or unsigned integer Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden.

Returned values

None

Response status codes

Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.

Example request and response

Observe that the POST request is made to port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

MINT

For application token = B5A79AAD-D822-46CC-80D1-819F80D7BFB0

MINT Request

curl http://localhost:8088/services/collector/mint -H 'Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0' -d '{"data":"hello"}{^1^log^1433256}'

services/collector/mint/1.0

This endpoint works identically to receivers/token/mint but introduces a protocol version for future scalability.

[ Top ]


services/collector/raw

<protocol>://<host>:<mPort>/services/collector/raw


Send raw data directly to the HTTP Event Collector. This endpoint allows one or more raw events to be sent in a single request. Events are parsed using regex or JSON extraction. JSON field extraction works at index time.

Usage details

Channel
This endpoint requires a data channel GUID to differentiate data from different clients. Generate a GUID and provide it in a POST request as a custom HTTP header or as a parameter.

If a channel is not provided in the POST request, an error response is sent. Only valid GUIDs can be used. An error message is returned if GUID validation fails.

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Authentication and authorization
Requires an HTTP Event Collector token or basic auth, as defined in RFC 1945. See request examples for more details.


POST

Send raw data to the to the indexer queue. Requires a data channel GUID, provided as a custom HTTP header or request parameter.


Request parameters

Name Datatype Description
channel See description. Required. Pass in the channel GUID as the channel string parameter or using the x-splunk-request-channel header.
host String Host name. Specify with the host query string parameter. Sets a default for all events in the request. Can be overridden.
index String Index name. Specify with the index query string parameter. Sets a default for all events in the request. Can be overridden.
source String User-defined event source. Specify with the source query string parameter. Sets a default for all events in the request. The default source can be overridden.
sourcetype string User-defined event sourcetype. Specify with the sourcetype query string parameter. Sets a default for all events in the request. The default sourcetype can be overridden.
time string or unsigned integer Epoch-formatted time. Specify with the time query string parameter. Sets a default for all events in the request. The default time can be overridden.


Returned values

None

Response status codes
Several HTTP status codes have particular meaning for all HTTP Event Collector endpoints. See HTTP Status Codes in services/collector.

Example request and response


Note that the following POST request examples are made to port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Simple request
This example passes the channel ID as part of the header.

curl  https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d 'Hello World'}'

Request including a timestamp

curl  https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB 
-H 'Authorization: Splunk 934793C0-FC91-467E-965A-7EAACEFBC4AB' 
-d 'Wed Aug 10 12:27:53 PDT 2016 Hello World'

JSON request with timestamp

curl  https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB 
-H 'Authorization: Splunk 934793C0-FC91-467E-965A-7EAACEFBC4AB' 
-d '{"message":"Hello World", "date":"Wed Aug 10 12:27:53 PDT 2016"}'

Basic auth request

curl -u x:46931F1C-352C-4DF6-820C-F2689CF88494 
https://localhost:8088/services/collector/raw?channel=934793C0-FC91-467E-965A-7EAACEFBC4AB 
-d 'Hello World'


Example JSON Response

{"text":"Success","code":0}

services/collector/raw/1.0

This endpoint works identically to services/collector/raw but introduces a protocol version for future scalability. See services/collector/raw.

services/collector/s2s

Compatible with Splunk Enterprise versions 8.1.0 and higher

<protocol>://<host>:8088/services/collector/s2s

This endpoint receives Splunk TCP data over HTTP from the Splunk Universal Forwarder. Compatible with Splunk 8.1.0 and later.

Usage details

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPs for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


Response codes

Status Code Description
200 HEC is available and accepting input
400 Invalid HEC token
503 HEC is unhealthy, queues are full
Last modified on 01 March, 2023
Federated search endpoint descriptions   Introspection endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters