Splunk® Enterprise 9.2.1

REST API Reference Manual

Input endpoint descriptions

Manage and preview streaming, non-streaming, and other input data.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information, see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud URL for REST API access

Splunk Cloud has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Managed Splunk Cloud deployments

https://<deployment-name>.splunkcloud.com:8089

Self-service Splunk Cloud deployments
To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.

https://input-<deployment-name>.cloud.splunk.com:8089


See Using the REST API in Splunk Cloud in the Splunk REST API Tutorials for more information.


data/ingest/rfsdestinations

https://<host>:<mPort>/services/data/ingest/rfsdestinations

Create/configure, get, or delete an S3 destination for ingest action.

Authentication and authorization
Requires the capabilities list_ingest_rulesets and edit_ingest_rulesets.


DELETE

Deletes the S3 destination.

GET

Gets a list of the S3 destination configuration values.

POST

Creates and configures the S3 destination.


data/ingest/rulesets

https://<host>:<mPort>/services/data/ingest/rulesets

Retrieve a list of your rulesets.


GET

Return a list of your deployed rulesets.

POST

Creates and updates a ruleset.


data/ingest/rulesets/{name}

https://<host>:<mPort>/services/data/ingest/rulesets/{name}

Retrieve a particular ruleset.


GET

Return a named deployed ruleset.

POST

Creates and updates a named ruleset.



data/ingest/rulesets/publish

https://<host>:<mPort>/services/data/ingest/rulesets/publish

Publish ruleset changes on the indexer cluster manager.


POST

Push the ruleset changes into deployment.



data/inputs/ad

https://<host>:<mPort>/services/data/inputs/ad

Access and configure the Active Directory monitoring input.


GET

Get the current Active Directory monitoring configuration.

POST

Create or modify performance monitoring settings.


data/inputs/ad/{name}

https://<host>:<mPort>/services/data/inputs/ad/{name}

Manage {name} Active Directory monitoring.


DELETE

Delete the {name} Active Directory monitoring stanza.


GET

Gets the current configuration for the {name} Active Directory monitoring stanza.


POST

Update the {name} Active Directory monitoring stanza.



data/inputs/all

https://<host>:<mPort>/services/data/inputs/all

Access all inputs to the Splunk deployment. This includes any modular inputs that may be defined on the system.


GET

List all inputs, including modular inputs.


data/inputs/all/{name}

https://<host>:<mPort>/services/data/inputs/all/{name}

Get information about the {name} input source.

GET

List details for the {name} input.


data/inputs/http

https://<host>:<mPort>/services/data/inputs/http


Access or update HTTP Event Collector global configuration tokens and application tokens.

See also

For more information, see details for the following associated endpoints.


GET

Access global configuration information and a list of tokens.


POST

Modify global configuration. Add and modify tokens.


data/inputs/http/{name}

https://<host>:<mPort>/services/data/inputs/http/{name}


Manage the {name} HTTP Event Collector token. HTTP, as in data/inputs/http/http, indicates global configuration.

See also

For more information, see details for the following associated endpoints.


DELETE

Delete a token.


GET

Get token configuration details.


POST

Update token configuration information.


data/inputs/http/{name}/disable

https://<host>:<mPort>/services/data/inputs/http/{name}/disable

Disable the {name} HTTP Event Collector token.

See also


POST

Disable the {name} HTTP Event Collector token.


data/inputs/http/{name}/enable

https://<host>:<mPort>/services/data/inputs/http/{name}/enable

Enable the {name} HTTP Event Collector token.

The POST request to this endpoint reloads the HTTP Event Collector server, including when the server is already enabled and running.

See also


POST

Enable the {name} HTTP Event Collector token.


data/inputs/http/{name}/rotate

https://<host>:<mPort>/services/data/inputs/http/{name}/rotate

Regenerate the {name} token value.


POST

Regenerate the {name} token value.


data/inputs/monitor

https://<host>:<mPort>/services/data/inputs/monitor

Access monitor inputs.


GET

List enabled and disabled monitor inputs.


POST

Create a new file or directory monitor input.


data/inputs/monitor/{name}

https://<host>:<mPort>/services/data/inputs/monitor/{name}

Manage the {name} monitor input.


DELETE

Disable the named monitor data input and remove it from the configuration.


GET

List the properties of a single monitor data input.


POST

Update properties of the named monitor input.


data/inputs/monitor/{name}/members

https://<host>:<mPort>/services/data/inputs/monitor/{name}/members

List {name} monitor input files.


GET

List all files monitored under the named monitor input.


data/inputs/oneshot

https://<host>:<mPort>/services/data/inputs/oneshot

Access oneshot inputs in progress or queue a file for immediate indexing.

GET

Access oneshot inputs in progress.


POST

Queue a file for immediate indexing.


data/inputs/oneshot/{name}

https://<host>:<mPort>/services/data/inputs/oneshot/{name}

Get information about the {name} one-shot input.


GET

Access information about the {name} in-progress oneshot input.


data/inputs/registry

https://<host>:<mPort>/services/data/inputs/registry

Access the Windows registry monitoring input.


GET

Get current registry monitoring configuration details.


POST

Create new or modify existing registry monitoring settings.


data/inputs/registry/{name}

https://<host>:<mPort>/services/data/inputs/registry/{name}

Manage registry monitoring {name} stanza.


DELETE

Delete a registry monitoring configuration stanza.


GET

Gets the current registry monitoring configuration stanza.


POST

Modify the named registry monitoring stanza.


data/inputs/script

https://<host>:<mPort>/services/data/inputs/script

Access scripted inputs.

GET

Get the configuration settings for scripted inputs.


POST

Configure scripted input settings.


data/inputs/script/restart

https://<host>:<mPort>/services/data/inputs/script/restart

Allows for restarting scripted inputs.

POST

Causes a restart on a given scripted input.


data/inputs/script/{name}

https://<host>:<mPort>/services/data/inputs/script/{name}

Manage the {name} scripted input.


DELETE

Removes the {name} scripted input.


GET

Returns the configuration settings for the {name} scripted input.


POST

Configures settings for the {name} scripted input.


data/inputs/tcp/cooked

https://<host>:<mPort>/services/data/inputs/tcp/cooked


Access cooked TCP input information and create new containers for managing cooked data.

Usage details
Forwarders can transmit three types of data: raw, unparsed, or parsed. "Cooked" data refers to parsed and unparsed formats.


GET

Access information about all cooked TCP inputs.


POST

Create a new container for managing cooked data.


data/inputs/tcp/cooked/{name}

https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}


Manage cooked TCP inputs for the {name} host or port.


DELETE

Remove the cooked TCP inputs for port or host:port specified by {name}.


GET

Access information for the {name} cooked TCP input.


POST

Update the container for managing cooked data.


data/inputs/tcp/cooked/{name}/connections

https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}/connections

Get active connections to the {name} port.


GET

List active connections to the {name} port.


data/inputs/tcp/raw

https://<host>:<mPort>/services/data/inputs/tcp/raw


Container for managing raw TCP inputs from forwarders.

Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.


Authentication and authorization
The edit_tcp capability is required for this endpoint.


GET

Get information about all raw TCP inputs.


POST

Create a new data input for accepting raw TCP data.


data/inputs/tcp/raw/{name}

https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}

Manage raw inputs for the {name} host or port.

Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.


DELETE

Remove the raw inputs for port or host:port specified by {name}.


GET

Returns information about raw TCP input port {name}.


POST

Updates the container for managing raw data.


data/inputs/tcp/raw/{name}/connections

https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}/connections

Get active connections to the {name} host or port.


Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.


GET

View all connections to the named data input.


data/inputs/tcp/splunktcptoken

https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken

Manage receiver access using tokens.

Usage details
Get information on all receiver tokens or create a new token. To edit or delete an existing token, see data/inputs/tcp/splunktcptoken/{name}.

Note: Configure the forwarder with the same token as the receiver to ensure that the forwarder receives data.

Authentication and Authorization:
The edit_splunktcp_token capability is required for this endpoint.


GET

Return all configured tokens.


POST

Create a new token.



data/inputs/tcp/splunktcptoken/{name}

https://<host>:<mPort>/services/data/inputs/tcp/splunktcptoken/{name}

Manage existing receiver tokens.

Authentication and Authorization
The edit_splunktcp_token capability is required for this endpoint.


GET

Access token information.


POST

Update the {name} token.


DELETE

Delete the {name} token.


data/inputs/tcp/ssl

https://<host>:<mPort>/services/data/inputs/tcp/ssl

Provides access to the SSL configuration of a Splunk server.


GET

Get SSL configuration details. There is only one SSL configuration for all input ports.


data/inputs/tcp/ssl/{name}

https://<host>:<mPort>/services/data/inputs/tcp/ssl/{name}


Access or update the SSL configuration for the {name} host.


GET

Returns the SSL configuration for the host {name}.


POST

Configure SSL for the {name} host.


data/inputs/udp

https://<host>:<mPort>/services/data/inputs/udp


Access or create UDP data inputs.


GET

List enabled and disabled UDP data inputs.


POST

Create a new UDP data input.


data/inputs/udp/{name}

https://<host>:<mPort>/services/data/inputs/udp/{name}


Manage the {name} UDP host or port.


DELETE

Disable the named UDP data input and remove it from the configuration.


GET

List the properties of a single UDP data input port or host:port {name}.


POST

Edit properties of the named UDP data input.


data/inputs/udp/{name}/connections

https://<host>:<mPort>/services/data/inputs/udp/{name}/connections


List connections to the {name} host or port.

GET

List connections to the {name} host or port.


data/inputs/win-event-log-collections

https://<host>:<mPort>/services/data/inputs/win-event-log-collections


Provides access to all configured event log collections.


GET

Retrieve a list of configured event log collections.


POST

Create or modify existing event log collection settings.


data/inputs/win-event-log-collections/{name}

https://<host>:<mPort>/services/data/inputs/win-event-log-collections/{name}


Manage the {name} Windows event log.


DELETE

Deletes an event log collection.


GET

Gets event log collection configurations.


POST

Modify an existing event log collection.


data/inputs/win-wmi-collections

https://<host>:<mPort>/services/data/inputs/win-wmi-collections


Access configured WMI collections.


GET

Access configured WMI collections.


POST

Create or modify existing WMI collection settings.


data/inputs/win-wmi-collections/{name}

https://<host>:<mPort>/services/data/inputs/win-wmi-collections/{name}


Manage the {name} WMI collection.


Method summary

| Method | Description | Formats |
| --- | --- | --- |
| DELETE | Deletes a given collection. | XML, JSON |
| GET | Gets information about a single collection. | XML, JSON |
| POST | Modifies a given WMI collection. | XML, JSON |

DELETE

Delete a given collection.


GET

Get information about a single collection.


POST

Modify a collection.


data/inputs/win-perfmon

https://<host>:<mPort>/services/data/inputs/win-perfmon


Access and manage performance monitoring configurations. This input allows you to poll Windows performance monitor counters.


GET

Get current performance monitoring configuration details.


POST

Update performance monitoring collection settings.


data/inputs/win-perfmon/{name}

https://<host>:<mPort>/services/data/inputs/win-perfmon/{name}


Manage the {name} performance monitoring stanza.


DELETE

Delete a given monitoring stanza.


GET

Get settings for a given performance stanza.


POST

Modify an existing monitoring stanza.


data/modular-inputs

https://<host>:<mPort>/services/data/modular-inputs

Access currently defined modular inputs on the system.


For more information, refer to Modular inputs: Introspection scheme details in Developing Views and Apps for Splunk Web.


GET

Get information about configured modular inputs.


data/modular-inputs/{name}

https://<host>:<mPort>/services/data/modular-inputs/{name}

Get information about the {name} modular input.


GET

Get information about a modular input.


indexing/preview

https://<host>:<mPort>/services/indexing/preview


Preview events from a source file before you index the file.

The edit_monitor or edit_upload_and_index capabilities are required for this endpoint.


GET

Return a list of all data preview jobs.


POST

Create a preview data job for the specified source file, returning the preview data job ID.


indexing/preview/{job_id}

https://<host>:<mPort>/services/indexing/preview/{job_id}


Get props.conf file settings for the {job_id} job.


GET

Get props.conf file settings for a job.


receivers/simple

https://<host>:<mPort>/services/receivers/simple

Allows for sending events to Splunk in an HTTP request.


Authentication and authorization
The edit_tcp capability is additionally required for this endpoint.


POST

Create events from the contents contained in the HTTP body.


receivers/stream

https://<host>:<mPort>/services/receivers/stream


Open a socket to receive streaming data.

Authentication and authorization
The edit_tcp or edit_tcp_stream capabilities are required for this endpoint.


POST

Create events from the stream of data following HTTP headers.


server/pipelinesets

https://<host>:<mPort>/services/server/pipelinesets

Provides information on the ingestion pipeline sets on an indexer.

Authentication and authorization
The list_pipeline_sets capability is required for this endpoint.

Usage details
See Manage pipeline sets for index parallelization in Managing Indexers and Clusters of Indexers.

GET

Query the status of pipeline sets.


services/collector

<protocol>://<host>:<mPort>/services/collector

Send events to HTTP Event Collector using the Splunk platform JSON event protocol.

By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Note: When using an ACK-enabled token, an ackID is returned within a JSON object in the response. For example, {"ackID": "0"} indicates an ackID of 0. Use the ackID to query the services/collector/ack endpoint to verify event indexing. For more information, see services/collector/ack.

Authorization
Requires an HTTP Event Collector token or basic auth, as defined in RFC 1945. See request examples for more details.


See also


POST

Send events to the HTTP Event Collector.


services/collector/ack

<protocol>://<host>:<mPort>/services/collector/ack


Query event indexing status.

For events sent using HTTP Event Collector, check event indexing status. Requests must use a valid channel ID and authorization token with useACK enabled. An event ACK ID, returned in response to a POST to services/collector, is also required.

By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Authentication and authorization
Requires an HTTP Event Collector <Token>.


GET

Get HTTP Event Collector event indexing status.


services/collector/event

Sends timestamped events to HTTP Event Collector using the Splunk platform JSON event protocol when auto_extract_timestamp is set to "true" in the /event URL.

  • An example of a timestamp is: 2017-01-02 00:00:00.
  • If there is a timestamp in the event's JSON envelope, Splunk honors that timestamp first.
  • If there is no timestamp in the event's JSON envelope, the merging pipeline extracts the timestamp from the event.
  • If "time=xxx" is used in the /event URL then auto_extract_timestamp is disabled.
  • Splunk supports timestamps using the Epoch format.

services/collector/event/1.0

This endpoint works identically to services/collector/event but introduces a protocol version for future scalability. For more information, see services/collector.

services/collector/health

<protocol>://<host>:8088/services/collector/health

This endpoint checks if HEC is healthy and able to accept new data from a load balancer. HEC is considered healthy if there is space available in the queue.

This endpoint works identically to services/health/1.0, except services/health/1.0 introduces a format version for future scalability. For more information, see services/collector/health/1.0.

Usage details

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


Response codes

| Status Code | Description |
| --- | --- |
| 200 | HEC is available and accepting input |
| 17 | HEC is available and accepting input |
| 503 | HEC is unhealthy, queues are full |

services/collector/health/1.0

<protocol>://<host>:8088/services/collector/health/1.0

This endpoint checks if HEC is healthy and able to accept new data from a load balancer. HEC is considered healthy if there is space available in the queue.

This endpoint works identically to services/health but introduces a protocol version for future scalability. For more information, see services/collector/health.

Usage details

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


Response codes

| Status Code | Description |
| --- | --- |
| 200 | HEC is available and accepting input |
| 17 | HEC is available and accepting input |
| 503 | HEC is unhealthy, queues are full |

services/collector/mint

<protocol>://<host>:<mPort>/services/collector/mint

Post MINT formatted data to the HTTP Event Collector. The authorization header contains the authorization scheme and application token. The HTTP POST body contains event data in the MINT payload format.


Authentication and authorization
Requires an HTTP Event Collector <token>.


Note: By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


POST

Post MINT formatted data.


services/collector/mint/1.0

This endpoint works identically to receivers/token/mint but introduces a protocol version for future scalability.


services/collector/raw

<protocol>://<host>:<mPort>/services/collector/raw


Send raw data directly to the HTTP Event Collector. This endpoint allows one or more raw events to be sent in a single request. Events are parsed using regex or JSON extraction. JSON field extraction works at index time.

Usage details

Channel
This endpoint requires a data channel GUID to differentiate data from different clients. Generate a GUID and provide it in a POST request as a custom HTTP header or as a parameter.

If a channel is not provided in the POST request, an error response is sent. Only valid GUIDs can be used. An error message is returned if GUID validation fails.

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.

Authentication and authorization
Requires an HTTP Event Collector token or basic auth, as defined in RFC 1945. See request examples for more details.


POST

Send raw data to the indexer queue. Requires a data channel GUID, provided as a custom HTTP header or request parameter.
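
The following is an added example, not taken from the Splunk documentation, of preparing a services/collector/raw request on the client: it generates and validates the channel GUID, attaches it as a header or as a parameter, and refuses to place the token on a non-HTTPS URL unless told to. The X-Splunk-Request-Channel header, the channel query parameter and the "Splunk <token>" authorization scheme follow Splunk's HEC request conventions rather than this page; the host, token, function names and the strict GUID form are assumptions.

```python
import re
import uuid
import urllib.request
from collections import namedtuple
from urllib.parse import urlencode, urlsplit

CHANNEL_HEADER = "X-Splunk-Request-Channel"  # custom HTTP header carrying the channel
RAW_PATH = "/services/collector/raw"
# Assumption: accept only the canonical 8-4-4-4-12 hexadecimal form on the client.
_GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

PreparedRequest = namedtuple("PreparedRequest", "url headers body")


def new_channel():
    """Generate a random GUID that identifies this client's data channel."""
    return str(uuid.uuid4())


def validate_channel(channel):
    """Return the channel if it is a canonical GUID; raise ValueError otherwise."""
    if not isinstance(channel, str) or not _GUID_RE.fullmatch(channel):
        raise ValueError("channel must be a GUID, got %r" % (channel,))
    return channel


def build_raw_request(base_url, token, channel, events,
                      channel_as_param=False, allow_plaintext=False):
    """Prepare (but do not send) a POST to services/collector/raw."""
    scheme = urlsplit(base_url).scheme
    if scheme != "https" and not (allow_plaintext and scheme == "http"):
        raise ValueError("refusing to send an HEC token over %r" % scheme)
    if not token or "\r" in token or "\n" in token:
        raise ValueError("token is empty or contains a line break")
    channel = validate_channel(channel)

    url = base_url.rstrip("/") + RAW_PATH
    headers = {"Authorization": "Splunk " + token}
    if channel_as_param:
        url += "?" + urlencode({"channel": channel})
    else:
        headers[CHANNEL_HEADER] = channel
    # Assumption: one event per line; the receiving side's sourcetype
    # configuration decides how the body is actually broken into events.
    body = "\n".join(events).encode("utf-8")
    return PreparedRequest(url, headers, body)


def send(prepared, timeout=10):
    """POST a prepared request; returns the HTTP status (raises on 4xx/5xx)."""
    req = urllib.request.Request(prepared.url, data=prepared.body,
                                 headers=prepared.headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values: placeholder host, token and events.
    prepared = build_raw_request(
        "https://splunk.example.com:8088",
        "00000000-0000-0000-0000-000000000000",
        new_channel(),
        ["2017-01-02 00:00:00 constructed event one",
         "2017-01-02 00:00:01 constructed event two"],
    )
    print(prepared.url)
    print(sorted(prepared.headers))
```

Reuse one channel GUID per client so that its data stays distinguishable from that of other clients.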


services/collector/raw/1.0

This endpoint works identically to services/collector/raw but introduces a protocol version for future scalability. See services/collector/raw.

services/collector/s2s

Compatible with Splunk Enterprise versions 8.1.0 and higher

<protocol>://<host>:8088/services/collector/s2s

This endpoint receives Splunk TCP data over HTTP from the Splunk Universal Forwarder. Compatible with Splunk 8.1.0 and later.

Usage details

Port and protocol
By default, this endpoint works on port 8088 and uses HTTPS for transport. The port and HTTP protocol settings can be configured independently of settings for any other servers in your deployment.


Response codes

| Status Code | Description |
| --- | --- |
| 200 | HEC is available and accepting input |
| 400 | Invalid HEC token |
| 503 | HEC is unhealthy, queues are full |

Last modified on 11 October, 2024
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0