Splunk® Enterprise

REST API Reference Manual

Version 9.2.1
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Knowledge endpoint descriptions

Work with searches and other knowledge objects.

  • Define data configurations indexed and searched by the Splunk platform.
  • Manage how data is handled, using lookups, field extractions, field aliases, sourcetypes, and transforms.
  • Manage saved event types.
  • Manage search field configurations and search time tags.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud Platform URL for REST API access

Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Use the following URL for Splunk Cloud Platform deployments. If necessary, submit a support case using the Splunk Support Portal to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

Free trial Splunk Cloud Platform accounts cannot access the REST API.

See Access requirements and limitations for the Splunk Cloud Platform REST API in the REST API Tutorials manual for more information.


admin/summarization

https://<host>:<mPort>/services/admin/summarization/?by_tstats=1 

Get aggregated details about all accelerated data model summaries.

Authentication and authorization
Authorization to access data model acceleration information is role-based.


GET

Get a list of field:value pairs that provide details about accelerated data models and their summaries.


admin/summarization/tstats:DM_{app}_{data_model_ID}

https://<host>:<mPort>/services/admin/summarization/tstats:DM_{app}_{data_model_ID}

Review information about the summaries of a specific data model. Identify specific data models by providing their app short name and their data model ID.

Authentication and authorization
Authorization to access data model acceleration information is role-based.

GET

Get detailed information about the acceleration summaries of a specific data model. See statistics about data model usage and information about the latest summary creation run.


data/lookup-table-files

https://<host>:<mPort>/services/data/lookup-table-files/


Access lookup table files.

This endpoint is available only in Splunk Enterprise.

GET

List lookup table files.


POST

Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME.


data/lookup-table-files/{name}

https://<host>:<mPort>/services/data/lookup-table-files/{name}

Manage the {name} lookup table file.

This endpoint is available only in Splunk Enterprise.

DELETE

Delete the named lookup table file.


GET

List a single lookup table file.


POST

Modify a lookup table file by replacing it with a file from the upload staging area.


data/props/calcfields

https://<host>:<mPort>/services/data/props/calcfields


Provides access to calculated fields, which are eval expressions in props.conf.


GET

Returns information on calculated fields for this instance of your Splunk deployment.


POST

Create an eval expression defining a calculated field in props.conf.


data/props/calcfields/{name}

https://<host>:<mPort>/services/data/props/calcfields/{name}

Manage the {name} calculated field.


DELETE

Deletes the named calculated field.


GET

Access the named calculated field.


POST

Update the named calculated field.


data/props/extractions

https://<host>:<mPort>/services/data/props/extractions


GET

List field extractions.


POST

Create a new field extraction.


data/props/extractions/{name}

https://<host>:<mPort>/services/data/props/extractions/{name}


Manage the {name} field extraction.

DELETE

Delete the named field extraction.


GET

List a single field extraction.


POST

Modify the named field extraction.


data/props/fieldaliases

https://<host>:<mPort>/services/data/props/fieldaliases

Access or create field aliases.


GET

List field aliases.


POST

Create a new field alias.


data/props/fieldaliases/{name}

https://<host>:<mPort>/services/data/props/fieldaliases/{name}

Manage the {name} field alias.


DELETE

Delete the named field alias.


GET

Access a field alias.


POST

Update a field alias.


data/props/lookups

https://<host>:<mPort>/services/data/props/lookups

Access or create automatic lookups.


GET

List automatic lookups.


POST

Create an automatic lookup.


data/props/lookups/{name}

https://<host>:<mPort>/services/data/props/lookups/{name}


Manage the {name} automatic lookup.


DELETE

Delete an automatic lookup.


GET

Access an automatic lookup.


POST

Update an automatic lookup.


data/props/sourcetype-rename

https://<host>:<mPort>/services/data/props/sourcetype-rename

Access or rename props.conf sourcetypes.


GET

List renamed sourcetypes.


POST

Rename a sourcetype.


data/props/sourcetype-rename/{name}

https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}

Access, delete, or update a sourcetype name.


DELETE

Restore the original sourcetype name for {name}.


GET

Access a specific renamed sourcetype.


POST

Update a renamed sourcetype name.


data/transforms/extractions

https://<host>:<mPort>/services/data/transforms/extractions

Access field extraction definitions.


GET

List field extractions.

POST

Create a new field transformation.


data/transforms/extractions/{name}

https://<host>:<mPort>/services/data/transforms/extractions/{name}

Access, delete, or update the {name} field extraction.

DELETE

Delete a field extraction.


GET

Access a specific field extraction.


POST

Update a field extraction.


data/transforms/lookups

https://<host>:<mPort>/services/data/transforms/lookups

Access or create lookup definitions.


GET

List lookup definitions.

POST

Update a lookup definition.


data/transforms/lookups/{name}

https://<host>:<mPort>/services/data/transforms/lookups/{name}

Manage the {name} lookup definition.


DELETE

Delete a specific lookup definition.


GET

Access a specific lookup definition.


POST

Update a lookup definition.


data/transforms/metric-schema

https://<host>:<mPort>/services/data/transforms/metric-schema

Use this endpoint to configure ingest-time log-to-metrics transformations. Identify measurements and blacklist dimensions. Design transformations that target specific event schemas within a log.

Authentication and Authorization
Use of this endpoint is restricted to roles that have the edit_metric_schema capability.

Usage Details
For more information about carrying out ingest-time log-to-metrics transformations using this endpoint, see Convert event logs to metric data points in Metrics.

GET

List existing log-to-metrics configurations.

POST

Configures ingest-time conversion of log events to metric data points.

DELETE

Delete existing log-to-metrics configurations.

data/transforms/statsdextractions

https://<host>:<mPort>/services/data/transforms/statsdextractions

Use this endpoint to configure dimension extraction from StatsD metrics.

Authentication and Authorization
Use of this endpoint is restricted to roles that have the edit_statsd_transforms capability.

Usage Details
For more information about StatsD dimension extraction using this endpoint, see Get metrics in with StatsD in Metrics.

POST

Configures dimension extraction from StatsD metrics.


data/ui/global-banner

https://<host>:<mPort>/services/data/ui/global-banner

View or create a global banner.

Authentication and Authorization
Use of the POST function of this endpoint is restricted to users with an edit_global_banner capability. The GET function of this endpoint is not restricted.

GET

View a global banner.

POST

Create a new global banner.

data/ui/panels

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/panels

View, add, or edit dashboard panels.

GET

Access all the XML definitions for existing panels.

POST

Create a new dashboard panel source XML definition.


data/ui/views

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views

View or create a dashboard source XML definition.

GET

Access all the XML definitions for existing dashboards.

POST

Create a new dashboard source XML definition.


data/ui/views/{name}

https://<host>:<mPort>/servicesNS/{user}/{app_name}/data/ui/views/{name}

Access or update source XML for an existing dashboard.


GET

Access an existing dashboard XML definition.


POST

Update a specific dashboard XML definition.


DELETE

Delete a specific dashboard XML definition.


datamodel/acceleration (DEPRECATED)

https://<host>:<mPort>/services/datamodel/acceleration

Access information about data models that have acceleration enabled.



datamodel/acceleration/{name} (DEPRECATED)

https://<host>:<mPort>/services/datamodel/acceleration/{name}

Get information about the {name} data model.

Note: This endpoint is deprecated.


GET

Get information about a specific data model.


datamodel/model

https://<host>:<mPort>/services/datamodel/model

Access or create data models.


GET

List data models on the server.


POST

Create a new data model.


datamodel/model/{name}

https://<host>:<mPort>/services/datamodel/model/{name}

Access, delete, or update the {name} data model.


DELETE

Delete a specific data model.


GET

Access a specific data model.


POST

Update a specific data model.


datamodel/pivot

https://<host>:<mPort>/services/datamodel/pivot/{name}

Access pivots that are based on named data models.


GET

Get information about a specific pivot.



directory

https://<host>:<mPort>/services/directory

Access user configurable objects.

These objects include search commands, UI views, UI navigation, saved searches, and event types. This is useful to see which objects are provided by all apps, or by a specific app when the call is namespaced.


GET

List app-scoped objects.


directory/{name}

https://<host>:<mPort>/services/directory/{name}

Get information about the {name} directory entity.

Usage details
This endpoint is rarely used. Typically, after using the directory service enumeration, a client follows the specific link for an object in the enumeration.

GET

Get information about a specific directory entity.


saved/bookmarks/monitoring_console

https://<host>:<mPort>/services/saved/bookmarks/monitoring_console

Add URLs that link to monitoring consoles of your other deployments. For example, use this endpoint if you are an admin overseeing multiple separate Splunk deployments for different teams.


GET

List deployment bookmarks.

POST

Add deployment bookmark URLs.

DELETE

Remove deployment bookmark URLs.


saved/eventtypes

https://<host>:<mPort>/services/saved/eventtypes

Access or create an event type.

GET

Retrieve saved event types.

POST

Create an event type.


saved/eventtypes/{name}

https://<host>:<mPort>/services/saved/eventtypes/{name}


Manage the {name} event type.


DELETE

Delete an event type.


GET

Access the {name} event type.


POST

Update an event type.


search/fields

https://<host>:<mPort>/services/search/fields

Access search field configurations.

Usage details
Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overridden values in $SPLUNK_HOME/etc/system/local/fields.conf.


GET

Get a list of fields registered for field configuration.


search/fields/{field_name}

https://<host>:<mPort>/services/search/fields/{field_name}

Access the {field_name} field.


GET

Get information about the {field_name} field.


search/fields/{field_name}/tags

https://<host>:<mPort>/services/search/fields/{field_name}/tags

Access or update the tags associated with the {field_name} field.


GET

Get tags associated with the {field_name} field.


POST

Update tags associated with the {field_name} field.


search/tags

https://<host>:<mPort>/services/search/tags

Access search time tags.


GET

List all search time tags.


search/tags/{tag_name}

https://<host>:<mPort>/services/search/tags/{tag_name}

Access, update, or delete {tag_name} values.


DELETE

Delete the tag and its associated field:value pair assignments.


GET

Returns a list of field:value pairs associated with the {tag_name} tag.


POST

Update the field:value pairs associated with the {tag_name} tag.


Last modified on 25 September, 2024

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2