Splunk® Enterprise

REST API Reference Manual

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Access endpoint descriptions

Access and manage user credentials.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud Platform URL for REST API access

Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Use the following URL for Splunk Cloud Platform deployments. If necessary, submit a support case using the Splunk Support Portal to open port 8089 on your deployment.

https://<deployment-name>.splunkcloud.com:8089

Free trial Splunk Cloud Platform accounts cannot access the REST API.

See Access requirements and limitations for the Splunk Cloud Platform REST API in the REST API Tutorials manual for more information.


admin/Duo-MFA

Configure Duo Multifactor authentication.

Authentication and Authorization
Requires the change_authentication capability.

Usage details
Disable any SSO configurations, such as SAML, before enabling Duo authentication for the first time. Duo only works with local auth types.


GET

List Duo Multifactor configuration settings.

Request parameters
None

Returned values

Name Description
name Configuration stanza name
integrationKey Duo integration key for Splunk. Must be of size = 20.
secretKey Shared secret key between Splunk and Duo.
apiHostname Duo REST API endpoint used by Splunk for multifactor authentication
appSecretKey Splunk application specific secret key. Must be a random generated hex of length 40 or more.
failOpen Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
timeout Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
sslVersions SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
cipherSuite Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
ecdhCurves ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
sslVerifyServerCert Boolean indicating if Duo server certificate verification is required. Defaults to false.
sslRootCAPath Full path of the certificate to be used for certificate verification if sslVerifyServerCert is true.
sslCommonNameToCheck Common name to verify if sslVerifyServerCert is true.
sslAltNameToCheck Alternate name to verify if sslVerifyServerCert is true.
useClientSSLCompression Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.

Example request and response


XML Request

curl -k -u admin:changeme -X GET https://localhost:8089/services/admin/Duo-MFA

XML Response

 <title>Duo-MFA</title>
  <id>https://localhost:8089/services/admin/Duo-MFA</id>
  <updated>2016-07-26T11:05:14-07:00</updated>
  <generator build="321df14f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Duo-MFA/_new" rel="create"/>
  <link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>duo-mfa</title>
    <id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
    <updated>2016-07-26T11:05:14-07:00</updated>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
        <s:key name="appSecretKey">$1$cQdFd4+XlOrAfgBgQEwe+VevD/MOOfFTIA4vwoaFnCX0V0TO8ZsCsKQ=</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="failOpen">0</s:key>
        <s:key name="integrationKey">$1$RHhrEPy965XhV3kSQmB/zyf6IZV/</s:key>
        <s:key name="secretKey">$1$A3t8AvuwwoDzSgUgB1x50FesOpd0ZKBWaHR5xY6uqWeaB02vsuFh4KQ=</s:key>
        <s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
        <s:key name="sslRootCAPath">/home/mkandaswamy/git/splunkApp/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
        <s:key name="sslVerifyServerCert">true</s:key>
        <s:key name="sslVersions">tls1.2</s:key>
        <s:key name="timeout">5</s:key>
        <s:key name="useClientSSLCompression">true</s:key>
      </s:dict>
    </content>
  </entry>
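The following is an added example, not Splunk code: it parses a GET admin/Duo-MFA response and flags settings that weaken the second factor according to the defaults documented above (failOpen, sslVerifyServerCert, sslRootCAPath, timeout). The `<feed>` wrapper, the namespace URIs, the sample values and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions: the listing above omits the <feed> root
# element that declares them.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample in the shape of the response above. Values are made up.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>Duo-MFA</title>
  <entry>
    <title>duo-mfa</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="apiHostname">api-example.duosecurity.com</s:key>
        <s:key name="eai:acl">
          <s:dict><s:key name="app">system</s:key></s:dict>
        </s:key>
        <s:key name="failOpen">1</s:key>
        <s:key name="sslVerifyServerCert">true</s:key>
        <s:key name="timeout">5</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def parse_stanzas(feed_xml):
    """Return {stanza name: {setting: value}} for every <entry> in the feed."""
    root = ET.fromstring(feed_xml)
    stanzas = {}
    for entry in root.findall("atom:entry", NS):
        name = entry.findtext("atom:title", default="", namespaces=NS)
        settings = {}
        for key in entry.findall("atom:content/s:dict/s:key", NS):
            # Keep scalar settings only; nested dicts such as eai:acl are skipped.
            if len(key) == 0:
                settings[key.get("name")] = (key.text or "").strip()
        stanzas[name] = settings
    return stanzas


def as_bool(value, default):
    """Interpret the boolean spellings seen in the responses: 0/1, true/false."""
    if value is None or value == "":
        return default
    return value.lower() in ("1", "true")


def audit(settings):
    """Return a list of (code, message) findings for one Duo-MFA stanza."""
    findings = []
    # failOpen defaults to false; when true, Splunk bypasses Duo on an outage.
    if as_bool(settings.get("failOpen"), default=False):
        findings.append(("FAIL_OPEN", "failOpen is on: Duo is bypassed if unreachable"))
    # sslVerifyServerCert defaults to false, so an absent key means no verification.
    if not as_bool(settings.get("sslVerifyServerCert"), default=False):
        findings.append(("CERT_VERIFY_OFF", "Duo server certificate is not verified"))
    elif not settings.get("sslRootCAPath"):
        findings.append(("NO_ROOT_CA", "sslVerifyServerCert is on but sslRootCAPath is unset"))
    # timeout must be a positive integer (seconds); absent means the default of 15.
    timeout = settings.get("timeout", "15")
    if not (timeout.isdecimal() and int(timeout) > 0):
        findings.append(("BAD_TIMEOUT", "timeout is not a positive integer: %r" % timeout))
    return findings


if __name__ == "__main__":
    for name, settings in parse_stanzas(SAMPLE_FEED).items():
        for code, message in audit(settings):
            print("%s: %s: %s" % (name, code, message))
```
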

POST

Create a Duo Multifactor configuration.


Request parameters

Name Type Description
name String Required. Configuration stanza name
integrationKey See description Required. Duo integration key for Splunk. Must be of size = 20.
secretKey See description Required. Shared secret key between Splunk and Duo.
apiHostname See description Required. Duo REST API endpoint used by Splunk for multifactor authentication
appSecretKey See description Required. Splunk application specific secret key. Must be a random generated hex of length 40 or more.
failOpen Boolean Optional. Indicates whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
timeout Positive integer Optional. Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
sslVersions See description Optional. SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
cipherSuite See description Optional. Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
ecdhCurves See description Optional. ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
sslVerifyServerCert Boolean Optional. Indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
sslRootCAPath See description Optional. Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
sslCommonNameToCheck See description Optional. Common name to verify if sslVerifyServerCert is true.
sslAltNameToCheck See description Optional. Alternate name to verify if sslVerifyServerCert is true.
useClientSSLCompression See description Optional. Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.


Returned values

Name Description
name Configuration stanza name
integrationKey Duo integration key for Splunk. Must be of size = 20.
secretKey Shared secret key between Splunk and Duo.
apiHostname Duo REST API endpoint used by Splunk for multifactor authentication
appSecretKey Splunk application specific secret key. Must be a random generated hex of length 40 or more.
failOpen Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
timeout Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
sslVersions SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
cipherSuite Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
ecdhCurves ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
sslVerifyServerCert Boolean that indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
sslRootCAPath Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
sslCommonNameToCheck Common name to verify if sslVerifyServerCert is true.
sslAltNameToCheck Alternate name to verify if sslVerifyServerCert is true.
useClientSSLCompression Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.


Example request and response

XML Request

curl -k -u admin:changeme -X POST https://localhost:8089/services/admin/Duo-MFA/duo-mfa -d integrationKey=DIOXYOKGDJNK4JRRT0KT -d secretKey=DABZXYbRVW2yqvTM6fPVMkbgxBna0HTuYa9XuCQ2 -d appSecretKey=56a15e48ec796f3d6ee2763b088f8ca77109692c -d apiHostname=api-cc7a8eab.duosecurity.com -d failOpen=false -d timeout=10 -d sslVersions=tls1.2 -d sslCommonNameToCheck=*.duosecurity.com -d useClientSSLCompression=true -d sslVerifyServerCert=true -d sslRootCAPath=/home/user1/git/example/splunk/etc/auth/DigiCertHighAssuranceEVRootCA.pem

XML Response

   <title>Duo-MFA</title>
  <id>https://localhost:8089/services/admin/Duo-MFA</id>
  <updated>2016-09-21T14:54:43-07:00</updated>
  <generator build="3fe21d2159a8" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Duo-MFA/_new" rel="create"/>
  <link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>duo-mfa</title>
    <id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
    <updated>2016-09-21T14:54:43-07:00</updated>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
        <s:key name="appSecretKey">****************************************</s:key>
        <s:key name="cipherSuite">TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="failOpen">0</s:key>
        <s:key name="integrationKey">$1$W0/LVm4ziyz2U1HZEP8Xzn8WWRa1</s:key>
        <s:key name="secretKey">****************************************</s:key>
        <s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
        <s:key name="sslRootCAPath">/home/user1/git/example/splunk/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
        <s:key name="sslVerifyServerCert">true</s:key>
        <s:key name="sslVersions">tls1.2</s:key>
        <s:key name="timeout">10</s:key>
        <s:key name="useClientSSLCompression">true</s:key>
      </s:dict>
    </content>
  </entry>


admin/Duo-MFA/{name}

Access and manage the {name} Duo Multifactor configuration.

Authentication and Authorization
Requires the change_authentication capability.


GET

List the {name} Duo Multifactor configuration settings.

Request parameters
None

Returned values

Name Description
name Configuration stanza name
integrationKey Duo integration key for Splunk. Must be of size = 20.
secretKey Shared secret key between Splunk and Duo.
apiHostname Duo REST API endpoint used by Splunk for multifactor authentication
appSecretKey Splunk application specific secret key. Must be a random generated hex of length 40 or more.
failOpen Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
timeout Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
sslVersions SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
cipherSuite Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
ecdhCurves ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
sslVerifyServerCert Boolean indicating if Duo server certificate verification is required. Defaults to false.
sslRootCAPath Full path of the certificate to be used for certificate verification if sslVerifyServerCert is true.
sslCommonNameToCheck Common name to verify if sslVerifyServerCert is true.
sslAltNameToCheck Alternate name to verify if sslVerifyServerCert is true.
useClientSSLCompression Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.

Example request and response


XML Request

curl -k -u admin:changeme -X GET https://localhost:8089/services/admin/Duo-MFA

XML Response

 <title>Duo-MFA</title>
  <id>https://localhost:8089/services/admin/Duo-MFA</id>
  <updated>2016-07-26T11:05:14-07:00</updated>
  <generator build="321df14f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Duo-MFA/_new" rel="create"/>
  <link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>duo-mfa</title>
    <id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
    <updated>2016-07-26T11:05:14-07:00</updated>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
        <s:key name="appSecretKey">$1$cQdFd4+XlOrAfgBgQEwe+VevD/MOOfFTIA4vwoaFnCX0V0TO8ZsCsKQ=</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="failOpen">0</s:key>
        <s:key name="integrationKey">$1$RHhrEPy965XhV3kSQmB/zyf6IZV/</s:key>
        <s:key name="secretKey">$1$A3t8AvuwwoDzSgUgB1x50FesOpd0ZKBWaHR5xY6uqWeaB02vsuFh4KQ=</s:key>
        <s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
        <s:key name="sslRootCAPath">/home/mkandaswamy/git/splunkApp/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
        <s:key name="sslVerifyServerCert">true</s:key>
        <s:key name="sslVersions">tls1.2</s:key>
        <s:key name="timeout">5</s:key>
        <s:key name="useClientSSLCompression">true</s:key>
      </s:dict>
    </content>
  </entry>

POST

Update the {name} Duo Multifactor configuration.

Request parameters

Name Type Description
name String Configuration stanza name
integrationKey See description Duo integration key for Splunk. Must be of size = 20.
secretKey See description Shared secret key between Splunk and Duo.
apiHostname See description Duo REST API endpoint used by Splunk for multifactor authentication
appSecretKey See description Splunk application specific secret key. Must be a random generated hex of length 40 or more.
failOpen Boolean Indicates whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
timeout Positive integer Optional. Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
sslVersions See description Optional. SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
cipherSuite See description Optional. Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
ecdhCurves See description Optional. ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
sslVerifyServerCert Boolean Optional. Indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
sslRootCAPath See description Optional. Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
sslCommonNameToCheck See description Optional. Common name to verify if sslVerifyServerCert is true.
sslAltNameToCheck See description Optional. Alternate name to verify if sslVerifyServerCert is true.
useClientSSLCompression See description Optional. Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.


Returned values

Name Description
name Configuration stanza name
integrationKey Duo integration key for Splunk. Must be of size = 20.
secretKey Shared secret key between Splunk and Duo.
apiHostname Duo REST API endpoint used by Splunk for multifactor authentication
appSecretKey Splunk application specific secret key. Must be a random generated hex of length 40 or more.
failOpen Boolean indicating whether Splunk should bypass the Duo service if it is unavailable. Defaults to false.
timeout Positive integer indicating the Duo connection timeout, in seconds, for declaring the Duo service unavailable. Defaults to 15 seconds.
sslVersions SSL version to use for accessing the Duo REST API. Defaults to Splunkd sslVersion.
cipherSuite Cipher suite to use for accessing the Duo REST API. Defaults to Splunkd cipherSuite.
ecdhCurves ECDH curve value to use for accessing the Duo REST API. Defaults to Splunkd ecdhCurves.
sslVerifyServerCert Boolean that indicates if Duo server certificate verification is required. Defaults to false. If set to true, provide a sslRootCAPath to ensure successful certificate validation.
sslRootCAPath Full path of the certificate to be used for certificate verification. If sslVerifyServerCert is true, this path must be provided to ensure successful certificate validation.
sslCommonNameToCheck Common name to verify if sslVerifyServerCert is true.
sslAltNameToCheck Alternate name to verify if sslVerifyServerCert is true.
useClientSSLCompression Boolean indicating if client side SSL compression is enabled. Defaults to Splunkd useClientSSLCompression.


Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/Duo-MFA/duo-mfa -d failOpen=0

XML Response

 <title>Duo-MFA</title>
  <id>https://localhost:8089/services/admin/Duo-MFA</id>
  <updated>2016-07-26T11:03:58-07:00</updated>
  <generator build="321d123f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Duo-MFA/_new" rel="create"/>
  <link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>duo-mfa</title>
    <id>https://localhost:8089/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa</id>
    <updated>2016-07-26T11:03:58-07:00</updated>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="list"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="edit"/>
    <link href="/servicesNS/nobody/system/admin/Duo-MFA/duo-mfa" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="apiHostname">api-cc7a8eab.duosecurity.com</s:key>
        <s:key name="appSecretKey">$1$cQdFd4+XlOrAfgBgQEwe+VevD/MOOfFTIA4vwoaFnCX0123TO8ZsCsKQ=</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="failOpen">0</s:key>
        <s:key name="integrationKey">$1$RHhrEPy123XhV3kSQmB/zyf6IZV/</s:key>
        <s:key name="secretKey">$1$A3t8AvuwwoDzSgUgB1x50FesOpd0123WaHR5xY6uqWeaB02vsuFh4KQ=</s:key>
        <s:key name="sslCommonNameToCheck">*.duosecurity.com</s:key>
        <s:key name="sslRootCAPath">/home/user/git/splunkApp/etc/auth/DigiCertHighAssuranceEVRootCA.pem</s:key>
        <s:key name="sslVerifyServerCert">true</s:key>
        <s:key name="sslVersions">tls1.2</s:key>
        <s:key name="timeout">5</s:key>
        <s:key name="useClientSSLCompression">true</s:key>
      </s:dict>
    </content>
  </entry>


DELETE

Delete the {name} Duo Multifactor configuration.

Request parameters
None

Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/admin/Duo-MFA/duo-mfa

XML Response

...
  <title>Duo-MFA</title>
  <id>https://localhost:8089/services/admin/Duo-MFA</id>
  <updated>2016-07-26T11:06:00-07:00</updated>
  <generator build="321df14f2b1047b51259ee2d4eeacb4184dc6679" version="20160720"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Duo-MFA/_new" rel="create"/>
  <link href="/services/admin/Duo-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="WARN">No active Duo MFA configuration to list.</s:msg>
  </s:messages>




RSA multifactor authentication REST API usage details

Splunk Enterprise users can configure RSA user authentication using the REST API.

You can use the RSA multifactor authentication REST API to configure RSA authentication and to verify that the authentication is configured correctly.

  • To configure multifactor authentication for Splunk Web, use the /services/admin/Rsa-MFA endpoint. To enable it for the CLI and management port as well, set the parameter enableMfaAuthRest to true.
  • To verify the authentication, you use the /services/admin/Rsa-MFA-config-verify/ endpoint.

Authentication and Authorization

Requires the change_authentication capability.

To learn more about using RSA multifactor authentication, see About multifactor authentication with RSA Authentication Manager in Securing Splunk Enterprise.

admin/Rsa-MFA

Configure RSA multifactor authentication.

GET

List the RSA Authentication Manager configuration settings.

Request parameters
None

Returned values

Name Description
name Configuration stanza name
authManagerUrl URL of REST endpoint of RSA Authentication Manager.
accessKey Access key needed by Splunk to communicate with RSA Authentication Manager. This value is hidden in the output.
clientId Agent name created on RSA Authentication Manager.
failOpen If true, allow login when the authentication server is unavailable.
timeout Connection timeout, in seconds, for the outbound HTTPS connection.
messageOnError Message shown to the user on login failure.
enableMfaAuthRest If true, enable authentication of REST calls.
caCertBundlePayload SSL certificate chain returned by the RSA server.
replicateCertificates If enabled, RSA certificate files are replicated across the search head cluster.

Example request and response


XML Request

curl -k -u admin:changeme -X GET https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA/rsa-mfa

XML Response

 
...
  <title>Rsa-MFA</title>
  <id>https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA</id>
  <updated>2018-04-03T12:42:27-07:00</updated>
  <generator build="80906e769c378b3c090160fc090717553dd4e8ef" version="20180331"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Rsa-MFA/_new" rel="create"/>
  <link href="/services/admin/Rsa-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>rsa-mfa</title>
    <id>https://ronnie.sv.splunk.com:8130/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="list"/>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="edit"/>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="remove"/>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="accessKey">****************************************</s:key>
        <s:key name="authManagerCertPath">etc/auth/rsa-2fa/cert.pem</s:key>
        <s:key name="authManagerUrl">https://qa-rsaam-002.sv.splunk.com:5555</s:key>
        <s:key name="clientId">ronnie.splunk.com</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="enableMfaAuthRest">false</s:key>
        <s:key name="failOpen">1</s:key>
        <s:key name="messageOnError">Please_contact_admin</s:key>
        <s:key name="timeout">10</s:key>
      </s:dict>
    </content>
  </entry>

POST

Edit the RSA Authentication Manager configuration.

Request parameters

Name Type Description
name String Required. Name of RSA configuration stanza
authManagerUrl String Required. URL of REST endpoint of RSA Authentication Manager.
accessKey String Required. Access key needed by Splunk to communicate with RSA Authentication Manager.
clientId String Required. Agent name created on RSA Authentication Manager.
failOpen Boolean Optional. If true, allow login when the authentication server is unavailable.
timeout Integer Optional. Connection timeout, in seconds, for the outbound HTTPS connection.
messageOnError String Optional. Message shown to the user on login failure.
enableMfaAuthRest Boolean Optional. If true, enable authentication of REST calls.
caCertBundlePayload String Required. SSL certificate chain returned by the RSA server.
replicateCertificates Boolean If enabled, RSA certificate files are replicated across the search head cluster.


Returned values

Name Description
name Configuration stanza name
authManagerUrl URL of REST endpoint of RSA Authentication Manager.
accessKey Access key needed by Splunk to communicate with RSA Authentication Manager. Note that this value is hidden in the output.
clientId Agent name created on RSA Authentication Manager.
failOpen If true, allow login in case the authentication server is unavailable.
timeout Connection timeout, in seconds, for the outbound HTTPS connection.
messageOnError Message shown to the user in case of login failure.
enableMfaAuthRest If true, enable authentication of REST calls.
caCertBundlePayload SSL certificate chain returned by the RSA server.
replicateCertificates If enabled, RSA certificate files are replicated across the search head cluster setup.


Example request and response


XML Request

curl -k -u admin:Splunk_123 -X POST https://localhost:8092/services/admin/Rsa-MFA -d name=rsa-mfa -d timeout=10 -d failOpen=true -d authManagerUrl=https://rsa-auth-manager.company.com:5555 -d accessKey=sdrf23ri90jn00i -d clientId=linux-vm -d messageOnError=Please_contact_admin -d caCertBundlePayload="<URL-encoded PEM certificate chain>"

XML Response

...
  <title>Rsa-MFA</title>
  <id>https://localhost:8092/services/admin/Rsa-MFA</id>
  <updated>2018-08-09T20:03:01-07:00</updated>
  <generator build="179002a8c333" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Rsa-MFA/_new" rel="create"/>
  <link href="/services/admin/Rsa-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>rsa-mfa</title>
    <id>https://localhost:8092/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="list"/>
    <link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="edit"/>
    <link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa" rel="remove"/>
    <link href="/servicesNS/nobody/search/admin/Rsa-MFA/rsa-mfa/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="accessKey">****************************************</s:key>
        <s:key name="authManagerUrl">https://rsa-auth-manager.company.com:5555</s:key>
        <s:key name="clientId">linux-vm</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>power</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">admin</s:key>
        <s:key name="enableMfaAuthRest">false</s:key>
        <s:key name="failOpen">1</s:key>
        <s:key name="messageOnError">Please_contact_admin</s:key>
        <s:key name="replicateCertificates">true</s:key>
        <s:key name="sslRootCAPath">$SPLUNK_HOME/etc/auth/rsa-2fa/cert.pem</s:key>
        <s:key name="timeout">10</s:key>
      </s:dict>
    </content>
  </entry>
  

DELETE

Delete the RSA Authentication Manager configuration.

Request parameters
None

Returned values
None

Example request and response


XML Request

curl -k -u admin:changeme -X DELETE https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA/rsa-mfa

XML Response

...
  <title>Rsa-MFA</title>
  <id>https://ronnie.sv.splunk.com:8130/services/admin/Rsa-MFA</id>
  <updated>2018-04-03T12:42:27-07:00</updated>
  <generator build="80906e769c378b3c090160fc090717553dd4e8ef" version="20180331"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Rsa-MFA/_new" rel="create"/>
  <link href="/services/admin/Rsa-MFA/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>rsa-mfa</title>
    <id>https://ronnie.sv.splunk.com:8130/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="list"/>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="edit"/>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa" rel="remove"/>
    <link href="/servicesNS/nobody/system/admin/Rsa-MFA/rsa-mfa/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="accessKey">****************************************</s:key>
        <s:key name="authManagerCertPath">etc/auth/rsa-2fa/cert.pem</s:key>
        <s:key name="authManagerUrl">https://qa-rsaam-002.sv.splunk.com:5555</s:key>
        <s:key name="clientId">ronnie.splunk.com</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="enableMfaAuthRest">false</s:key>
        <s:key name="failOpen">1</s:key>
        <s:key name="messageOnError">Please_contact_admin</s:key>
        <s:key name="timeout">10</s:key>
      </s:dict>
    </content>
  </entry>




admin/Rsa-MFA-config-verify/<rsa-stanza-name>

Verify RSA multifactor authentication.

POST

Verify the RSA multifactor authentication.

Request parameters

Name Type Description
username String Optional. RSA username.
passcode String Optional. RSA passcode consists of PIN followed by tokencode.


Returned values
Information on whether RSA configuration is valid or not.

Example request and response


XML Request

curl -k -u user1:Splunk_123 -X POST https://localhost:8201/services/admin/Rsa-MFA-config-verify/rsa-mfa

XML Response

...
  <title>Rsa-MFA-config-verify</title>
  <id>https://localhost:8201/services/admin/Rsa-MFA-config-verify</id>
  <updated>2018-06-15T22:46:35-07:00</updated>
  <generator build="e23985b8ecacbe6a245c427b75ec77906439d540" version="20180614"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/Rsa-MFA-config-verify/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Config verification successful</s:msg>
  </s:messages>

LDAP REST API usage details

Splunk Enterprise users can configure LDAP user authentication using the REST API. If you are using Splunk Cloud Platform, contact Support for assistance with setting up LDAP authentication.

LDAP user authentication lets you specify configurations, user groups, and group to role mappings to manage permissions in your Splunk deployment.

You can use the LDAP REST API for the following LDAP management tasks.

  • Configure an LDAP strategy for a server in your deployment.
  • Map LDAP groups to user roles in a server to manage group permissions.
  • Enable or disable an LDAP strategy.

To learn more about using LDAP authentication, see Set up user authentication with LDAP in Securing Splunk Enterprise.

admin/LDAP-groups

https://<host>:<mPort>/services/admin/LDAP-groups

Access and update LDAP group to role mappings.

Authentication and authorization
Requires the change_authentication capability for access.


GET

Access LDAP group mappings.

Request parameters

If you are passing in a strategy name with an LDAP group name, they must be comma separated.

Name Description
strategy LDAP strategy name
LDAPgroup LDAP group name

Returned values
For each group, the following values are returned in the response.

Name Description
roles Roles mapped to this group
strategy Strategy name
type Group type
users List of users in this group


Example request and response

curl -u admin:changeme -X GET -k https://localhost:8089/services/admin/LDAP-groups/
...
  <title>LDAP-groups</title>
  <id>https://localhost:8089/services/admin/LDAP-groups</id>
  <updated>2016-11-10T13:04:02-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/LDAP-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>20</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>Abc123-Admin</title>
    <id>https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin</id>
    <updated>2016-11-10T13:04:02-08:00</updated>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="list"/>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list/>
        </s:key>
        <s:key name="strategy">ActiveDirectory_New</s:key>
        <s:key name="type">static</s:key>
        <s:key name="users">
          <s:list>
            <s:item>CN=Abc123 CI,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 1 User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 2. User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>

POST

Create an LDAP group.


Request parameters
Append the group name to the LDAP-groups/ endpoint. Pass in a strategy name using comma separation. For example, this POST creates the ActiveDirectory_New strategy and specifies the Abc123 group name.

  curl -k -u admin:password -X POST https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New,Abc123-Admin -d roles=user

Name Description
strategy Required. LDAP strategy name
LDAPgroup Required. LDAP group name


Returned values

Name Description
roles Roles mapped to this group.
strategy Strategy name
type Group type
users List of users in this group.


Example request and response


curl -k -u admin:password -X POST https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New,Abc123-Admin -d roles=user

.
.
.
    <title>Abc123-Admin</title>
    <id>https://localhost:8089/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin</id>
    <updated>2016-11-10T13:07:28-08:00</updated>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="list"/>
    <link href="/services/admin/LDAP-groups/ActiveDirectory_New%2CAbc123-Admin" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
        <s:key name="strategy">ActiveDirectory_New</s:key>
        <s:key name="type">static</s:key>
        <s:key name="users">
          <s:list>
            <s:item>CN=Abc123 CI,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 1 User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
            <s:item>CN=Test 2. User,OU=Abc123,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
.
.
.



authentication/providers/LDAP

https://<host>:<mPort>/services/authentication/providers/LDAP

Access or create LDAP authentication strategies on a server in your deployment.

Authentication and authorization
Requires the change_authentication capability for access.

GET

Access LDAP configuration strategies.

Request parameters

Name Description
strategy Name of LDAP configuration strategy

Returned values
The response lists LDAP strategy settings.

See LDAP settings in authentication.conf for strategy settings information.

Example request and response

curl -k -u admin:password https://localhost:8089/services/authentication/providers/LDAP/
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>providers/LDAP</title>
  <id>https://localhost:8089/services/authentication/providers/LDAP</id>
  <updated>2016-11-09T16:14:07-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/LDAP/_new" rel="create"/>
  <link href="/services/authentication/providers/LDAP/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>my_strategy</title>
    <id>https://localhost:8089/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy</id>
    <updated>2016-11-09T16:14:07-08:00</updated>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="list"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="edit"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="remove"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="anonymous_referrals">1</s:key>
        <s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="charset">utf8</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="emailAttribute">mail</s:key>
        <s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="groupMappingAttribute">dn</s:key>
        <s:key name="groupMemberAttribute">sn</s:key>
        <s:key name="groupNameAttribute">sn</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="nestedGroups">0</s:key>
        <s:key name="network_timeout">20</s:key>
        <s:key name="order">1</s:key>
        <s:key name="port">389</s:key>
        <s:key name="realNameAttribute">sn</s:key>
        <s:key name="sizelimit">1000</s:key>
        <s:key name="timelimit">15</s:key>
        <s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="userNameAttribute">sn</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
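
A review check over the responses shown on this page, as an added example that is not part of the Splunk documentation: it parses the Atom feed's nested s:dict/s:key/s:list content into Python values and flags the settings that appear in the Rsa-MFA and LDAP strategy examples (failOpen on, enableMfaAuthRest off, SSLEnabled off, write ACL open to every role). The function names and the trimmed sample feed are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
REST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample: two entries trimmed from the response shapes on this page.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>rsa-mfa</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
              </s:dict>
            </s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="enableMfaAuthRest">false</s:key>
        <s:key name="failOpen">1</s:key>
        <s:key name="timeout">10</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>my_strategy</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="port">389</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def _value(node):
    """Turn the body of <content>, <s:key> or <s:item> into dict, list or text."""
    child = next(iter(node), None)
    if child is not None and child.tag == REST + "dict":
        return {k.get("name"): _value(k) for k in child.findall(REST + "key")}
    if child is not None and child.tag == REST + "list":
        return [_value(i) for i in child.findall(REST + "item")]
    return (node.text or "").strip()


def parse_entries(feed_xml):
    """Map each <entry> title to its settings dictionary."""
    entries = {}
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title", default="")
        content = entry.find(ATOM + "content")
        settings = _value(content) if content is not None else {}
        entries[title] = settings if isinstance(settings, dict) else {}
    return entries


def _on(value):
    """The responses on this page encode booleans both as 1/0 and true/false."""
    return str(value).strip().lower() in ("1", "true")


def _write_roles(cfg):
    """Roles listed under eai:acl -> perms -> write, or [] if absent."""
    acl = cfg.get("eai:acl")
    perms = acl.get("perms") if isinstance(acl, dict) else None
    roles = perms.get("write") if isinstance(perms, dict) else None
    return roles if isinstance(roles, list) else []


def audit(entries):
    """Return (entry, setting, reason) tuples for settings worth a review."""
    findings = []
    for name, cfg in entries.items():
        if _on(cfg.get("failOpen", 0)):
            findings.append((name, "failOpen",
                             "login is allowed when the authentication server is unavailable"))
        if "enableMfaAuthRest" in cfg and not _on(cfg["enableMfaAuthRest"]):
            findings.append((name, "enableMfaAuthRest",
                             "multifactor authentication of REST calls is off"))
        if "SSLEnabled" in cfg and not _on(cfg["SSLEnabled"]):
            target = "%s:%s" % (cfg.get("host", "?"), cfg.get("port", "?"))
            findings.append((name, "SSLEnabled",
                             "LDAP traffic to %s is not SSL-protected" % target))
        if "*" in _write_roles(cfg):
            findings.append((name, "eai:acl", "ACL lists every role (*) as a writer"))
    return findings


if __name__ == "__main__":
    for entry, setting, reason in audit(parse_entries(SAMPLE_FEED)):
        print("%-12s %-18s %s" % (entry, setting, reason))
```

To run it against a live deployment, save the XML body returned by the GET requests shown on this page and pass it to parse_entries in place of SAMPLE_FEED.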

POST

Create an LDAP strategy.

Usage details
Use the following endpoints to enable or disable an LDAP strategy after you create it.

  • services/authentication/providers/LDAP/{LDAP_strategy_name}/enable
  • services/authentication/providers/LDAP/{LDAP_strategy_name}/disable

Request parameters
See LDAP settings in authentication.conf for required and optional settings information.

Returned values
None.

Example request and response

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/ -d name=my_strategy -d groupBaseDN="CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com" -d groupMemberAttribute=sn -d groupNameAttribute=sn -d host=1.1.1.1 -d realNameAttribute=sn -d userBaseDN="OU=SAML Test,DC=qa,DC=ab2008e2,DC=com" -d userNameAttribute=sn -d bindDN="CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com" -d bindDNpassword=password

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>providers/LDAP</title>
  <id>https://localhost:8089/services/authentication/providers/LDAP</id>
  <updated>2016-11-09T16:20:14-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/LDAP/_new" rel="create"/>
  <link href="/services/authentication/providers/LDAP/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Successfully performed a bind to the LDAP server</s:msg>
    <s:msg type="WARN">Failed to find the email attribute 'mail' in a returned user entry.</s:msg>
  </s:messages>
  <entry>
    <title>my_strategy</title>
    <id>https://localhost:8089/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy</id>
    <updated>2016-11-09T16:20:14-08:00</updated>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="list"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="edit"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="remove"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="anonymous_referrals">1</s:key>
        <s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="charset">utf8</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="emailAttribute">mail</s:key>
        <s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="groupMappingAttribute">dn</s:key>
        <s:key name="groupMemberAttribute">sn</s:key>
        <s:key name="groupNameAttribute">sn</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="nestedGroups">0</s:key>
        <s:key name="network_timeout">20</s:key>
        <s:key name="order">1</s:key>
        <s:key name="port">389</s:key>
        <s:key name="realNameAttribute">sn</s:key>
        <s:key name="sizelimit">1000</s:key>
        <s:key name="timelimit">15</s:key>
        <s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ab2008e2,DC=com</s:key>
        <s:key name="userNameAttribute">sn</s:key>
      </s:dict>
    </content>
  </entry>
</feed>



authentication/providers/LDAP/{LDAP_strategy_name}

https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}

Access, update, or delete the {LDAP_strategy_name} strategy.

Authentication and authorization
Requires the change_authentication capability for access.

POST

Update an existing LDAP strategy.

Request parameters and returned values
See LDAP settings in authentication.conf for strategy settings information.

Example request and response

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/my_strategy -d port=390
  <entry>
    <title>my_strategy</title>
    <id>https://localhost:8089/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy</id>
    <updated>2016-11-09T16:14:07-08:00</updated>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="list"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="edit"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy" rel="remove"/>
    <link href="/servicesNS/nobody/system/authentication/providers/LDAP/my_strategy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="SSLEnabled">0</s:key>
        <s:key name="anonymous_referrals">1</s:key>
        <s:key name="bindDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="bindDNpassword">********</s:key>
        <s:key name="charset">utf8</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="emailAttribute">mail</s:key>
        <s:key name="groupBaseDN">CN=Saml user2,OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="groupMappingAttribute">dn</s:key>
        <s:key name="groupMemberAttribute">sn</s:key>
        <s:key name="groupNameAttribute">sn</s:key>
        <s:key name="host">1.1.1.1</s:key>
        <s:key name="nestedGroups">0</s:key>
        <s:key name="network_timeout">20</s:key>
        <s:key name="order">1</s:key>
        <s:key name="port">390</s:key>
        <s:key name="realNameAttribute">sn</s:key>
        <s:key name="sizelimit">1000</s:key>
        <s:key name="timelimit">15</s:key>
        <s:key name="userBaseDN">OU=SAML Test,DC=qa,DC=ad2008r2,DC=com</s:key>
        <s:key name="userNameAttribute">sn</s:key>
      </s:dict>
    </content>
  </entry>
.
.
.

DELETE

Delete an existing LDAP strategy.

Request parameters
None

Returned values
None

Example request and response

curl -k -u admin:password -X DELETE https://localhost:8089/services/authentication/providers/LDAP/my_strategy
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>providers/LDAP</title>
  <id>https://ronnie:8132/services/authentication/providers/LDAP</id>
  <updated>2016-11-09T16:18:37-08:00</updated>
  <generator build="2469654e091cb630e237a02094e683ced50f2fe5" version="20161031"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/LDAP/_new" rel="create"/>
  <link href="/services/authentication/providers/LDAP/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>



authentication/providers/LDAP/{LDAP_strategy_name}/enable

https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}/enable


POST

Enable the {LDAP_strategy_name} LDAP strategy.

Request parameters
None

Returned values
None

Example request

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/my_strategy/enable

authentication/providers/LDAP/{LDAP_strategy_name}/disable

https://<host>:<mPort>/services/authentication/providers/LDAP/{LDAP_strategy_name}/disable


POST

Disable the {LDAP_strategy_name} LDAP strategy.

Request parameters
None

Returned values
None

Example request

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/LDAP/my_strategy/disable

admin/metrics-reload/_reload

https://<host>:<mPort>/services/admin/metrics-reload/_reload

Use this endpoint to reload the metrics processor after updating a metrics-related configuration.

POST

Reload the metrics processor.

Example request and response

Request

curl -k -u admin:changeme https://localhost:8089/services/admin/metrics-reload/_reload

Response

...
<title>metrics-reload</title>
  <id>https://<localhost>:<mport>/services/admin/metrics-reload</id>
  <updated>2017-08-08T23:33:13+00:00</updated>
  <generator build="eb729684699b" version="7.0.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/metrics-reload/_reload" rel="_reload"/>
  <link href="/services/admin/metrics-reload/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

ProxySSO REST API usage details

SSO mode must be enabled before you can configure ProxySSO. If you are creating a new ProxySSO configuration for the first time, follow these steps.

  1. Locate the web.conf file in the etc/system/local directory.
  2. Make the following additions to the [settings] stanza of the web.conf file. If the file does not already exist in this location, create a new file called web.conf and add only the [settings] stanza name and the following settings to it.
    [settings]
    SSOMode = strict
    trustedIP = <IP_address>
    remoteUser = <remote user>
    remoteGroups = <remote group>
    tools.proxy.on = False
    allowSsoWithoutChangingServerConf = 1
    
    
  3. Restart the Splunk deployment after updating web.conf.
  4. Use the admin/ProxySSO-auth/{proxy_name}/enable endpoint to enable the configuration that you are creating.
  5. Use the admin/ProxySSO-auth endpoint to add the new configuration.
  6. (Optional) Use the services/admin/auth-services endpoint to verify that the active_authmodule is set to ProxySSO.
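
A pre-flight check for step 2, run before the restart in step 3. This is an added example, not Splunk code: the function name check_web_conf and the sample files are constructed for illustration, and the expected values are the ones listed in the procedure above.

```python
import configparser
import ipaddress

# Values the procedure above prescribes for the [settings] stanza.
REQUIRED = {
    "SSOMode": "strict",
    "tools.proxy.on": "False",
    "allowSsoWithoutChangingServerConf": "1",
}
# Settings whose values are site-specific but must be filled in.
SITE_SPECIFIC = ("trustedIP", "remoteUser", "remoteGroups")


def check_web_conf(text):
    """Return a list of problems found in the [settings] stanza of web.conf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of setting names
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["cannot parse web.conf: %s" % exc.__class__.__name__]
    if not parser.has_section("settings"):
        return ["missing [settings] stanza"]
    settings = parser["settings"]
    problems = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            problems.append("%s is not set" % key)
        elif actual.strip().lower() != expected.lower():
            problems.append("%s is %r, expected %s" % (key, actual, expected))
    for key in SITE_SPECIFIC:
        value = (settings.get(key) or "").strip()
        if not value or value.startswith("<"):
            problems.append("%s is empty or still a placeholder" % key)
    ip = (settings.get("trustedIP") or "").strip()
    if ip and not ip.startswith("<"):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("trustedIP %r is not a valid IP address" % ip)
    return problems


# Constructed sample files (addresses and header names are made up).
GOOD_CONF = """[settings]
SSOMode = strict
trustedIP = 10.1.2.3
remoteUser = X-Remote-User
remoteGroups = X-Remote-Groups
tools.proxy.on = False
allowSsoWithoutChangingServerConf = 1
"""

BAD_CONF = """[settings]
SSOMode = permissive
trustedIP = <IP_address>
remoteUser = X-Remote-User
tools.proxy.on = False
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_web_conf(conf) or "OK")
```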

admin/ProxySSO-auth

https://<host>:<mPort>/services/admin/ProxySSO-auth

Access or create a ProxySSO configuration.

GET

Review existing ProxySSO configurations.

Request parameters
None.


Returned values
For each configuration the following values are returned.

Name                        Description
defaultRoleIfMissing        Name of default role to use if no mapping is found.
blacklistedUsers            Comma separated list of blacklisted users.
blacklistedAutoMappedRoles  Comma separated list of blacklisted roles.
disabled                    Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.
title                       Configuration name

Example request and response

XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth

XML Response

...
  <title>ProxySSO-auth</title>
  <id>https://localhost:8089/services/admin/ProxySSO-auth</id>
  <updated>2016-08-31T15:57:42-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>my_proxy</title>
    <id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
    <updated>2016-08-31T15:57:42-07:00</updated>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="blacklistedAutoMappedRoles">role1</s:key>
        <s:key name="blacklistedUsers"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

...



POST

Add a new ProxySSO configuration.

Usage details
Changes are written to the app context.

Request parameters

Name                        Type                  Description
name                        String                Required. New ProxySSO configuration name
defaultRoleIfMissing        Role name             Specify a default role to use if no mapping is found.
blacklistedUsers            Comma separated list  Specify blacklisted users.
blacklistedAutoMappedRoles  Comma separated list  Specify blacklisted roles.


Returned values

Name                        Description
defaultRoleIfMissing        Name of default role to use if no mapping is found.
blacklistedUsers            Comma separated list of blacklisted users.
blacklistedAutoMappedRoles  Comma separated list of blacklisted roles.
disabled                    Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.


Example request and response

XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth -d name=my_proxy 

XML Response


...
<title>ProxySSO-auth</title>
  <id>https://wimpy:7102/services/admin/ProxySSO-auth</id>
  <updated>2016-08-31T14:53:42-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>my_proxy</title>
    <id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
    <updated>2016-08-31T14:53:42-07:00</updated>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="blacklistedAutoMappedRoles"></s:key>
        <s:key name="blacklistedUsers"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
...

admin/ProxySSO-auth/{proxy_name}

https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name} 

Access, update, or delete the {proxy_name} configuration.

GET

Access configuration details.

Request parameters
None

Returned values

Name                        Description
defaultRoleIfMissing        Name of default role to use if no mapping is found.
blacklistedUsers            Comma separated list of blacklisted users.
blacklistedAutoMappedRoles  Comma separated list of blacklisted roles.
disabled                    Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.
title                       Configuration name


Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy


XML Response

<title>ProxySSO-auth</title>
  <id>https://localhost:8089/services/admin/ProxySSO-auth</id>
     ...
  <entry>
    <title>my_proxy</title>
    <id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
    <updated>2016-08-31T16:09:38-07:00</updated>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="blacklistedAutoMappedRoles">role1</s:key>
        <s:key name="blacklistedUsers"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>blacklistedAutoMappedRoles</s:item>
                <s:item>blacklistedUsers</s:item>
                <s:item>defaultRoleIfMissing</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>


POST

Update a configuration.

Changes are written to the app context.

Request parameters

Name                        Type                  Description
name                        String                Required. New ProxySSO configuration name
defaultRoleIfMissing        Role name             Specify a default role to use if no mapping is found.
blacklistedUsers            Comma separated list  Specify blacklisted users.
blacklistedAutoMappedRoles  Comma separated list  Specify blacklisted roles.

Returned values

Name                        Description
defaultRoleIfMissing        Name of default role to use if no mapping is found.
blacklistedUsers            Comma separated list of blacklisted users.
blacklistedAutoMappedRoles  Comma separated list of blacklisted roles.
disabled                    Boolean value indicating whether the configuration is disabled. 0 indicates that the configuration is enabled.
title                       Configuration name


Example request and response

XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy -d blacklistedAutoMappedRoles=role2,role3

XML Response

...
 <title>ProxySSO-auth</title>
  <id>https://localhost:8089/services/admin/ProxySSO-auth</id>
  <updated>2016-08-31T16:19:07-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>my_proxy</title>
    <id>https://localhost:8089/services/admin/ProxySSO-auth/my_proxy</id>
    <updated>2016-08-31T16:19:07-07:00</updated>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="list"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="edit"/>
    <link href="/services/admin/ProxySSO-auth/my_proxy" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="blacklistedAutoMappedRoles">role2,role3</s:key>
        <s:key name="blacklistedUsers"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>


DELETE

Delete a configuration.

Changes are written to the app context.

Request parameters
None

Returned values
None


Example request and response


XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/admin/ProxySSO-auth/my_proxy

XML Response



admin/ProxySSO-auth/{proxy_name}/disable

https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name}/disable

Disable the {proxy_name} configuration.


GET

Disable the {proxy_name} configuration.

Request parameters
None

Returned values
None


Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy/disable

XML Response

...
  <title>ProxySSO-auth</title>
  <id>https://localhost:8089/services/admin/ProxySSO-auth</id>
  <updated>2016-08-31T16:43:46-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
...

admin/ProxySSO-auth/{proxy_name}/enable

https://<host>:<mPort>/services/admin/ProxySSO-auth/{proxy_name}/enable

Use a GET request to create and enable the {proxy_name} authentication setting. Changes are made in the default app context.


GET

Enable the {proxy_name} configuration.

Usage details
For new configurations, specify a new {proxy_name}. After enabling the configuration, use the same {proxy_name} in the POST to admin/ProxySSO-auth to add the configuration.


Request parameters
None

Returned values
None

Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-auth/my_proxy/enable


XML Response

  <title>ProxySSO-auth</title>
  <id>https://wimpy:7102/services/admin/ProxySSO-auth</id>
  <updated>2016-08-31T16:44:05-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-auth/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-auth/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

admin/ProxySSO-groups

https://<host>:<mPort>/services/admin/ProxySSO-groups

Access or create role to group ProxySSO mappings.


Authentication and authorization
Requires the change_authentication capability.

GET

Access ProxySSO role to group mappings.

Request parameters
None

Returned values
For each group returned, lists the roles assigned to it.


Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-groups

XML Response

...
  <title>ProxySSO-groups</title>
  <id>https://localhost:8089/services/admin/ProxySSO-groups</id>
     ...
  <entry>
    <title>group1</title>
    <id>https://localhost:8089/services/admin/ProxySSO-groups/group1</id>
    <updated>2016-08-31T17:03:46-07:00</updated>
    <link href="/services/admin/ProxySSO-groups/group1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-groups/group1" rel="list"/>
    <link href="/services/admin/ProxySSO-groups/group1" rel="edit"/>
    <link href="/services/admin/ProxySSO-groups/group1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
...


POST

Create a new mapping.

Changes are written to the app context.

Request parameters

Name   Type            Description
roles  User role name  Specify roles to map to the group that you are creating. Use a separate roles parameter for each role added.

Returned values
None


Example request and response


XML Request

curl -k -u admin:changed -X POST https://localhost:8089/services/admin/ProxySSO-groups/group1 -d roles=power 

XML Response


...
  <title>ProxySSO-groups</title>
  <id>https://localhost:8089/services/admin/ProxySSO-groups</id>
  <updated>2016-08-31T17:01:20-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-groups/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
 ...

admin/ProxySSO-groups/{group_name}

https://<host>:<mPort>/services/admin/ProxySSO-groups/{group_name} 

Access, create, and manage role to group mappings.

Authentication and authorization
Requires the change_authentication capability.

GET

Access role mappings for the {group_name} group.


Request parameters
None

Returned values

Name   Description
roles  Roles mapped to this group.

Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-groups/group2

XML Response

  <title>ProxySSO-groups</title>
  <id>https://wimpy:7102/services/admin/ProxySSO-groups</id>
   ...
  <entry>
    <title>group2</title>
    <id>https://localhost:8089/services/admin/ProxySSO-groups/group2</id>
    <updated>2016-08-31T17:25:01-07:00</updated>
    <link href="/services/admin/ProxySSO-groups/group2" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-groups/group2" rel="list"/>
    <link href="/services/admin/ProxySSO-groups/group2" rel="edit"/>
    <link href="/services/admin/ProxySSO-groups/group2" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>roles</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
...



POST

Create a new {group_name} mapping or update an existing one.

Changes are written to the app context.

Request parameters
If you are creating a new group, specify the new group name in the URL.

Name   Type            Description
roles  User role name  Specify roles to map to the group that you are creating or updating. Use a separate roles parameter for each role added.

Returned values
None


Example request and response


XML Request

curl -k -u admin:changed -X POST https://localhost:8089/services/admin/ProxySSO-groups/group1 -d roles=power 

XML Response


...
  <title>ProxySSO-groups</title>
  <id>https://localhost:8089/services/admin/ProxySSO-groups</id>
  <updated>2016-08-31T17:01:20-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-groups/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
 ...


DELETE

Delete the {group_name} group mapping.

Changes are written to the app context.


Request parameters
None

Returned values
None


Example request and response


XML Request

curl -k -u admin:changed -X DELETE https://localhost:8089/services/admin/ProxySSO-groups/group2

XML Response

  <title>ProxySSO-groups</title>
  <id>https://localhost:8089/services/admin/ProxySSO-groups</id>
  <updated>2016-08-31T17:42:39-07:00</updated>
  <generator build="ca6bc6de37c2" version="6.5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/ProxySSO-groups/_new" rel="create"/>
  <link href="/services/admin/ProxySSO-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

admin/ProxySSO-user-role-map

https://<host>:<mPort>/services/admin/ProxySSO-user-role-map

Access or create a user to role mapping.

Authentication and authorization
Requires the edit_user capability.

GET

Access user to role mappings.

Request parameters
None

Returned values

Name   Description
roles  Roles mapped to the user
title  User name

Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-user-role-map

XML Response

 ...
  <title>ProxySSO-user-role-map</title>
  <id>https://localhost:8089/services/admin/ProxySSO-user-role-map</id>
    ...
  <entry>
    <title>user1</title>
    <id>https://localhost:8089/services/admin/ProxySSO-user-role-map/user1</id>
    <updated>2016-08-31T18:00:28-07:00</updated>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
...
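
The GET responses from admin/ProxySSO-auth, admin/ProxySSO-groups and admin/ProxySSO-user-role-map share one nested s:dict / s:list layout, so a single parser can turn all three into a review of who receives which role. This is an added example, not Splunk code: parse_entries, audit and PRIVILEGED_ROLES are hypothetical names, the choice of privileged roles is an assumption, and the sample feeds are constructed and shortened.

```python
import xml.etree.ElementTree as ET

# Namespaces as declared on the <feed> element of splunkd responses.
NS = {"atom": "http://www.w3.org/2005/Atom",
      "s": "http://dev.splunk.com/ns/rest"}
S = "{%s}" % NS["s"]

# Assumption: which roles count as privileged is a local policy decision.
PRIVILEGED_ROLES = frozenset({"admin"})


def _value(node):
    """Convert an <s:key>, <s:item> or <content> node to str, list or dict."""
    child = next(iter(node), None)
    if child is not None and child.tag == S + "dict":
        return {k.get("name"): _value(k) for k in child.findall("s:key", NS)}
    if child is not None and child.tag == S + "list":
        return [_value(i) for i in child.findall("s:item", NS)]
    return (node.text or "").strip()


def parse_entries(feed_xml):
    """Return {entry title: content as dict} for one Atom feed."""
    root = ET.fromstring(feed_xml)
    entries = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", default="", namespaces=NS)
        content = entry.find("atom:content", NS)
        value = _value(content) if content is not None else {}
        entries[title] = value if isinstance(value, dict) else {}
    return entries


def audit(auth_xml, groups_xml, users_xml, privileged=PRIVILEGED_ROLES):
    """Return sorted (object, finding) tuples for the three ProxySSO feeds."""
    findings = []
    for name, cfg in parse_entries(auth_xml).items():
        if cfg.get("disabled") == "1":
            findings.append(("auth:" + name, "configuration is disabled"))
        default_role = cfg.get("defaultRoleIfMissing", "")
        if default_role in privileged:
            findings.append(("auth:" + name,
                             "unmapped users default to " + default_role))
    for kind, xml_text in (("group", groups_xml), ("user", users_xml)):
        for name, cfg in parse_entries(xml_text).items():
            for role in sorted(set(cfg.get("roles", [])) & privileged):
                findings.append((kind + ":" + name, "mapped to " + role))
    return sorted(findings)


# Constructed sample feeds (shortened; not captured from a real server).
_HEAD = ('<feed xmlns="http://www.w3.org/2005/Atom" '
         'xmlns:s="http://dev.splunk.com/ns/rest">')

SAMPLE_AUTH = _HEAD + """
  <entry>
    <title>my_proxy</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blacklistedAutoMappedRoles">role1</s:key>
        <s:key name="defaultRoleIfMissing">admin</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="write">
                  <s:list><s:item>admin</s:item></s:list>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

SAMPLE_GROUPS = _HEAD + """
  <entry><title>group1</title><content type="text/xml"><s:dict>
    <s:key name="roles"><s:list><s:item>power</s:item></s:list></s:key>
  </s:dict></content></entry>
  <entry><title>ops</title><content type="text/xml"><s:dict>
    <s:key name="roles"><s:list>
      <s:item>user</s:item><s:item>admin</s:item>
    </s:list></s:key>
  </s:dict></content></entry>
</feed>"""

SAMPLE_USERS = _HEAD + """
  <entry><title>user1</title><content type="text/xml"><s:dict>
    <s:key name="roles"><s:list><s:item>power</s:item></s:list></s:key>
  </s:dict></content></entry>
</feed>"""

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_AUTH, SAMPLE_GROUPS, SAMPLE_USERS):
        print(obj + ": " + finding)
```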


POST

Create a user to role mapping.

Changes are written to the etc/system/local directory.

Note: User to role mappings cannot be updated.


Request parameters

Name   Type            Description
name   User name       Specify a user to map to specific roles
roles  User role name  Specify a role to map to the user. Use a separate roles parameter for each role that you are mapping.

Returned values
None

XML Request

curl -k -u admin:changed -X POST https://localhost:8089/services/admin/ProxySSO-user-role-map -d name=user1  -d roles=power

XML Response

  <title>ProxySSO-user-role-map</title>
  <id>https://wimpy:7102/services/admin/ProxySSO-user-role-map</id>
   ...
  <entry>
    <title>user1</title>
    <id>https://wimpy:7102/services/admin/ProxySSO-user-role-map/user1</id>
    <updated>2016-08-31T17:57:53-07:00</updated>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
...

admin/ProxySSO-user-role-map/{user_name}

https://<host>:<mPort>/services/admin/ProxySSO-user-role-map/{user_name} 

Access or delete a user to role mapping.

Authentication and authorization
Requires the edit_user capability.

GET

Access role mappings for the {user_name} user.

Request parameters
None

Returned values

Name   Description
roles  Roles mapped to the {user_name} user.

Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/admin/ProxySSO-user-role-map/user1

XML Response

  <title>ProxySSO-user-role-map</title>
  <id>https://wimpy:7102/services/admin/ProxySSO-user-role-map</id>
  <updated>2016-08-31T18:13:01-07:00</updated>
  ...
  <entry>
    <title>user1</title>
    <id>https://localhost:8089/services/admin/ProxySSO-user-role-map/user1</id>
    <updated>2016-08-31T18:13:01-07:00</updated>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
...



DELETE

Delete the {user_name} user-to-role mapping.

Changes are written to the etc/system/local directory.

Request parameters
None

Returned values
The response lists the remaining user-to-role mappings.


Example request and response

XML Request

curl -k -u admin:changed -X DELETE https://localhost:8089/services/admin/ProxySSO-user-role-map/user2

XML Response

  <title>ProxySSO-user-role-map</title>
  <id>https://localhost:8089/services/admin/ProxySSO-user-role-map</id>
  ...
  <entry>
    <title>user1</title>
    <id>https://localhost:8089/services/admin/ProxySSO-user-role-map/user1</id>
    <updated>2016-08-31T18:11:02-07:00</updated>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="list"/>
    <link href="/services/admin/ProxySSO-user-role-map/user1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>



SAML REST API usage details

Splunk Enterprise users can configure SAML authentication for single sign-on (SSO). If you are using Splunk Cloud Platform, contact Support to request assistance.

You can use the REST API to perform the following SAML configuration tasks.

  • Manage group and user role mappings.
  • Access service and identity provider information.
  • Replicate SAML IdP certificates across a search head cluster.


For more information on using SAML for SSO, see Authentication using single sign-on with SAML in Securing Splunk Enterprise. You can also review the SAML settings stanza in authentication.conf in the Admin Manual.


admin/replicate-SAML-certs

https://<host>:<mPort>/services/admin/replicate-SAML-certs

Replicate SAML IdP certificates across a search head cluster.

Note: This endpoint is only available for use on search head clustered deployments with KV Store enabled.

Authentication and authorization
Requires the change_authentication capability for access.


POST

Usage details
After editing SAML IdP certificate files in $SPLUNK_HOME/etc/auth/idpCerts on one node in the cluster, you can POST to /replicate-SAML-certs to replicate the certificates across the cluster. This can be useful if there is an error in the certificate files from /SAML-idp-metadata and you need to edit them manually.

There are no request parameters or returned values.


admin/SAML-groups

https://<host>:<mPort>/services/admin/SAML-groups

Manage the mapping of external groups in an IdP response to internal Splunk roles.

Authentication and authorization
Requires the change_authentication capability for all operations.


GET

Access internal roles for this external group.


Request parameters
None.

Response keys

Name Description
roles Corresponding internal role for the external group.


Example request and response


XML Request

curl -k -u admin:password https://localhost:8089/services/admin/SAML-groups

XML Response

  <title>SAML-groups</title>
  <id>https://localhost:8089/services/admin/SAML-groups</id>
  <updated>2015-11-07T18:00:05-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b544" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-groups/_new" rel="create"/>
  <link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>4</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>admin</title>
    <id>https://localhost:8089/services/admin/SAML-groups/admin</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/admin" rel="list"/>
    <link href="/services/admin/SAML-groups/admin" rel="edit"/>
    <link href="/services/admin/SAML-groups/admin" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>sc_admin</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>employee</title>
    <id>https://localhost:8089/services/admin/SAML-groups/employee</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/employee" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/employee" rel="list"/>
    <link href="/services/admin/SAML-groups/employee" rel="edit"/>
    <link href="/services/admin/SAML-groups/employee" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>power admin</title>
    <id>https://localhost:8089/services/admin/SAML-groups/power%20admin</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/power%20admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/power%20admin" rel="list"/>
    <link href="/services/admin/SAML-groups/power%20admin" rel="edit"/>
    <link href="/services/admin/SAML-groups/power%20admin" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>user admin</title>
    <id>https://localhost:8089/services/admin/SAML-groups/user%20admin</id>
    <updated>2015-11-07T18:00:05-08:00</updated>
    <link href="/services/admin/SAML-groups/user%20admin" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-groups/user%20admin" rel="list"/>
    <link href="/services/admin/SAML-groups/user%20admin" rel="edit"/>
    <link href="/services/admin/SAML-groups/user%20admin" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
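
The following Python code is an added example, not part of the Splunk documentation: it parses a feed shaped like the SAML-groups response above (the user-role-map responses use the same entry/roles layout), lists which external names map to privileged roles, and reports drift from an approved baseline. The function names, the PRIVILEGED_ROLES set and the trimmed sample feed are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces as declared on the <feed> element of these REST responses.
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "s": "http://dev.splunk.com/ns/rest",
}

# Assumption: roles this audit treats as privileged. Adjust to local policy.
PRIVILEGED_ROLES = frozenset({"admin", "sc_admin"})

# Constructed sample feed, trimmed to the elements the audit reads.
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>SAML-groups</title>
  <entry>
    <title>admin</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="roles"><s:list><s:item>sc_admin</s:item></s:list></s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>employee</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="roles"><s:list><s:item>user</s:item></s:list></s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>power admin</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="roles"><s:list><s:item>power</s:item></s:list></s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_role_mappings(feed_xml):
    """Return {entry title: [mapped roles]} for every <entry> in the feed."""
    root = ET.fromstring(feed_xml)
    mappings = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", default="", namespaces=NS)
        top = entry.find("atom:content/s:dict", NS)
        roles = []
        if top is not None:
            # Direct children only: the eai:acl perms lists also hold role
            # names, so a recursive search for s:item would mix the ACL on
            # the mapping object into the roles the mapping grants.
            for key in top.findall("s:key", NS):
                if key.get("name") == "roles":
                    roles = [i.text or "" for i in key.findall("s:list/s:item", NS)]
        mappings[title] = roles
    return mappings


def privileged_mappings(mappings, privileged=PRIVILEGED_ROLES):
    """Return {name: sorted privileged roles} for mappings granting any."""
    flagged = {}
    for name, roles in mappings.items():
        hits = sorted(set(roles) & set(privileged))
        if hits:
            flagged[name] = hits
    return flagged


def drift_from_baseline(current, approved):
    """Return mappings that are new or whose role set differs from approved."""
    return {
        name: roles
        for name, roles in current.items()
        if name not in approved or set(roles) != set(approved[name])
    }


if __name__ == "__main__":
    current = parse_role_mappings(SAMPLE_FEED)
    print("privileged:", privileged_mappings(current))
    approved = {"admin": ["sc_admin"], "employee": ["user"]}
    print("drift:", drift_from_baseline(current, approved))
```
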


POST

Convert an external group to internal roles.


Request parameters

Name Type Description
name String External group name.
roles String Equivalent internal role for the group.

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/admin/SAML-groups -d name=Splunk -d roles=user

XML Response

  <title>SAML-groups</title>
  <id>https://localhost:8089/services/admin/SAML-groups</id>
  <updated>2015-11-07T18:04:56-08:00</updated>
  <generator build="05ee6658a1d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-groups/_new" rel="create"/>
  <link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

admin/SAML-groups/{group_name}

https://<host>:<mPort>/services/admin/SAML-groups/{group_name}

Delete the {group_name} group.

Authentication and authorization
Requires the change_authentication capability for all operations.


DELETE

Delete the {group_name} group.

Request parameters
None

Response keys
None

Example request and response

XML Request

curl -k -u admin:password --request DELETE https://localhost:8089/services/admin/SAML-groups/group_to_delete

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>SAML-groups</title>
  <id>https://localhost:8089/services/admin/SAML-groups</id>
  <updated>2015-11-07T18:04:25-08:00</updated>
  <generator build="05ee6658a12a17d11f47133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-groups/_new" rel="create"/>
  <link href="/services/admin/SAML-groups/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

admin/SAML-idp-metadata

https://<host>:<mPort>/services/admin/SAML-idp-metadata

Access IdP SAML metadata attributes.


Authentication and authorization
Requires the change_authentication capability for all operations.


GET

Access SAML user and role information for saved searches.

Request parameters

Name Type Description
idpMetadataFile File path. See description. Full path of the metadata file location. The file should be local to the splunkd server.

Response keys

Name Description
idpMetadataPayload SAML IdP metadata in XML format.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/admin/SAML-idp-metadata

XML Response

  <title>SAML-idp-metadata</title>
  <id>https://localhost:8089/services/admin/SAML-idp-metadata</id>
  <updated>2015-11-07T18:34:07-08:00</updated>
  <generator build="05ee6658a12a17d11f47076h3453ffdd50ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-idp-metadata/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>idpMetadataPayload</title>
    <id>https://localhost:8089/services/admin/SAML-idp-metadata/idpMetadataPayload</id>
    <updated>2015-11-07T18:34:07-08:00</updated>
    <link href="/services/admin/SAML-idp-metadata/idpMetadataPayload" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-idp-metadata/idpMetadataPayload" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="idpCertificatePayload"><![CDATA[...]]></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpSLOUrl">https://test.example.com/app/example/exk4nkqqsypk32FMF0h7/slo/saml</s:key>
            <s:key name="idpSSOUrl">https://test.example.com/app/example/exk4nkqqsypk32FMF0h7/sso/saml</s:key>
          </s:dict>
        </s:key>
        <s:key name="signAuthnRequest">1</s:key>
      </s:dict>
    </content>
  </entry>

admin/SAML-sp-metadata

https://<host>:<mPort>/services/admin/SAML-sp-metadata

Access service provider SAML metadata attributes.


Authentication and authorization
Requires the change_authentication capability for all operations.


GET

Access SAML metadata attributes.

Request parameters
None.

Response keys

Name Description
spMetadataPayload SAML service provider metadata in XML format.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/admin/SAML-sp-metadata

XML Response


  <title>SAML-sp-metadata</title>
  <id>https://localhost:8089/services/admin/SAML-sp-metadata</id>
  <updated>2015-12-16T13:47:39-08:00</updated>
  <generator build="d48f9f793521" version="6.4.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-sp-metadata/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>spMetadata</title>
    <id>https://localhost:8089/services/admin/SAML-sp-metadata/spMetadata</id>
    <updated>2015-12-16T13:47:39-08:00</updated>
    <link href="/services/admin/SAML-sp-metadata/spMetadata" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-sp-metadata/spMetadata" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="spMetadata"><![CDATA[<md:EntityDescriptor entityID="splunkEntityId"  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"  AuthnRequestsSigned="true"  WantAssertionsSigned="true">  <md:KeyDescriptor>  <ds:KeyInfo>  <ds:X509Data>  <ds:X509Certificate>
...
</ds:X509Certificate>  </ds:X509Data>  </ds:KeyInfo>  </md:KeyDescriptor>  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> <md:SingleLogoutService  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  Location="http://example-unix-58667/saml/logout"  index="0">  </md:SingleLogoutService>  <md:AssertionConsumerService  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  Location="http://example-unix-58667/saml/acs"  index="0">  </md:AssertionConsumerService>  </md:SPSSODescriptor> </md:EntityDescriptor> ]]></s:key>
      </s:dict>
    </content>
  </entry>
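
The spMetadata value in the response above is itself a SAML metadata document wrapped in CDATA. The following Python code is an added example, not part of the Splunk documentation: it extracts that payload from the feed and checks the signing attributes and endpoint URL schemes. The function names, the policy (both signing flags true, endpoints on https) and the sample feed are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "s": "http://dev.splunk.com/ns/rest",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample: same layout as the SAML-sp-metadata response, with the
# certificate omitted and one signing flag deliberately set to false.
SAMPLE_SP_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>SAML-sp-metadata</title>
  <entry>
    <title>spMetadata</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="spMetadata"><![CDATA[<md:EntityDescriptor entityID="splunkEntityId"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="false">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://splunk.example.test/saml/logout" index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://splunk.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>]]></s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def extract_sp_metadata(feed_xml):
    """Return the SAML metadata document carried in the spMetadata key."""
    root = ET.fromstring(feed_xml)
    for key in root.findall("atom:entry/atom:content/s:dict/s:key", NS):
        # Key name as it appears in the example response.
        if key.get("name") == "spMetadata":
            return (key.text or "").strip()
    raise ValueError("feed has no spMetadata key")


def audit_sp_metadata(metadata_xml):
    """Return a list of findings; an empty list means the checks passed."""
    entity = ET.fromstring(metadata_xml)
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]
    findings = []
    # xsd:boolean allows "true" or "1"; a missing attribute counts as false.
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr, "false").strip().lower() not in ("true", "1"):
            findings.append(f"{attr} is not true")
    # Assumed policy: endpoints that receive SAML messages must use https.
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for svc in sp.findall(f"md:{tag}", NS):
            location = svc.get("Location", "")
            if urlparse(location).scheme != "https":
                findings.append(f"{tag} Location is not https: {location}")
    return findings


if __name__ == "__main__":
    for finding in audit_sp_metadata(extract_sp_metadata(SAMPLE_SP_FEED)):
        print(finding)
```
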

admin/SAML-user-role-map

https://<host>:<mPort>/services/admin/SAML-user-role-map

Description

Access or create SAML user and role information for saved searches if your IdP does not support Attribute Query Requests. To delete a username, see admin/SAML-user-role-map/{name}.

Authentication and authorization
Requires the edit_user capability for all operations.


GET

Access SAML user and role information for saved searches.

Request parameters

None.

Response keys

Name Description
name SAML username for running saved searches.
roles Assigned roles for this user.

Example request and response

XML Request

curl -k -u admin:password https://localhost:8089/services/admin/SAML-user-role-map

XML Response

  <title>SAML-user-role-map</title>
  <id>https://localhost:8089/services/admin/SAML-user-role-map</id>
  <updated>2015-11-07T17:34:12-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
  <link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>samluser001@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser001%40example.com</id>
    <updated>2015-11-07T17:34:12-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="email">samluser001@example.com</s:key>
        <s:key name="realname">Firstname Lastname001</s:key>
        <s:key name="roles">
          <s:list>
            <s:item>sc_admin</s:item>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser002@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser002%40example.com</id>
    <updated>2015-11-07T17:34:12-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="email">samluser002@example.com</s:key>
        <s:key name="realname">Firstname Lastname002</s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser003@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser003%40example.com</id>
    <updated>2015-11-07T17:34:12-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="email">samluser003@example.com</s:key>
        <s:key name="realname">Firstname Lastname003</s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>

POST

Update SAML user and role information for saved searches.

Request parameters

Name Type Description
name String SAML username for running saved searches.
roles String Assigned roles for this user.

Response keys

Name Description
name SAML username for running saved searches.
roles Assigned roles for this user.


Example request and response


XML Request

curl -k -u admin:password https://localhost:8089/services/admin/SAML-user-role-map -d name=samluser004@example.foo -d roles=user

XML Response

  <title>SAML-user-role-map</title>
  <id>https://localhost:8089/services/admin/SAML-user-role-map</id>
  <updated>2015-11-07T17:45:54-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
  <link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>samluser004@example.foo</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser004%40example.foo</id>
    <updated>2015-11-07T17:45:54-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser004%40example.foo" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>


DELETE

See admin/SAML-user-role-map/{name}


admin/SAML-user-role-map/{name}

https://<host>:<mPort>/services/admin/SAML-user-role-map/{name}

Delete SAML user and role information for saved searches if your IdP does not support Attribute Query Requests.

Authentication and authorization
Requires edit_user capability for all operations.


DELETE

Remove a username from SAML users for saved searches.

Request parameters

None.

Response keys

Name Description
name SAML username for running saved searches.
roles Assigned roles for this user.

Example request and response


XML Request

curl -k -u admin:password --request DELETE https://localhost:8089/services/admin/SAML-user-role-map/samluser004@example.com

XML Response

 <title>SAML-user-role-map</title>
  <id>https://localhost:8089/services/admin/SAML-user-role-map</id>
  <updated>2015-11-07T17:46:26-08:00</updated>
  <generator build="05ee6658a12a17d11f47076b549133a47050ca24" version="20151021"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/admin/SAML-user-role-map/_new" rel="create"/>
  <link href="/services/admin/SAML-user-role-map/_acl" rel="_acl"/>
  <opensearch:totalResults>3</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>samluser001@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser001%40example.com</id>
    <updated>2015-11-07T17:46:26-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser001%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>sc_admin</s:item>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser002@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser002%40example.com</id>
    <updated>2015-11-07T17:46:26-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser002%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>power</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>samluser003@example.com</title>
    <id>https://localhost:8089/services/admin/SAML-user-role-map/samluser003%40example.com</id>
    <updated>2015-11-07T17:46:26-08:00</updated>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="list"/>
    <link href="/services/admin/SAML-user-role-map/samluser003%40example.com" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>_spl_cloud</s:item>
                    <s:item>_spl_cloud_user</s:item>
                    <s:item>admin</s:item>
                    <s:item>sc_admin</s:item>
                    <s:item>spl_cloud_user</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="roles">
          <s:list>
            <s:item>user</s:item>
          </s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>

authentication/providers/SAML

https://<host>:<mPort>/services/authentication/providers/SAML

Access and create SAML configurations.

Authentication and authorization
Requires change_authentication capability for all operations.


GET

Access SAML configurations.

Request parameters
None.

Response keys

Name Description
allowSslCompression Indicates whether ssl data compression is enabled.
assertionConsumerServiceUrl Endpoint where SAML assertions are posted by the IdP.
attributeAliasMail Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'.
attributeAliasRealName Specifies which SAML attribute maps to 'realName'. Defaults to realName.
attributeAliasRole Specifies which SAML attribute maps to role. Defaults to role.
attributeQueryRequestSigned Indicates whether Attribute Queries should be signed.
attributeQueryResponseSigned Indicates whether Attribute Query responses should be signed.
attributeQuerySoapPassword Credentials for making Attribute Query using SOAP over HTTP.
attributeQuerySoapUsername Credentials for making Attribute Query using SOAP over HTTP.
attributeQueryTTL ttl (time to live) for the Attribute Query credentials cache.
blacklistedAutoMappedRoles Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response.
blacklistedUsers Comma separated list of user names from the IDP response to be blacklisted by Splunk software.
caCertFile File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem
cipherSuite Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
defaultRoleIfMissing Default role to use if no role is returned in a SAML response.
ecdhCurves EC curves for ECDH/ECDHE key exchange - ssl setting.
entityId Unique id preconfigured by the IdP.
errorUrl URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or Splunk deployment.
errorUrlLabel Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error."
fqdn Load balancer url.
idpAttributeQueryUrl IdP attribute query url where SAML attribute queries are sent.
idpCertPath Path for IdP certificate.
idpSLOUrl IdP SLO url where SAML SLO requests are sent.
idpSSOUrl IdP SSO url where SAML SSO requests are sent.
maxAttributeQueryQueueSize Maximum number of Attribute jobs to queue.
maxAttributeQueryThreads Maximum number of threads for asynchronous Attribute Queries.
name Configuration stanza name.
nameIdFormat Specifies how the subject is identified in the SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
redirectAfterLogoutToUrl Redirect URL after user logout if no SLO URL is configured.
redirectPort Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The assertionConsumerServiceUrl in the AuthNRequest uses the set port instead of the splunkweb port. To prevent any port information being appended to the assertionConsumerServiceUrl, set to 0.
signAuthnRequest Indicates whether to sign authentication requests.
signatureAlgorithm Applicable only for redirect binding. Indicates the signature algorithm used for an SP-initiated SAML request when signAuthnRequest is set to true.

Possible values are:

  • RSA-SHA1 (default)
    • corresponds to http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • RSA-SHA256
    • corresponds to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signedAssertion Indicates whether to sign SAML assertions.
singleLogoutServiceUrl URL where the IdP posts SAML Single Logout responses.
skipAttributeQueryRequestForUsers Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users.
sloBinding Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
spCertPath Service provider certificate path.
sslAltNameToCheck Alternate name to check in the peer certificate.
sslCommonNameToCheck Common name to check in the peer certificate.
sslKeysfile Location of service provider private key.
sslKeysfilePassword SSL password.
sslVerifyServerCert Indicates whether to verify peer certificate.
sslVersions SSL versions.
ssoBinding Binding used when making a SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
uiStatusPage Splunk Web page for redirecting users in case of errors.


Example request and response

XML Request

curl -u admin:pass -k -X GET  https://localhost:8089/services/authentication/providers/SAML

XML Response

  <title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2017-04-10T23:27:22+00:00</updated>
  <generator build="a8914247a786" version="6.5.1612"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml-test</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
    <updated>2017-04-10T23:27:22+00:00</updated>
    <link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
    <link href="/services/authentication/providers/SAML/saml-test/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername">test_ping</s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
        <s:key name="cipherSuite"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">saml-test-entity</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">http://so1</s:key>
        <s:key name="idpCertChains">
          <s:list/>
        </s:key>
        <s:key name="idpCertPath"></s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
            <s:key name="idpSLOUrl"></s:key>
            <s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
            <s:key name="issuerId"></s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
        <s:key name="redirectPort">12800</s:key>
        <s:key name="replicateCertificates">1</s:key>
        <s:key name="signAuthnRequest">1</s:key>
        <s:key name="signatureAlgorithm">
          <s:dict>
            <s:key name="name">RSA-SHA1</s:key>
            <s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
          </s:dict>
        </s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="sloBinding">HTTPPost</s:key>
        <s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="ssoBinding">HTTPPost</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>
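
The response above can be checked mechanically. The following Python is an added example, not part of the Splunk documentation: it parses a GET response for this endpoint and flags the transport and signing settings that weaken the SAML trust path. The `<feed>` wrapper with its namespace URIs, the function names, and the choice of checks are assumptions; the sample values are a subset of the example response.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces of the full Atom feed; the response above omits its <feed> root.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample: a subset of the keys and values from the example response.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>saml-test</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
            <s:key name="idpSLOUrl"></s:key>
            <s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
          </s:dict>
        </s:key>
        <s:key name="signAuthnRequest">1</s:key>
        <s:key name="signatureAlgorithm">
          <s:dict>
            <s:key name="name">RSA-SHA1</s:key>
            <s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
          </s:dict>
        </s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

# Only the literal version names shown on this page are recognised (assumption).
WEAK_PROTOCOLS = {"ssl2", "ssl3", "tls1.0", "tls1.1"}
SIGNING_KEYS = ("signAuthnRequest", "signedAssertion",
                "attributeQueryRequestSigned", "attributeQueryResponseSigned")
URL_KEYS = ("assertionConsumerServiceUrl", "singleLogoutServiceUrl")


def _value(el):
    """Convert an element holding <s:dict>, <s:list> or text into dict, list or str."""
    d = el.find("s:dict", NS)
    if d is not None:
        return {k.get("name"): _value(k) for k in d.findall("s:key", NS)}
    lst = el.find("s:list", NS)
    if lst is not None:
        return [_value(i) for i in lst.findall("s:item", NS)]
    return (el.text or "").strip()


def parse_stanzas(feed_xml):
    """Return {stanza name: settings dict} for every <entry> in the feed."""
    root = ET.fromstring(feed_xml)
    stanzas = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", default="", namespaces=NS)
        content = entry.find("atom:content", NS)
        stanzas[title] = _value(content) if content is not None else {}
    return stanzas


def _enabled(value):
    return str(value).strip().lower() in ("1", "true")


def audit(settings):
    """Return a list of (key, finding) tuples for one SAML stanza."""
    def off(key):
        # Judge only keys the response returned; a missing key is not a finding.
        return key in settings and not _enabled(settings[key])

    findings = []
    if off("sslVerifyServerCert"):
        findings.append(("sslVerifyServerCert", "peer certificate is not verified"))
    if _enabled(settings.get("allowSslCompression", "")):
        findings.append(("allowSslCompression", "TLS compression is enabled"))
    weak = [v.strip() for v in str(settings.get("sslVersions", "")).split(",")
            if v.strip().lower() in WEAK_PROTOCOLS]
    if weak:
        findings.append(("sslVersions", "legacy protocols allowed: " + ",".join(weak)))
    alg = settings.get("signatureAlgorithm")
    name = alg.get("name", "") if isinstance(alg, dict) else str(alg or "")
    if name.upper() == "RSA-SHA1":
        findings.append(("signatureAlgorithm", "SHA-1 signatures; RSA-SHA256 is available"))
    for key in SIGNING_KEYS:
        if off(key):
            findings.append((key, "signing is disabled"))
    urls = {k: settings[k] for k in URL_KEYS if k in settings}
    endpoints = settings.get("protocol_endpoints")
    if isinstance(endpoints, dict):
        urls.update(endpoints)
    for key, url in urls.items():
        if str(url).lower().startswith("http://"):
            findings.append((key, "cleartext HTTP endpoint: " + url))
    return findings


if __name__ == "__main__":
    for stanza, cfg in parse_stanzas(SAMPLE_FEED).items():
        for key, finding in audit(cfg):
            print(f"[{stanza}] {key}: {finding}")
```

To run it against a live deployment, save the body of the GET request shown above to a file and pass its contents to `parse_stanzas`.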

POST

Create a new SAML configuration.

Request parameters

Name Description
allowSslCompression Indicates whether ssl data compression is enabled.
attributeAliasMail Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'.
attributeAliasRealName Specifies which SAML attribute maps to 'realName'. Defaults to realName.
attributeAliasRole Specifies which SAML attribute maps to role. Defaults to role.
attributeQueryRequestSigned Indicates whether Attribute Queries should be signed.
attributeQueryResponseSigned Indicates whether Attribute Query responses should be signed.
attributeQuerySoapPassword Credentials for making Attribute Query using SOAP over HTTP.
attributeQuerySoapUsername Credentials for making Attribute Query using SOAP over HTTP.
attributeQueryTTL ttl (time to live) for the Attribute Query credentials cache.
blacklistedAutoMappedRoles Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response.
blacklistedUsers Comma separated list of user names from the IDP response to be blacklisted by Splunk software.
caCertFile File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem
cipherSuite Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
defaultRoleIfMissing Default role to use if no role is returned in a SAML response.
ecdhCurves EC curves for ECDH/ECDHE key exchange - ssl setting.
entityId Required. Unique id preconfigured by the IdP.
errorUrl URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or the Splunk deployment.
errorUrlLabel Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error."
fqdn Load balancer url.
idpAttributeQueryUrl IdP attribute query url where SAML attribute queries are sent.
idpCertPath Path for IdP certificate.
idpMetadataFile Full path to idpMetadata on disk. Used to retrieve IdP information such as idpSLOUrl, idpSSOUrl, and signing certificate.
idpSLOUrl IdP SLO url where SAML SLO requests are sent.
idpSSOUrl Required. IdP SSO url where SAML SSO requests are sent.
name Required. Configuration stanza name.
nameIdFormat Specifies how the subject is identified in the SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Override it when using Azure AD as an IDP and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
redirectAfterLogoutToUrl Redirect URL after user logout if no SLO URL is configured.
redirectPort Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The assertionConsumerServiceUrl in the AuthNRequest uses the set port instead of the splunkweb port. To prevent any port information being appended to the assertionConsumerServiceUrl, set to 0.
signAuthnRequest Indicates whether to sign authentication requests.
signatureAlgorithm Applicable only for redirect binding. Indicates the signature algorithm used for an SP-initiated SAML request when signAuthnRequest is set to true.

Possible values are:

  • RSA-SHA1 (default)
    • corresponds to http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • RSA-SHA256
    • corresponds to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signedAssertion Indicates whether to sign SAML assertions.
skipAttributeQueryRequestForUsers Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users.
sloBinding Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
sslAltNameToCheck Alternate name to check in the peer certificate.
sslCommonNameToCheck Common name to check in the peer certificate.
sslKeysfile Location of service provider private key.
sslKeysfilePassword SSL password.
sslVerifyServerCert Indicates whether to verify peer certificate.
sslVersions SSL versions.
ssoBinding Binding used when making a SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.


Response keys
None.


Example request and response


XML Request

curl -k -u admin:changed https://localhost:8089/services/authentication/providers/SAML -d "name=saml-test" -d "idpSSOUrl=https://saml-idp:9999/idp/SSO.saml2" -d "idpAttributeQueryUrl=https://saml-idp:9999/idp/attrsvc.ssaml2" -d "entityId=saml-test-entity" -d "attributeQuerySoapPassword=splunk" -d "attributeQuerySoapUsername=test_ping"

XML Response

  <title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2017-04-10T23:26:35+00:00</updated>
  <generator build="a8914247a786" version="6.5.1612"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml-test</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
    <updated>2017-04-10T23:26:35+00:00</updated>
    <link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername">test_ping</s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
        <s:key name="cipherSuite"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">saml-test-entity</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">http://so1</s:key>
        <s:key name="idpCertChains">
          <s:list/>
        </s:key>
        <s:key name="idpCertPath"></s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
            <s:key name="idpSLOUrl"></s:key>
            <s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
            <s:key name="issuerId"></s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
        <s:key name="redirectPort">12800</s:key>
        <s:key name="replicateCertificates">1</s:key>
        <s:key name="signAuthnRequest">1</s:key>
        <s:key name="signatureAlgorithm">
          <s:dict>
            <s:key name="name">RSA-SHA1</s:key>
            <s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
          </s:dict>
        </s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="sloBinding">HTTPPost</s:key>
        <s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="ssoBinding">HTTPPost</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>


authentication/providers/SAML/{stanza_name}

https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}


GET

Access a SAML configuration.

Request parameters
None.

Response keys

Name Description
allowSslCompression Indicates whether ssl data compression is enabled.
assertionConsumerServiceUrl Endpoint where SAML assertions are posted by the IdP.
attributeAliasMail Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'.
attributeAliasRealName Specifies which SAML attribute maps to 'realName'. Defaults to realName.
attributeAliasRole Specifies which SAML attribute maps to role. Defaults to role.
attributeQueryRequestSigned Indicates whether Attribute Queries should be signed.
attributeQueryResponseSigned Indicates whether Attribute Query responses should be signed.
attributeQuerySoapPassword Credentials for making Attribute Query using SOAP over HTTP.
attributeQuerySoapUsername Credentials for making Attribute Query using SOAP over HTTP.
attributeQueryTTL ttl (time to live) for the Attribute Query credentials cache.
blacklistedAutoMappedRoles Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response.
blacklistedUsers Comma separated list of user names from the IDP response to be blacklisted by Splunk software.
caCertFile File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem
cipherSuite Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
defaultRoleIfMissing Default role to use if no role is returned in a SAML response.
ecdhCurves EC curves for ECDH/ECDHE key exchange - ssl setting.
entityId Unique id preconfigured by the IdP.
errorUrl URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or Splunk deployment.
errorUrlLabel Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error."
fqdn Load balancer url.
idpAttributeQueryUrl IdP attribute query url where SAML attribute queries are sent.
idpCertPath Path for IdP certificate.
idpSLOUrl IdP SLO url where SAML SLO requests are sent.
idpSSOUrl IdP SSO url where SAML SSO requests are sent.
maxAttributeQueryQueueSize Maximum number of Attribute jobs to queue.
maxAttributeQueryThreads Maximum number of threads for asynchronous Attribute Queries.
name Configuration stanza name.
nameIdFormat Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified; when using Azure AD as an IDP, override it and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
redirectAfterLogoutToUrl Redirect URL after user logout if no SLO URL is configured.
redirectPort Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The assertionConsumerServiceUrl in the AuthNRequest uses the set port instead of the splunkweb port. To prevent any port information being appended to the assertionConsumerServiceUrl, set to 0.

signAuthnRequest Indicates whether to sign authentication requests.
signatureAlgorithm Applicable only for redirect binding. Indicates the signature algorithm used for an SP-initiated SAML request when signAuthnRequest is set to true.

Possible values are:

  • RSA-SHA1 (default)
    • corresponds to http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • RSA-SHA256
    • corresponds to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signedAssertion Indicates whether to sign SAML assertions.
singleLogoutServiceUrl URL where the IdP posts SAML Single Logout responses.
skipAttributeQueryRequestForUsers Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users.
sloBinding Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
spCertPath Service provider certificate path.
sslAltNameToCheck Alternate name to check in the peer certificate.
sslCommonNameToCheck Common name to check in the peer certificate.
sslKeysfile Location of service provider private key.
sslKeysfilePassword SSL password.
sslVerifyServerCert Indicates whether to verify peer certificate.
sslVersions SSL versions.
ssoBinding Binding used when making an SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
uiStatusPage Splunk Web page for redirecting users in case of errors.


Example request and response

XML Request

 curl -k -u admin:password https://localhost:8089/services/authentication/providers/SAML/saml_settings

XML Response

<title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2017-04-10T23:29:58+00:00</updated>
  <generator build="a8914247a786" version="6.5.1612"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml-test</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
    <updated>2017-04-10T23:29:58+00:00</updated>
    <link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
    <link href="/services/authentication/providers/SAML/saml-test/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername">test_ping</s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
        <s:key name="cipherSuite"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>allowSslCompression</s:item>
                <s:item>attributeAliasMail</s:item>
                <s:item>attributeAliasRealName</s:item>
                <s:item>attributeAliasRole</s:item>
                <s:item>attributeQueryRequestSigned</s:item>
                <s:item>attributeQueryResponseSigned</s:item>
                <s:item>attributeQuerySoapPassword</s:item>
                <s:item>attributeQuerySoapUsername</s:item>
                <s:item>attributeQueryTTL</s:item>
                <s:item>blacklistedAutoMappedRoles</s:item>
                <s:item>blacklistedUsers</s:item>
                <s:item>caCertFile</s:item>
                <s:item>cipherSuite</s:item>
                <s:item>defaultRoleIfMissing</s:item>
                <s:item>ecdhCurveName</s:item>
                <s:item>ecdhCurves</s:item>
                <s:item>entityId</s:item>
                <s:item>errorUrl</s:item>
                <s:item>errorUrlLabel</s:item>
                <s:item>fqdn</s:item>
                <s:item>idpAttributeQueryUrl</s:item>
                <s:item>idpCertChains</s:item>
                <s:item>idpCertPath</s:item>
                <s:item>idpCertificatePayload</s:item>
                <s:item>idpMetadataFile</s:item>
                <s:item>idpMetadataPayload</s:item>
                <s:item>idpSLOUrl</s:item>
                <s:item>idpSSOUrl</s:item>
                <s:item>issuerId</s:item>
                <s:item>nameIdFormat</s:item>
                <s:item>redirectAfterLogoutToUrl</s:item>
                <s:item>redirectPort</s:item>
                <s:item>replicateCertificates</s:item>
                <s:item>signAuthnRequest</s:item>
                <s:item>signatureAlgorithm</s:item>
                <s:item>signedAssertion</s:item>
                <s:item>skipAttributeQueryRequestForUsers</s:item>
                <s:item>sloBinding</s:item>
                <s:item>sslAltNameToCheck</s:item>
                <s:item>sslCommonNameToCheck</s:item>
                <s:item>sslKeysfile</s:item>
                <s:item>sslKeysfilePassword</s:item>
                <s:item>sslVerifyServerCert</s:item>
                <s:item>sslVersions</s:item>
                <s:item>ssoBinding</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">saml-test-entity</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">http://so1</s:key>
        <s:key name="idpCertChains">
          <s:list/>
        </s:key>
        <s:key name="idpCertPath"></s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
            <s:key name="idpSLOUrl"></s:key>
            <s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
            <s:key name="issuerId"></s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
        <s:key name="redirectPort">12800</s:key>
        <s:key name="replicateCertificates">1</s:key>
        <s:key name="signAuthnRequest">1</s:key>
        <s:key name="signatureAlgorithm">
          <s:dict>
            <s:key name="name">RSA-SHA1</s:key>
            <s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
          </s:dict>
        </s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="sloBinding">HTTPPost</s:key>
        <s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="ssoBinding">HTTPPost</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>
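The response above can be checked mechanically for settings that weaken the SAML trust path. The following is an added example, not Splunk code: it parses the Atom/s:dict response and reports the values worth reviewing. The function names, the list of checks, and the <feed> root with namespace declarations wrapped around the constructed sample are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample: a subset of the keys from the response above, wrapped in
# the <feed> root and namespace declarations that the excerpt omits.
SAMPLE_RESPONSE = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>saml-test</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="signAuthnRequest">1</s:key>
        <s:key name="signatureAlgorithm">
          <s:dict>
            <s:key name="name">RSA-SHA1</s:key>
            <s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
          </s:dict>
        </s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

# Review policy chosen for this example (an assumption, not a Splunk default).
LEGACY_PROTOCOLS = {"ssl2", "ssl3", "tls1.0", "tls1.1"}
CLEARTEXT_URL_KEYS = ("assertionConsumerServiceUrl", "singleLogoutServiceUrl")
SIGNING_KEYS = ("signAuthnRequest", "signedAssertion",
                "attributeQueryRequestSigned", "attributeQueryResponseSigned")


def key_value(element):
    """Turn one <s:key> or <s:item> element into a str, list or dict."""
    nested_dict = element.find("s:dict", NS)
    if nested_dict is not None:
        return {k.get("name"): key_value(k) for k in nested_dict.findall("s:key", NS)}
    nested_list = element.find("s:list", NS)
    if nested_list is not None:
        return [key_value(item) for item in nested_list.findall("s:item", NS)]
    return (element.text or "").strip()


def parse_stanzas(xml_text):
    """Return {stanza name: settings dict} for every <entry> in the feed."""
    stanzas = {}
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        top = entry.find("atom:content/s:dict", NS)
        if top is None:
            continue
        name = entry.findtext("atom:title", default="", namespaces=NS)
        stanzas[name] = {k.get("name"): key_value(k) for k in top.findall("s:key", NS)}
    return stanzas


def is_enabled(value):
    """The endpoint reports booleans both as true/false and as 1/0."""
    return str(value).strip().lower() in {"1", "true"}


def audit_stanza(settings):
    """Return (key, reason) pairs for settings that deserve a review."""
    findings = []
    if "sslVerifyServerCert" in settings and not is_enabled(settings["sslVerifyServerCert"]):
        findings.append(("sslVerifyServerCert", "peer certificate is not verified"))
    # Handles the comma-separated form shown in the response above.
    versions = {v.strip().lower() for v in settings.get("sslVersions", "").split(",")}
    legacy = sorted(versions & LEGACY_PROTOCOLS)
    if legacy:
        findings.append(("sslVersions", "legacy protocols allowed: " + ", ".join(legacy)))
    if is_enabled(settings.get("allowSslCompression", "")):
        findings.append(("allowSslCompression", "TLS compression is enabled"))
    algo = settings.get("signatureAlgorithm", "")
    algo_name = algo.get("name", "") if isinstance(algo, dict) else algo
    if algo_name.upper() == "RSA-SHA1":
        findings.append(("signatureAlgorithm", "SHA-1 signature; RSA-SHA256 is available"))
    for key in SIGNING_KEYS:
        if key in settings and not is_enabled(settings[key]):
            findings.append((key, "signing is turned off"))
    for key in CLEARTEXT_URL_KEYS:
        if settings.get(key, "").lower().startswith("http://"):
            findings.append((key, "URL uses cleartext HTTP"))
    return findings


if __name__ == "__main__":
    for stanza, settings in parse_stanzas(SAMPLE_RESPONSE).items():
        for key, reason in audit_stanza(settings):
            print(f"{stanza}: {key}: {reason}")
```

To run it against a live deployment, pass the body returned by the GET request above to parse_stanzas instead of the constructed sample.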


POST

Update a SAML configuration.

Request parameters

Name Description
allowSslCompression Indicates whether ssl data compression is enabled.
attributeAliasMail Specifies which SAML attribute is mapped to 'email'. Defaults to 'email'.
attributeAliasRealName Specifies which SAML attribute maps to 'realName'. Defaults to realName.
attributeAliasRole Specifies which SAML attribute maps to role. Defaults to role.
attributeQueryRequestSigned Indicates whether Attribute Queries should be signed.
attributeQueryResponseSigned Indicates whether Attribute Query responses should be signed.
attributeQuerySoapPassword Credentials for making Attribute Query using SOAP over HTTP.
attributeQuerySoapUsername Credentials for making Attribute Query using SOAP over HTTP.
attributeQueryTTL ttl (time to live) for the Attribute Query credentials cache.
blacklistedAutoMappedRoles Comma separated list of Splunk roles that should be blacklisted from being auto-mapped from the IDP Response.
blacklistedUsers Comma separated list of user names from the IDP response to be blacklisted by Splunk software.
caCertFile File path for CA certificate. For example, /home/user123/saml-install/etc/auth/server.pem
cipherSuite Ciphersuite for making Attribute Queries using ssl. For example, TLSv1+HIGH:@STRENGTH.
defaultRoleIfMissing Default role to use if no role is returned in a SAML response.
ecdhCurves EC curves for ECDH/ECDHE key exchange - ssl setting.
entityId Required. Unique id preconfigured by the IdP.
errorUrl URL to display for a SAML error. Errors may be due to incorrect or incomplete configuration in either the IDP or the Splunk deployment.
errorUrlLabel Label or title of the content to which errorUrl points. Defaults to "Click here to resolve SAML error."
fqdn Load balancer url.
idpAttributeQueryUrl IdP attribute query url where SAML attribute queries are sent.
idpCertPath Path for IdP certificate.
idpSLOUrl IdP sso url where SAML SSO requests are sent.
idpSSOUrl Required. IdP SSO url where SAML SLO requests are sent.
name Required. Configuration stanza name.
nameIdFormat Specifies how subject is identified in SAML Assertion. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified; when using Azure AD as an IDP, override it and set it to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
redirectAfterLogoutToUrl Redirect URL after user logout if no SLO URL is configured.
redirectPort Port where SAML responses are sent. Typically, this is the web port. Set this port if internal port redirection is needed. The assertionConsumerServiceUrl in the AuthNRequest uses the set port instead of the splunkweb port. To prevent any port information being appended to the assertionConsumerServiceUrl, set to 0.

signAuthnRequest Indicates whether to sign authentication requests.
signatureAlgorithm Applicable only for redirect binding. Indicates the signature algorithm used for an SP-initiated SAML request when signAuthnRequest is set to true.

Possible values are:

  • RSA-SHA1 (default)
    • corresponds to http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • RSA-SHA256
    • corresponds to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
signedAssertion Indicates whether to sign SAML assertions.
skipAttributeQueryRequestForUsers Used in conjunction with defaultRoleIfMissing. Indicates whether to skip Attribute Queries for some users.
sloBinding Binding used when making a logout request or sending a logout response to complete the logout workflow. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.
sslAltNameToCheck Alternate name to check in the peer certificate.
sslCommonNameToCheck Common name to check in the peer certificate.
sslKeysfile Location of service provider private key.
sslKeysfilePassword SSL password.
sslVerifyServerCert Indicates whether to verify peer certificate.
sslVersions SSL versions.
ssoBinding Binding used when making an SP-initiated SAML request. Possible values are HTTPPost (default) and HTTPRedirect. This binding must match the binding configured on the IDP.

Response keys
None


Example request and response

XML Request

curl -k -u admin:changed https://localhost:8089/services/authentication/providers/SAML/saml-test -d "entityId=someOtherEntityId"

XML Response

 <title>SAML-auth</title>
  <id>https://localhost:8089/services/authentication/providers/SAML</id>
  <updated>2017-04-10T23:30:41+00:00</updated>
  <generator build="a8914247a786" version="6.5.1612"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authentication/providers/SAML/_new" rel="create"/>
  <link href="/services/authentication/providers/SAML/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>saml-test</title>
    <id>https://localhost:8089/services/authentication/providers/SAML/saml-test</id>
    <updated>2017-04-10T23:30:41+00:00</updated>
    <link href="/services/authentication/providers/SAML/saml-test" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authentication/providers/SAML/saml-test" rel="list"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="edit"/>
    <link href="/services/authentication/providers/SAML/saml-test" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="allowSslCompression">true</s:key>
        <s:key name="assertionConsumerServiceUrl">http://so1:12800/saml/acs</s:key>
        <s:key name="attributeQueryRequestSigned">1</s:key>
        <s:key name="attributeQueryResponseSigned">1</s:key>
        <s:key name="attributeQuerySoapPassword">******</s:key>
        <s:key name="attributeQuerySoapUsername">test_ping</s:key>
        <s:key name="attributeQueryTTL">3600</s:key>
        <s:key name="attribute_aliases"/>
        <s:key name="blacklistedAutoMappedRoles">
          <s:list/>
        </s:key>
        <s:key name="blacklistedUsers">
          <s:list/>
        </s:key>
        <s:key name="caCertFile">/opt/splunk/etc/auth/cacert.pem</s:key>
        <s:key name="cipherSuite"></s:key>
        <s:key name="defaultRoleIfMissing"></s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="ecdhCurves"></s:key>
        <s:key name="entityId">someOtherEntityId</s:key>
        <s:key name="errorUrl"></s:key>
        <s:key name="errorUrlLabel"></s:key>
        <s:key name="fqdn">http://so1</s:key>
        <s:key name="idpCertChains">
          <s:list/>
        </s:key>
        <s:key name="idpCertPath"></s:key>
        <s:key name="maxAttributeQueryQueueSize">100</s:key>
        <s:key name="maxAttributeQueryThreads">2</s:key>
        <s:key name="nameIdFormat"></s:key>
        <s:key name="protocol_endpoints">
          <s:dict>
            <s:key name="idpAttributeQueryUrl">https://saml-idp:9999/idp/attrsvc.ssaml2</s:key>
            <s:key name="idpSLOUrl"></s:key>
            <s:key name="idpSSOUrl">https://saml-idp:9999/idp/SSO.saml2</s:key>
            <s:key name="issuerId"></s:key>
          </s:dict>
        </s:key>
        <s:key name="redirectAfterLogoutToUrl">http://www.splunk.com</s:key>
        <s:key name="redirectPort">12800</s:key>
        <s:key name="replicateCertificates">1</s:key>
        <s:key name="signAuthnRequest">1</s:key>
        <s:key name="signatureAlgorithm">
          <s:dict>
            <s:key name="name">RSA-SHA1</s:key>
            <s:key name="uri">http://www.w3.org/2000/09/xmldsig#rsa-sha1</s:key>
          </s:dict>
        </s:key>
        <s:key name="signedAssertion">1</s:key>
        <s:key name="singleLogoutServiceUrl">http://so1:12800/saml/logout</s:key>
        <s:key name="skipAttributeQueryRequestForUsers">
          <s:list/>
        </s:key>
        <s:key name="sloBinding">HTTPPost</s:key>
        <s:key name="spCertPath">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslAltNameToCheck"></s:key>
        <s:key name="sslCommonNameToCheck"></s:key>
        <s:key name="sslKeysfile">/opt/splunk/etc/auth/server.pem</s:key>
        <s:key name="sslKeysfilePassword">******</s:key>
        <s:key name="sslVerifyServerCert">false</s:key>
        <s:key name="sslVersions">SSL3,TLS1.0,TLS1.1,TLS1.2</s:key>
        <s:key name="ssoBinding">HTTPPost</s:key>
        <s:key name="uiStatusPage">/account/status</s:key>
      </s:dict>
    </content>
  </entry>


authentication/providers/SAML/{stanza_name}/enable

https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}/enable

POST

Enable a SAML strategy.

Request parameters
None

Returned values
None

Example request

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/SAML/my_strategy/enable

authentication/providers/SAML/{stanza_name}/disable

https://<host>:<mPort>/services/authentication/providers/SAML/{stanza_name}/disable

POST

Delete a SAML strategy.

Request parameters
None

Returned values
None

Example request

curl -k -u admin:password -X POST https://localhost:8089/services/authentication/providers/SAML/my_strategy/disable

auth/login

https://<host>:<mPort>/services/auth/login


Get a session ID for use in subsequent API calls that require authentication. Set up cookie-based authorization.

The splunkd server supports token-based authentication using the standard HTTP authorization header. Before you can access Splunk Enterprise resources, you must authenticate with the splunkd server using your username and password.

Use cookie-based authorization

To use cookie-based authorization, first ensure that the allowCookieAuth setting is enabled in server.conf. By default, this setting is enabled in Splunk software versions 6.2 and later.

If allowCookieAuth is enabled, you can pass a cookie=1 parameter to the POST request on auth/login. As noted in the Response data keys section below, a Set-Cookie header is returned. This header must be used in subsequent requests.

Any request authenticated using a cookie may include a new Set-Cookie header in its response. Use this new cookie value in any subsequent requests.

If you do not receive a Set-Cookie header in response to the auth/login POST request but login succeeded, you can use the standard Authorization:Splunk... header with the session key for authorization.



POST

Get a session ID for use in subsequent API calls that require authentication. Optionally, use cookie-based authentication or multifactor authentication.

Request parameters

Name Type Description
cookie Boolean, only used value is 1. To use cookie-based REST auth, pass in cookie=1. Cookies will only be returned if the cookie parameter is passed in with the value of 1.
password String Required. Current username password.
passcode String Required for users with RSA multifactor authentication. The passcode associated with RSA multifactor authentication. This is a combination of the user's RSA token and PIN.
username String Required. Authenticated session owner name.


Response data keys

Note: Only a <response> element is returned instead of a full <atom> feed.
Name Description
sessionKey Session ID.

A Set-Cookie HTTP header is returned if cookie-based authentication is requested.

Failure to authenticate returns the following response.

<response>
     <messages>
         <msg type="WARN">Login failed</msg>
     </messages>
</response>


Example request and response

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/auth/login -d username=admin -d password=changeme

XML Response

<response>
    <sessionKey>192fd3e46a31246da7ea7f109e7f95fd</sessionKey>
</response>

Example request and response using RSA passcode

XML Request

curl -k https://tsen-centos62x64-7:8089/services/auth/login -d username=john@test-splunk.com -d password=changed123 -d passcode='gq!k##9b'

XML Response

<response>
  <sessionKey>8Q1QczpArNgKqfUmkmhwgiZVEr4^phZzEbX9NGonO^EdW8DOKXHR9iXNStzAEpVteSkShTxS^8QcyZ8zYj4P812iRBskRurK_RZ2dEy7FZjYoaLG0wx2rkSS0sIc</sessionKey>
  <messages>
    <msg code=""></msg>
  </messages>
</response>

Example failed login with missing RSA passcode

XML Request

curl -k https://tsen-centos62x64-7:8089/services/auth/login -d username=john@test-splunk.com -d password='changed123:gq!k##9b'

XML Response

<response>
  <messages>
    <msg type="WARN" code="incorrect_username_or_password">Login failed</msg>
  </messages>
</response>
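The auth/login handling described above (build the form, read sessionKey or the failure message, prefer a returned cookie, fall back to the Authorization: Splunk header, and pick up rotated cookies), as an added example that is not Splunk code. The class and function names are hypothetical, and the session key, cookie name and cookie values in the samples are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed samples. The bodies follow the response shapes shown above; the
# session key is a placeholder, not a real value.
LOGIN_OK = "<response>\n  <sessionKey>CONSTRUCTED-SESSION-KEY</sessionKey>\n</response>"
LOGIN_FAILED = """<response>
  <messages>
    <msg type="WARN" code="incorrect_username_or_password">Login failed</msg>
  </messages>
</response>"""


class LoginFailed(Exception):
    """Raised when the response carries no sessionKey."""

    def __init__(self, messages):
        text = "; ".join(m[2] for m in messages) or "no sessionKey in response"
        super().__init__(text)
        self.messages = messages  # list of (type, code, text)


def login_form(username, password, passcode=None, want_cookie=True):
    """URL-encode the POST body; urlencode escapes characters such as '#' and '!'."""
    fields = {"username": username, "password": password}
    if passcode is not None:        # only for users with RSA multifactor authentication
        fields["passcode"] = passcode
    if want_cookie:                 # cookies are returned only when cookie=1 is sent
        fields["cookie"] = "1"
    return urlencode(fields).encode("ascii")


def parse_login_response(body):
    """Return the session key, or raise LoginFailed with the <msg> details."""
    root = ET.fromstring(body)
    key = (root.findtext("sessionKey") or "").strip()
    if key:
        return key
    raise LoginFailed([(m.get("type"), m.get("code"), (m.text or "").strip())
                       for m in root.iter("msg")])


class SplunkdAuth:
    """Tracks which credential to send on the next request."""

    def __init__(self):
        self.session_key = None
        self.cookies = {}

    def record_login(self, headers, body):
        """headers is a list of (name, value) pairs from the auth/login response."""
        self.session_key = parse_login_response(body)
        self.record_response(headers)

    def record_response(self, headers):
        """Any authenticated response may carry a new Set-Cookie; keep the latest."""
        for name, value in headers:
            if name.lower() != "set-cookie":
                continue
            cookie_name, sep, cookie_value = value.split(";", 1)[0].partition("=")
            if sep:
                self.cookies[cookie_name.strip()] = cookie_value.strip()

    def request_headers(self):
        """Cookie if one was issued, otherwise the Authorization: Splunk header."""
        if self.cookies:
            return {"Cookie": "; ".join(f"{n}={v}" for n, v in self.cookies.items())}
        if self.session_key:
            return {"Authorization": "Splunk " + self.session_key}
        raise RuntimeError("not logged in")


if __name__ == "__main__":
    auth = SplunkdAuth()
    auth.record_login([], LOGIN_OK)  # login succeeded, no Set-Cookie returned
    print(auth.request_headers())
```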

authentication/current-context

https://<host>:<mPort>/services/authentication/current-context

Get the authenticated session owner username.


GET

Get user information for the current context.


Request parameters
Pagination and filtering parameters can be used with this method.


Response keys

Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Indicates whether the default app overrides the user role default app:
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole The role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Indicates whether to restart background search jobs that have not completed when Splunk restarts:
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type User authentication system type:
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.
username Authenticated session owner name.


Usage in search
Here is an example of calling this endpoint in a search command to get the current user.

... rest /services/authentication/current-context/context | fields + username ...


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/current-context

XML Response

.
.
.
<title>current-context</title>
 <id>https://localhost:8089/services/authentication/current-context</id>
 <updated>2014-06-30T11:26:19-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>context</title>
   <id>https://localhost:8089/services/authentication/current-context/context</id>
   <updated>2014-06-30T11:26:19-07:00</updated>
   <link href="/services/authentication/current-context/context" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/current-context/context" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
       <s:key name="username">admin</s:key>
     </s:dict>
   </content>
 </entry>

authentication/httpauth-tokens

https://<host>:<mPort>/services/authentication/httpauth-tokens

List currently active session IDs and users.


GET

List currently active session IDs/users.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
authString Unique identifier for this session.
searchId Search ID associated with the session, if it was created for a search job. If it is a login-type session, the value is empty. The session ID token is valid for the duration of the web session.
timeAccessed Last time the session was touched.
userName Username associated with the session.


Usage in searches
Here is an example of calling this endpoint in a search.

| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens

XML Response

.
.
.
<title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T11:28:04-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>15a773187d3e4437cbe9809f41f23d8f</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
   <updated>2014-06-30T11:28:04-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:28:04 2014</s:key>
       <s:key name="userName">admin</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>694ef5bda40ae8c4f59626671b5f0c9a</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
   <updated>2014-06-30T11:28:04-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:26:09 2014</s:key>
       <s:key name="userName">splunk-system-user</s:key>
     </s:dict>
   </content>
 </entry>

authentication/httpauth-tokens/{name}

https://<host>:<mPort>/services/authentication/httpauth-tokens/<name>


Access or delete the {name} session, where {name} is the session ID returned by auth/login.

For additional information, see the following resources.


DELETE

Delete the session associated with this session ID.

Request parameters
None

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK

XML Response

.
.
.
<title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T12:02:12-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>694ef5bda40ae8c4f59626671b5f0c9a</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
   <updated>2014-06-30T12:02:12-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:42:31 2014</s:key>
       <s:key name="userName">splunk-system-user</s:key>
     </s:dict>
   </content>
 </entry>


GET

Get session information.


Request parameters
None

Response keys

Name Description
authString Unique session identifier.
searchId Session search ID, if it is a search job session. The value is blank for a login-type session.
timeAccessed Last time the session was touched.
userName Username associated with the session.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK

XML Response

.
.
.
 <title>httpauth-tokens</title>
 <id>https://localhost:8089/services/authentication/httpauth-tokens</id>
 <updated>2014-06-30T11:39:52-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>15a773187d3e4437cbe9809f41f23d8f</title>
   <id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
   <updated>2014-06-30T11:39:52-07:00</updated>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
   <link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchId"></s:key>
       <s:key name="timeAccessed">Mon Jun 30 11:39:52 2014</s:key>
       <s:key name="userName">admin</s:key>
     </s:dict>
   </content>
 </entry>


authentication/users

https://<host>:<mPort>/services/authentication/users


List current users and create new users.

For additional information about configuring users and roles, see the following resources in Securing Splunk Enterprise.

Authentication and authorization
Requires the edit_user capability.

GET

List current users.


Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Indicates whether the default app overrides the user role default app:
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole The role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Indicates whether a background search job that has not completed restarts when Splunk restarts:
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type One of the following user authentication system types.
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users

XML Response

.
.
.
 <title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:27:48-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authentication/users/admin</id>
   <updated>2014-06-30T12:27:48-07:00</updated>
   <link href="/services/authentication/users/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/admin" rel="list"/>
   <link href="/services/authentication/users/admin" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:27:48-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>
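
The following added example (not part of the Splunk documentation) parses responses in the shape of the httpauth-tokens and users listings above, then flags idle login-type sessions and users who hold high-risk capabilities. The namespace URIs of the elided feed wrapper, the set of capabilities treated as high-risk, the idle threshold and the sample feeds are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace URIs of the feed wrapper that the responses elide (assumed here).
NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
# Capabilities this example treats as high-risk; the selection is an assumption.
RISKY_CAPS = frozenset({"admin_all_objects", "change_authentication",
                        "edit_roles", "edit_user"})


def _value(node):
    """Turn the body of <content>, <s:key> or <s:item> into a dict, list or str."""
    child = node.find("s:dict", NS)
    if child is not None:
        return {k.get("name"): _value(k) for k in child.findall("s:key", NS)}
    child = node.find("s:list", NS)
    if child is not None:
        return [_value(i) for i in child.findall("s:item", NS)]
    return (node.text or "").strip()


def parse_entries(feed_xml):
    """Return one dict per <entry>: its <s:dict> keys plus the entry title."""
    records = []
    for entry in ET.fromstring(feed_xml).findall("a:entry", NS):
        content = entry.find("a:content", NS)
        record = _value(content) if content is not None else None
        if isinstance(record, dict):
            record["_title"] = entry.findtext("a:title", "", NS)
            records.append(record)
    return records


def stale_login_sessions(entries, now, max_idle=timedelta(hours=1)):
    """Login-type sessions of real users that have been idle longer than max_idle.

    Uses the same filter as the search above (empty searchId, not
    splunk-system-user) and reports the entry title, never authString.
    """
    hits = []
    for e in entries:
        if e.get("searchId") or e.get("userName") == "splunk-system-user":
            continue
        # timeAccessed carries no time zone, so `now` must be server-local time.
        seen = datetime.strptime(e["timeAccessed"], "%a %b %d %H:%M:%S %Y")
        if now - seen > max_idle:
            hits.append((e["_title"], e["userName"], now - seen))
    return hits


def privileged_users(entries, risky=RISKY_CAPS):
    """Map each user holding a risky capability to their roles and those capabilities."""
    report = {}
    for e in entries:
        held = sorted(risky.intersection(e.get("capabilities", [])))
        if held:
            report[e["_title"]] = {"roles": e.get("roles", []), "risky": held}
    return report


# Constructed sample feeds in the shape of the responses above; values are made up.
_WRAP = ('<feed xmlns="http://www.w3.org/2005/Atom" '
         'xmlns:s="http://dev.splunk.com/ns/rest">%s</feed>')
_SESSION = ('<entry><title>%s</title><content type="text/xml"><s:dict>'
            '<s:key name="authString">PLACEHOLDER</s:key>'
            '<s:key name="searchId">%s</s:key>'
            '<s:key name="timeAccessed">%s</s:key>'
            '<s:key name="userName">%s</s:key></s:dict></content></entry>')
SESSIONS_XML = _WRAP % "".join(_SESSION % row for row in [
    ("sess-1", "", "Mon Jun 30 09:05:00 2014", "admin"),
    ("sess-2", "", "Mon Jun 30 11:26:09 2014", "splunk-system-user"),
    ("sess-3", "1404152884.12", "Mon Jun 30 08:00:00 2014", "user1"),
    ("sess-4", "", "Mon Jun 30 11:20:00 2014", "user1"),
])


def _items(values):
    return "".join("<s:item>%s</s:item>" % v for v in values)


_USER = ('<entry><title>%s</title><content type="text/xml"><s:dict>'
         '<s:key name="capabilities"><s:list>%s</s:list></s:key>'
         '<s:key name="roles"><s:list>%s</s:list></s:key>'
         '<s:key name="type">Splunk</s:key></s:dict></content></entry>')
USERS_XML = _WRAP % "".join(_USER % (n, _items(c), _items(r)) for n, c, r in [
    ("admin", ["admin_all_objects", "edit_user", "search"], ["admin"]),
    ("user1", ["change_authentication", "edit_roles", "search"], ["admin"]),
    ("analyst", ["search", "schedule_search"], ["user"]),
])

if __name__ == "__main__":
    now = datetime(2014, 6, 30, 11, 30, 0)
    for title, user, idle in stale_login_sessions(parse_entries(SESSIONS_XML), now):
        print("stale login session", title, user, idle)
    for user, info in privileged_users(parse_entries(USERS_XML)).items():
        print("privileged user", user, info["roles"], info["risky"])
```

The report identifies sessions by entry title because authString is the session ID itself and should be kept out of tickets and logs.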


POST

Create a user.

Usage details
When creating a user you must specify at least one role.

Specify one or more roles for the user. You can create a new role for the user by setting the createrole parameter to "true" and specifying the new role name as a roles parameter value.

Request parameters

Name Datatype Description
createrole Boolean Flag to indicate that a new role should be created for the user. If set to "true", the new role user-<name> is created and assigned to the user. The <name> portion of the new role matches the name parameter value passed in with this POST request.

If set to "false", at least one existing role must be specified using the roles parameter for the POST request.

Defaults to "false".

defaultApp String User default app. Overrides the default app inherited from the user roles.
email String User email address.
force-change-pass Boolean Indicates whether to force the user to change the password:
true = Force password change.
false = Do not force password change.
name String Required. Unique user login name.
password String User login password.
realname String Full user name.
restart_background_jobs Boolean Indicates whether a background search job that has not completed restarts when Splunk restarts:
true = Restart job.
false = Do not restart job.
roles String Role to assign to this user. To assign multiple roles, pass in each role using a separate roles parameter value.
For example, -d roles="role1", -d roles="role2".
At least one existing role is required if you are not using the createrole parameter to create a new role for the user. If you are using createrole to create a new role, you can optionally use this parameter to specify additional roles to assign to the user.
tz String User timezone.

Response keys
None


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users -d name=User1 -d password=changeme -d roles=admin

XML Response

<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:18:19-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:18:19-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>
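
The following added example (not part of the Splunk documentation) builds the form body for this POST and enforces the role rules from the parameter table before anything is sent. The function name, the default of forcing a password change and the sample role names are assumptions of this example.

```python
from urllib.parse import urlencode


def build_create_user_form(name, password, roles=(), createrole=False,
                           force_change_pass=True):
    """Return the form-encoded body for POST authentication/users.

    Enforces the rules stated above: name is required, and at least one
    existing role must be given unless createrole is true. Each role becomes
    its own roles parameter, the equivalent of -d roles=... -d roles=...
    """
    if isinstance(roles, str):
        # A bare string would otherwise be iterated character by character.
        roles = [roles]
    roles = [r.strip() for r in roles if r and r.strip()]
    if not name or not name.strip():
        raise ValueError("name is required")
    if not roles and not createrole:
        raise ValueError("specify at least one role or set createrole=true")

    pairs = [("name", name.strip()), ("password", password)]
    if createrole:
        pairs.append(("createrole", "true"))
    pairs.extend(("roles", r) for r in roles)
    # Assumption of this example: new accounts must rotate the initial password.
    pairs.append(("force-change-pass", "true" if force_change_pass else "false"))
    return urlencode(pairs)


if __name__ == "__main__":
    # Constructed values; "user" and "power" stand in for existing role names.
    print(build_create_user_form("user1", "constructed-initial-pw", ["user", "power"]))
```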



authentication/users/{name}

https://<host>:<mPort>/services/authentication/users/{name}

Access and update user information or delete the {name} user.

Usage details
The /{name} username portion of the URL is not case sensitive.

For additional information about user capabilities, see the following resource in Securing Splunk Enterprise.

Authentication and authorization
Requires the edit_user capability.

DELETE

Remove the specified user from the system.

Request parameters
None

Response keys
None


Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/users/user1

XML Response

.
.
.
 <title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:51:09-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authentication/users/admin</id>
   <updated>2014-06-30T12:51:09-07:00</updated>
   <link href="/services/authentication/users/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/admin" rel="list"/>
   <link href="/services/authentication/users/admin" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email">changeme@example.com</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname">Administrator</s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>


GET

Return information for the specified user.


Request parameters
None

Response keys

Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicator.
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole Role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Indicates whether incomplete background search jobs restart when the Splunk deployment restarts.
true = Restart jobs.
false = Do not restart jobs.
roles Roles assigned to the user.
type One of the following user authentication system types.
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1

XML Response

.
.
.
<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:39:18-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:39:18-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">0</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>defaultApp</s:item>
               <s:item>email</s:item>
               <s:item>force-change-pass</s:item>
               <s:item>password</s:item>
               <s:item>realname</s:item>
               <s:item>restart_background_jobs</s:item>
               <s:item>roles</s:item>
               <s:item>tz</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>


POST

Update the specified user.

Request parameters

Name Type Description
defaultApp String User default app. This overrides the default app inherited from the user roles.
email String User email address.
force-change-pass Boolean Indicates whether to force user password change.
true = Force password change.
false = Do not force password change.
oldpassword String Old user login password. Only required if using the password parameter to change the current user's password.
password String Required. User login password. To change the user password, enter the new user login password here. To change the current user's password, also supply the old password in the oldpassword parameter.
realname String Full user name.
restart_background_jobs Boolean Indicates whether to restart background search jobs that have not completed when the Splunk deployment restarts.
true = Restart job.
false = Do not restart job.
roles String Role to assign to this user. To assign multiple roles, pass in each role using a separate roles parameter value.
For example, -d roles="role1", -d roles="role2".

At least one existing role is required if you are not using the createrole parameter to create a new role for the user. If you are using createrole to create a new role, you can optionally use this parameter to specify additional roles to assign to the user.
tz String User timezone.

Response keys

Name Description
capabilities List of capabilities assigned to role.
defaultApp Default app for the user, which is invoked at login.
defaultAppIsUserOverride Default app override indicator.
true = Default app overrides the user role default app.
false = Default app does not override the user role default app.
defaultAppSourceRole Role that determines the default app for the user, if the user has multiple roles.
email User email address.
password User password.
realname User full name.
restart_background_jobs Indicates whether to restart background search jobs that have not completed when the Splunk deployment restarts.
true = Restart job.
false = Do not restart job.
roles Roles assigned to the user.
type One of the following user authentication system types.
  • LDAP
  • Scripted
  • Splunk
  • System (reserved for system user)
tz User timezone.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1 -d defaultApp=launcher

XML Response

.
.
.
<title>users</title>
 <id>https://localhost:8089/services/authentication/users</id>
 <updated>2014-06-30T12:45:23-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authentication/users/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>user1</title>
   <id>https://localhost:8089/services/authentication/users/user1</id>
   <updated>2014-06-30T12:45:23-07:00</updated>
   <link href="/services/authentication/users/user1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authentication/users/user1" rel="list"/>
   <link href="/services/authentication/users/user1" rel="edit"/>
   <link href="/services/authentication/users/user1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="defaultApp">launcher</s:key>
       <s:key name="defaultAppIsUserOverride">1</s:key>
       <s:key name="defaultAppSourceRole">system</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="email"></s:key>
       <s:key name="password">********</s:key>
       <s:key name="realname"></s:key>
       <s:key name="restart_background_jobs">1</s:key>
       <s:key name="roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="type">Splunk</s:key>
       <s:key name="tz"></s:key>
     </s:dict>
   </content>
 </entry>

authorization/capabilities

https://<host>:<mPort>/services/authorization/capabilities

Access system capabilities.

GET

List system capabilities.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities List of capabilities assigned to role.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/capabilities

XML Response

.
.
.
<title>capabilities</title>
 <id>https://localhost:8089/services/authorization/capabilities</id>
 <updated>2014-06-30T12:56:35-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>capabilities</title>
   <id>https://localhost:8089/services/authorization/capabilities/capabilities</id>
   <updated>2014-06-30T12:56:35-07:00</updated>
   <link href="/services/authorization/capabilities/capabilities" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/capabilities/capabilities" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>delete_by_keyword</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>use_file_operator</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>

authorization/fieldfilters

https://<host>:<mPort>/services/authorization/fieldfilters

Create a field filter or get a list of field filters. See Protect PII, PHI, and other sensitive data with field filters in Securing Splunk Platform.

READ THIS FIRST: Should you deploy field filters in your organization?
Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restrict by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters in Securing Splunk platform.

GET

List all field filters. To use GET with this endpoint, you must be a member of the admin, sc_admin, or power user role.


Request parameters
None

Response keys

Name Description
"name": "A field filter name"
The name of the field filter. Field filter names can contain only alphanumeric characters and underscores ( _ ). Spaces and special symbols are not allowed.
action.field The name of the field to filter for this action.
action.operator The operator for the action. Operators for actions are described as follows:
  • null(): Removes the field value from results of searches to which this filter is applied.
  • sha256(): Computes and returns the secure hash of the value of the field based on the FIPS-compliant SHA-256 (SHA-2 family) hash function. This hash is then used to replace the value of the field wherever it appears in results of searches to which this filter is applied. See Cryptographic functions in the Splunk Cloud Platform Search Reference.
  • sha512(): Computes and returns the secure hash of the value of the field based on the FIPS-compliant SHA-512 (SHA-2 family) hash function. This hash is then used to replace the value of the field wherever it appears in results of searches to which this filter is applied. See Cryptographic functions in the Splunk Cloud Platform Search Reference.
  • <string literal>: Replaces the fieldname value with the specified string wherever the field value appears in results of searches to which this filter is applied. A string literal is a sequence of characters enclosed in double quotation marks (" "). Use backslash ( \ ) to escape the \ and " characters in a string literal. For example, use \\ and \" .
  • sed(<string literal>): For _raw fields. The sed expression acts on searches to which this filter is applied. The sed expression replaces strings in search results that are matched by a regular expression (s) or transliterates characters found in search results with corresponding characters provided by the sed expression (y). A string literal is a sequence of characters enclosed in double quotation marks (" "). Use backslash ( \ ) to escape the \ and " characters in a string literal. For example, use \\ and \" .
"description": "A field filter description"
Stores a description of the field filter.
"index": "One or more index names"
Specifies an index name or a list of comma-separated index names of the target indexes you want to search that contain the data you want to protect. If an index is not specified, all indexes are searched.
limit.key The key for the field filter limit, which limits the field filter to events with a specific target host, source, or sourcetype. You can specify only one value. If the limit key is empty, the field filter doesn't apply to events with a specific host, source, or sourcetype. Limit statements that include wildcards or the following operators are not supported: AND, OR.
limit.value The value for the limit, which is a sequence of characters enclosed in double quotation marks ( " ) that represents the name of the hosts, the sources, or the source types. The limit value can be a value or a list of comma-separated values for the specified limit.
"roleExemptions": [ list of exempted roles ]
A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions.

Example request and response

XML Request

$ curl -sk -u admin:changeme https://localhost:8106/services/authorization/fieldfilters

XML Response

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>fieldfilters</title>
  <id>https://localhost:8106/services/authorization/fieldfilters</id>
  <updated>2023-09-07T20:54:51+00:00</updated>
  <generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/fieldfilters/_new" rel="create"/>
  <link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
  <link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>demofilter</title>
    <id>https://localhost:8106/servicesNS/nobody/search/authorization/fieldfilters/demofilter</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="list"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="edit"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter" rel="remove"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demofilter/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action">
          <s:dict>
            <s:key name="field">bytes</s:key>
            <s:key name="operator">"HIDDEN"</s:key>
          </s:dict>
        </s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="limit"/>
        <s:key name="roleExemptions">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST

Create a field filter. To use POST with this endpoint, you must be a member of the admin or sc_admin role.

Request parameters
None

Response keys
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters/ -d name=demo_hash_filter -d action=\"fieldName\"=sha256\(\)

XML Response

If a field filter with the specified name already exists, an error is returned. If the field filter is successfully created, the newly created field filter is returned.

The following is the XML response:

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>fieldfilters</title>
  <id>https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters</id>
  <updated>2023-09-07T22:11:14+00:00</updated>
  <generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/nobody/system/authorization/fieldfilters/_new" rel="create"/>
  <link href="/servicesNS/nobody/system/authorization/fieldfilters/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/system/authorization/fieldfilters/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>demo_hash_filter</title>
    <id>https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="list"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="edit"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="remove"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action">
          <s:dict>
            <s:key name="field">fieldName</s:key>
            <s:key name="operator">sha256()</s:key>
          </s:dict>
        </s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="limit"/>
        <s:key name="roleExemptions">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

authorization/fieldfilters/{name}

https://<host>:<mPort>/services/authorization/fieldfilters/<name>

Access, create, or delete properties for the {name} field filter. See Protect PII, PHI, and other sensitive data with field filters in Securing Splunk Platform.

READ THIS FIRST: Should you deploy field filters in your organization?
Field filters are a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but they might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restrict by default (mpreview, mstats, tstats, typeahead, and walklex), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes that have field filters in Securing Splunk platform.

DELETE

Delete the specified field filter. To use DELETE with this endpoint, you must be a member of the admin or sc_admin role.

Request parameters
None

Response keys
None

Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8106/services/authorization/fieldfilters/demo_hash_filter

XML Response

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>fieldfilters</title>
  <id>https://localhost:8106/services/authorization/fieldfilters</id>
  <updated>2023-09-07T22:22:48+00:00</updated>
  <generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/fieldfilters/_new" rel="create"/>
  <link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
  <link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

GET

Retrieve details about a specific field filter. To use GET with this endpoint, you must be a member of the admin, sc_admin, or power user role.


Request parameters
None

Response keys

"name": "A field filter name"
The name of the field filter. Field filter names can contain only alphanumeric characters and underscores ( _ ). Spaces and special symbols are not allowed.
action.field The name of the field to filter for this action.
action.operator The operator for the action. Operators for actions are described as follows:
  • null(): Removes the field value from results of searches to which this filter is applied.
  • sha256(): Computes and returns the secure hash of the value of the field based on the FIPS-compliant SHA-256 (SHA-2 family) hash function. This hash is then used to replace the value of the field wherever it appears in results of searches to which this filter is applied. See Cryptographic functions in the Splunk Cloud Platform Search Reference.
  • sha512(): Computes and returns the secure hash of the value of the field based on the FIPS-compliant SHA-512 (SHA-2 family) hash function. This hash is then used to replace the value of the field wherever it appears in results of searches to which this filter is applied. See Cryptographic functions in the Splunk Cloud Platform Search Reference.
  • <string literal>: Replaces the fieldname value with the specified string wherever the field value appears in results of searches to which this filter is applied. A string literal is a sequence of characters enclosed in double quotation marks (" "). Use backslash ( \ ) to escape the \ and " characters in a string literal. For example, use \\ and \" .
  • sed(<string literal>): For _raw fields. The sed expression acts on searches to which this filter is applied. The sed expression replaces strings in search results that are matched by a regular expression (s) or transliterates characters found in search results with corresponding characters provided by the sed expression (y). A string literal is a sequence of characters enclosed in double quotation marks (" "). Use backslash ( \ ) to escape the \ and " characters in a string literal. For example, use \\ and \" .
"description": "A field filter description"
Stores a description of the field filter.
"index": "One or more index names"
Specifies an index name or a list of comma-separated index names of the target indexes you want to search that contain the data you want to protect. If an index is not specified, all indexes are searched.
limit.key The key for the field filter limit, which limits the field filter to events with a specific target host, source, or sourcetype. You can specify only one value. If the limit key is empty, the field filter doesn't apply to events with a specific host, source, or sourcetype. Limit statements that include wildcards or the following operators are not supported: AND, OR.
limit.value The value for the limit, which is a sequence of characters enclosed in double quotation marks ( " ) that represents the name of one or more hosts, sources, or source types. The limit value can be a value or a list of comma-separated values for the specified limit.
"roleExemptions": [ list of exempted roles ]

A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8106/services/authorization/fieldfilters/demo_hash_filter

XML Response

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>fieldfilters</title>
  <id>https://localhost:8106/services/authorization/fieldfilters</id>
  <updated>2023-09-07T22:14:08+00:00</updated>
  <generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/fieldfilters/_new" rel="create"/>
  <link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
  <link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>demo_hash_filter</title>
    <id>https://localhost:8106/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="list"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="edit"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter" rel="remove"/>
    <link href="/servicesNS/nobody/system/authorization/fieldfilters/demo_hash_filter/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action">
          <s:dict>
            <s:key name="field">fieldName</s:key>
            <s:key name="operator">sha256()</s:key>
          </s:dict>
        </s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="limit"/>
        <s:key name="roleExemptions">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST

Update the specified field filter with the field values provided. To use POST with this endpoint, you must be a member of the admin or sc_admin role.


Request parameters

Name Description
action.field The name of the field to filter for this action. Only one field can be specified per request.
action.operator The operator for the action. Operators for actions are described as follows:
  • null(): Removes the field value from results of searches to which this filter is applied.
  • sha256(): Computes and returns the secure hash of the value of the field based on the FIPS-compliant SHA-256 (SHA-2 family) hash function. This hash is then used to replace the value of the field wherever it appears in results of searches to which this filter is applied. See Cryptographic functions in the Splunk Cloud Platform Search Reference.
  • sha512(): Computes and returns the secure hash of the value of the field based on the FIPS-compliant SHA-512 (SHA-2 family) hash function. This hash is then used to replace the value of the field wherever it appears in results of searches to which this filter is applied. See Cryptographic functions in the Splunk Cloud Platform Search Reference.
  • <string literal>: Replaces the fieldname value with the specified string wherever the field value appears in results of searches to which this filter is applied. A string literal is a sequence of characters enclosed in double quotation marks (" "). Use backslash ( \ ) to escape the \ and " characters in a string literal. For example, use \\ and \" .
  • sed(<string literal>): For _raw fields. The sed expression acts on searches to which this filter is applied. The sed expression replaces strings in search results that are matched by a regular expression (s) or transliterates characters found in search results with corresponding characters provided by the sed expression (y). A string literal is a sequence of characters enclosed in double quotation marks (" "). Use backslash ( \ ) to escape the \ and " characters in a string literal. For example, use \\ and \" .
description = <string> Stores a description of the field filter.
"index": "One or more index names"
Specifies an index name or a list of comma-separated index names of the target indexes you want to search that contain the data you want to protect. If an index is not specified, all indexes are searched.
limit.key The key for the field filter limit, which limits the field filter to events with a specific target host, source, or sourcetype. You can specify only one value. If the limit key is empty, the field filter doesn't apply to events with a specific host, source, or sourcetype. Limit statements that include wildcards or the following operators are not supported: AND, OR.
limit.value The value for the limit, which is a sequence of characters enclosed in double quotation marks ( " ) that represents the name of one or more hosts, sources, or source types. The limit value can be a value or a list of comma-separated values for the specified limit.
"roleExemptions": [ list of exempted roles ]

A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions.


Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8106/services/authorization/fieldfilters/demo_hash_filter -d limit=host::abc

XML Response

<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>fieldfilters</title>
  <id>https://localhost:8106/services/authorization/fieldfilters</id>
  <updated>2023-09-07T22:17:00+00:00</updated>
  <generator build="4464e07e99dad5532f25c08d83b3af6675536bdf" version="20230907"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/fieldfilters/_new" rel="create"/>
  <link href="/services/authorization/fieldfilters/_reload" rel="_reload"/>
  <link href="/services/authorization/fieldfilters/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>demo_hash_filter</title>
    <id>https://localhost:8106/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="list"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="edit"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter" rel="remove"/>
    <link href="/servicesNS/nobody/search/authorization/fieldfilters/demo_hash_filter/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="action">
          <s:dict>
            <s:key name="field">fieldName</s:key>
            <s:key name="operator">sha256()</s:key>
          </s:dict>
        </s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="limit">
          <s:dict>
            <s:key name="key">host</s:key>
            <s:key name="value">abc</s:key>
          </s:dict>
        </s:key>
        <s:key name="roleExemptions">
          <s:list/>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
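
The following is an added example, not part of the Splunk documentation: a Python script that decodes the s:dict / s:list structure of the fieldfilters responses shown above and summarizes, per filter, the operator type, the limit, and any exempt roles. The sample feed (including demo_null_filter) is constructed, and the use of s:item elements inside a non-empty roleExemptions list is an assumption based on how other lists appear in these responses.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample, trimmed to the keys the audit reads. The first entry
# mirrors the POST response on this page; the second is hypothetical.
SAMPLE_FEED = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>fieldfilters</title>
  <entry>
    <title>demo_hash_filter</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="action">
          <s:dict>
            <s:key name="field">fieldName</s:key>
            <s:key name="operator">sha256()</s:key>
          </s:dict>
        </s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="limit">
          <s:dict>
            <s:key name="key">host</s:key>
            <s:key name="value">abc</s:key>
          </s:dict>
        </s:key>
        <s:key name="roleExemptions"><s:list/></s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>demo_null_filter</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="action">
          <s:dict>
            <s:key name="field">fieldName</s:key>
            <s:key name="operator">null()</s:key>
          </s:dict>
        </s:key>
        <s:key name="disabled">1</s:key>
        <s:key name="limit"/>
        <s:key name="roleExemptions">
          <s:list><s:item>power</s:item></s:list>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def decode(node):
    """Turn s:dict / s:list / s:key / s:item into dict / list / str."""
    if node.tag == S + "dict":
        return {k.get("name"): decode(k) for k in node.findall(S + "key")}
    if node.tag == S + "list":
        return [decode(i) for i in node.findall(S + "item")]
    # An s:key or s:item either wraps one container or carries plain text.
    for child in node:
        if child.tag in (S + "dict", S + "list"):
            return decode(child)
    return (node.text or "").strip()


def operator_kind(op):
    """Classify action.operator using the operator list on this page."""
    if op == "null()":
        return "remove"
    if op in ("sha256()", "sha512()"):
        return "hash"
    if op.startswith("sed("):
        return "sed"
    return "literal"


def audit(xml_text):
    """Return one summary dict per field filter entry in the feed."""
    report = []
    for entry in ET.fromstring(xml_text).findall(ATOM + "entry"):
        props = decode(entry.find(ATOM + "content").find(S + "dict"))
        action = props.get("action") or {}
        limit = props.get("limit") or None        # empty key decodes to ""
        exempt = props.get("roleExemptions") or []
        notes = []
        if props.get("disabled") == "1":
            notes.append("disabled: field values are returned unfiltered")
        if exempt:
            notes.append("filter is not run for roles: " + ", ".join(exempt))
        if limit is None:
            notes.append("no limit: not restricted to a host, source or sourcetype")
        report.append({
            "name": entry.findtext(ATOM + "title"),
            "field": action.get("field"),
            "kind": operator_kind(action.get("operator", "")),
            "enabled": props.get("disabled") != "1",
            "limit": limit,
            "exempt_roles": exempt,
            "notes": notes,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_FEED):
        print(row["name"], row["kind"], row["limit"], row["notes"])
```

To run it against a live deployment, pass the body returned by a GET on authorization/fieldfilters to audit() in place of SAMPLE_FEED.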

authorization/grantable_capabilities

https://<host>:<mPort>/services/authorization/grantable_capabilities

Get a list of all capabilities that the current user can grant.

Authorization
Capabilities listed depend on the current user authorization. If the current user has the edit_roles capability, the response lists all capabilities. Otherwise, depending on the current user's edit_user permissions and configured grantableRoles in authorize.conf, the response lists only the capabilities that the current user can grant.


GET

List capabilities that the current user can grant.

Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities For users with the edit_roles capability, lists all capabilities. For users with edit_roles_grantable, edit_user, and grantableRoles, lists only grantable capabilities.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/grantable_capabilities

XML Response

<title>grantable_capabilities</title>
  <id>https://localhost:8089/services/authorization/grantable_capabilities</id>
.
.
.
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/grantable_capabilities/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>capabilities</title>
    <id>https://localhost:8089/services/authorization/grantable_capabilities/capabilities</id>
    <updated>2015-10-06T17:44:09-07:00</updated>
    <link href="/services/authorization/grantable_capabilities/capabilities" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/grantable_capabilities/capabilities" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities">
          <s:list>
            <s:item>accelerate_datamodel</s:item>
            <s:item>accelerate_search</s:item>
            <s:item>admin_all_objects</s:item>
            <s:item>change_authentication</s:item>
            <s:item>change_own_password</s:item>
            <s:item>delete_by_keyword</s:item>
            <s:item>edit_deployment_client</s:item>
            <s:item>edit_deployment_server</s:item>
            <s:item>edit_dist_peer</s:item>
            <s:item>edit_forwarders</s:item>
            <s:item>edit_httpauths</s:item>
            <s:item>edit_input_defaults</s:item>
            <s:item>edit_monitor</s:item>
            <s:item>edit_roles</s:item>
            <s:item>edit_roles_grantable</s:item>
            <s:item>edit_scripted</s:item>
            <s:item>edit_search_head_clustering</s:item>
            <s:item>edit_search_scheduler</s:item>
            <s:item>edit_search_server</s:item>
            <s:item>edit_server</s:item>
            <s:item>edit_sourcetypes</s:item>
            <s:item>edit_splunktcp</s:item>
            <s:item>edit_splunktcp_ssl</s:item>
            <s:item>edit_tcp</s:item>
            <s:item>edit_token_http</s:item>
            <s:item>edit_udp</s:item>
            <s:item>edit_user</s:item>
            <s:item>edit_view_html</s:item>
            <s:item>edit_web_settings</s:item>
            <s:item>embed_report</s:item>
            <s:item>get_diag</s:item>
            <s:item>get_metadata</s:item>
            <s:item>get_typeahead</s:item>
            <s:item>indexes_edit</s:item>
            <s:item>input_file</s:item>
            <s:item>license_edit</s:item>
            <s:item>license_tab</s:item>
            <s:item>license_view_warnings</s:item>
            <s:item>list_deployment_client</s:item>
            <s:item>list_deployment_server</s:item>
            <s:item>list_forwarders</s:item>
            <s:item>list_httpauths</s:item>
            <s:item>list_inputs</s:item>
            <s:item>list_introspection</s:item>
            <s:item>list_search_head_clustering</s:item>
            <s:item>list_search_scheduler</s:item>
            <s:item>output_file</s:item>
            <s:item>pattern_detect</s:item>
            <s:item>request_remote_tok</s:item>
            <s:item>rest_apps_management</s:item>
            <s:item>rest_apps_view</s:item>
            <s:item>rest_properties_get</s:item>
            <s:item>rest_properties_set</s:item>
            <s:item>restart_splunkd</s:item>
            <s:item>rtsearch</s:item>
            <s:item>run_debug_commands</s:item>
            <s:item>schedule_rtsearch</s:item>
            <s:item>schedule_search</s:item>
            <s:item>search</s:item>
            <s:item>use_file_operator</s:item>
            <s:item>web_debug</s:item>
          </s:list>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>

authorization/roles

https://<host>:<mPort>/services/authorization/roles


Create a role or get a list of defined roles with role permissions.

For additional information, see the following resources in Securing Splunk Enterprise.


GET

List all roles and the permissions for each role.


Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
capabilities List of capabilities assigned to role.
cumulativeRTSrchJobsQuota Maximum number of concurrently running real-time searches for all role members. Warning message logged when limit is reached.
cumulativeSrchJobsQuota Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.
defaultApp The name of the app to use as the default app for this role.

A user-specific default app overrides this.

fieldFilterExemption A list of field filters from which each role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions.
imported_capabilities List of capabilities assigned to role made available from imported roles.
imported_roles List of imported roles for this role.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions.

imported_rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_srchDiskQuota specifies the quota that this role has imported from other roles.

imported_srchFilter Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed A list of indexes, imported from other roles, this role has permissions to search.
imported_srchIndexesDefault A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter Search string that restricts the scope of searches run by this role.

Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed A list of indexes this role has permissions to search.
srchIndexesDefault A list of indexes that this role defaults to when no index is specified in a search.
srchJobsQuota The maximum number of concurrent real time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles

XML Response

.
.
.
 <title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:12:17-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>5</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>admin</title>
   <id>https://localhost:8089/services/authorization/roles/admin</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/admin" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/admin" rel="list"/>
   <link href="/services/authorization/roles/admin" rel="edit"/>
   <link href="/services/authorization/roles/admin" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>get_diag</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">400</s:key>
       <s:key name="cumulativeSrchJobsQuota">200</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>rtsearch</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>power</s:item>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">20</s:key>
       <s:key name="imported_srchDiskQuota">500</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">10</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">100</s:key>
       <s:key name="srchDiskQuota">10000</s:key>
       <s:key name="srchFilter">*</s:key>
       <s:key name="srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
           <s:item>_*</s:item>
         </s:list>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
           <s:item>os</s:item>
         </s:list>
       </s:key>
       <s:key name="srchJobsQuota">50</s:key>
       <s:key name="srchTimeWin">0</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>can_delete</title>
   <id>https://localhost:8089/services/authorization/roles/can_delete</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/can_delete" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/can_delete" rel="list"/>
   <link href="/services/authorization/roles/can_delete" rel="edit"/>
   <link href="/services/authorization/roles/can_delete" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>delete_by_keyword</s:item>
           <s:item>schedule_rtsearch</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list/>
       </s:key>
       <s:key name="imported_roles">
         <s:list/>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">0</s:key>
       <s:key name="imported_srchDiskQuota">0</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="imported_srchJobsQuota">0</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>power</title>
   <id>https://localhost:8089/services/authorization/roles/power</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/power" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/power" rel="list"/>
   <link href="/services/authorization/roles/power" rel="edit"/>
   <link href="/services/authorization/roles/power" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>embed_report</s:item>
           <s:item>rtsearch</s:item>
           <s:item>schedule_search</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">200</s:key>
       <s:key name="cumulativeSrchJobsQuota">100</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">20</s:key>
       <s:key name="srchDiskQuota">500</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="srchJobsQuota">10</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>splunk-system-role</title>
   <id>https://localhost:8089/services/authorization/roles/splunk-system-role</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/splunk-system-role" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/splunk-system-role" rel="list"/>
   <link href="/services/authorization/roles/splunk-system-role" rel="edit"/>
   <link href="/services/authorization/roles/splunk-system-role" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">100</s:key>
       <s:key name="cumulativeSrchJobsQuota">50</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_datamodel</s:item>
           <s:item>accelerate_search</s:item>
           <s:item>admin_all_objects</s:item>
           <s:item>change_authentication</s:item>
           <s:item>change_own_password</s:item>
           <s:item>edit_deployment_client</s:item>
           <s:item>edit_deployment_server</s:item>
           <s:item>edit_dist_peer</s:item>
           <s:item>edit_forwarders</s:item>
           <s:item>edit_httpauths</s:item>
           <s:item>edit_input_defaults</s:item>
           <s:item>edit_monitor</s:item>
           <s:item>edit_roles</s:item>
           <s:item>edit_scripted</s:item>
           <s:item>edit_search_server</s:item>
           <s:item>edit_server</s:item>
           <s:item>edit_splunktcp</s:item>
           <s:item>edit_splunktcp_ssl</s:item>
           <s:item>edit_tcp</s:item>
           <s:item>edit_udp</s:item>
           <s:item>edit_user</s:item>
           <s:item>edit_view_html</s:item>
           <s:item>edit_web_settings</s:item>
           <s:item>edit_win_admon</s:item>
           <s:item>edit_win_eventlogs</s:item>
           <s:item>edit_win_perfmon</s:item>
           <s:item>edit_win_regmon</s:item>
           <s:item>edit_win_wmiconf</s:item>
           <s:item>embed_report</s:item>
           <s:item>get_diag</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>indexes_edit</s:item>
           <s:item>input_file</s:item>
           <s:item>license_edit</s:item>
           <s:item>license_tab</s:item>
           <s:item>list_deployment_client</s:item>
           <s:item>list_deployment_server</s:item>
           <s:item>list_forwarders</s:item>
           <s:item>list_httpauths</s:item>
           <s:item>list_inputs</s:item>
           <s:item>list_pdfserver</s:item>
           <s:item>list_win_localavailablelogs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_management</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>restart_splunkd</s:item>
           <s:item>rtsearch</s:item>
           <s:item>run_debug_commands</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>schedule_search</s:item>
           <s:item>search</s:item>
           <s:item>write_pdfserver</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>admin</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">100</s:key>
       <s:key name="imported_srchDiskQuota">10000</s:key>
       <s:key name="imported_srchFilter">*</s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
           <s:item>_*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
           <s:item>os</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">50</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>user</title>
   <id>https://localhost:8089/services/authorization/roles/user</id>
   <updated>2014-06-30T13:12:17-07:00</updated>
   <link href="/services/authorization/roles/user" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/user" rel="list"/>
   <link href="/services/authorization/roles/user" rel="edit"/>
   <link href="/services/authorization/roles/user" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">100</s:key>
       <s:key name="cumulativeSrchJobsQuota">50</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list/>
       </s:key>
       <s:key name="imported_roles">
         <s:list/>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">0</s:key>
       <s:key name="imported_srchDiskQuota">0</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="imported_srchJobsQuota">0</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>
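
The following is an added example, not part of the Splunk documentation: a Python audit that parses a roles feed in the format shown above and reports roles that hold sensitive capabilities, either directly or through imported roles. The sample feed is constructed and abbreviated, the namespace URIs are stated as an assumption because the response header is elided above, and the choice of which capabilities count as sensitive is this example's own.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs for the feed; the response header is elided on this page.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# This example's choice of capabilities to report (all appear in the response above).
SENSITIVE = {"admin_all_objects", "change_authentication", "edit_roles", "edit_user"}

# Constructed, abbreviated sample in the shape of the response above.
SAMPLE_FEED = """
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>roles</title>
  <entry>
    <title>admin</title>
    <content type="text/xml"><s:dict>
      <s:key name="capabilities"><s:list>
        <s:item>change_authentication</s:item>
        <s:item>edit_roles</s:item>
        <s:item>edit_user</s:item>
      </s:list></s:key>
      <s:key name="imported_capabilities"><s:list><s:item>search</s:item></s:list></s:key>
      <s:key name="srchIndexesAllowed"><s:list><s:item>*</s:item><s:item>_*</s:item></s:list></s:key>
      <s:key name="imported_srchIndexesAllowed"><s:list><s:item>*</s:item></s:list></s:key>
      <s:key name="srchTimeWin">0</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>splunk-system-role</title>
    <content type="text/xml"><s:dict>
      <s:key name="capabilities"><s:list/></s:key>
      <s:key name="imported_capabilities"><s:list>
        <s:item>change_authentication</s:item>
        <s:item>edit_roles</s:item>
        <s:item>edit_user</s:item>
        <s:item>search</s:item>
      </s:list></s:key>
      <s:key name="srchIndexesAllowed"><s:list/></s:key>
      <s:key name="imported_srchIndexesAllowed"><s:list><s:item>*</s:item><s:item>_*</s:item></s:list></s:key>
      <s:key name="srchTimeWin">-1</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>user</title>
    <content type="text/xml"><s:dict>
      <s:key name="capabilities"><s:list><s:item>search</s:item></s:list></s:key>
      <s:key name="imported_capabilities"><s:list/></s:key>
      <s:key name="srchIndexesAllowed"><s:list><s:item>*</s:item></s:list></s:key>
      <s:key name="imported_srchIndexesAllowed"><s:list/></s:key>
      <s:key name="srchTimeWin">-1</s:key>
    </s:dict></content>
  </entry>
</feed>
"""


def parse_value(node):
    """Convert the body of a <content>, <s:key> or <s:item> into dict, list or str."""
    child = node.find("s:dict", NS)
    if child is not None:
        return {k.get("name"): parse_value(k) for k in child.findall("s:key", NS)}
    child = node.find("s:list", NS)
    if child is not None:
        return [parse_value(i) for i in child.findall("s:item", NS)]
    return (node.text or "").strip()


def parse_roles(feed_xml):
    """Return {role name: settings dict} for every <entry> in the feed."""
    root = ET.fromstring(feed_xml.strip())
    roles = {}
    for entry in root.findall("atom:entry", NS):
        name = entry.findtext("atom:title", namespaces=NS)
        roles[name] = parse_value(entry.find("atom:content", NS))
    return roles


def audit_roles(roles):
    """Return {role name: [notes]} for roles with wide permissions."""
    findings = {}
    for name, role in roles.items():
        own = set(role.get("capabilities", []))
        inherited = set(role.get("imported_capabilities", []))
        indexes = set(role.get("srchIndexesAllowed", []))
        indexes |= set(role.get("imported_srchIndexesAllowed", []))
        notes = []
        # A role with an empty capabilities list can still be fully privileged
        # through imported_capabilities, so both lists are checked.
        for cap in sorted((own | inherited) & SENSITIVE):
            notes.append(f"{cap} ({'own' if cap in own else 'inherited'})")
        if "_*" in indexes:
            notes.append("can search all internal indexes (_*)")
        if role.get("srchTimeWin") == "0":
            notes.append("srchTimeWin=0 overrides imported search time windows")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for role_name, role_notes in audit_roles(parse_roles(SAMPLE_FEED)).items():
        print(role_name, "->", "; ".join(role_notes))
```
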


POST

Create a user role.

Request parameters

Name Type Description
capabilities String List of capabilities assigned to role. To send multiple capabilities, send this argument multiple times.

Roles inherit all capabilities from imported roles.

cumulativeRTSrchJobsQuota Number Maximum number of concurrently running real-time searches that all members of this role can have.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

cumulativeSrchJobsQuota Number Maximum number of concurrently running searches for all role members. A warning message is logged when this limit is reached.

Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined.

defaultApp String Specify the folder name of the default app to use for this role. A user-specific default app overrides this.
imported_roles String Specify a role to import attributes from. To import multiple roles, specify them separately. By default a role imports no other roles.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is the value with the broadest permissions.

Default roles

  • admin
  • can_delete
  • power
  • user

You can also specify additional roles that have been created.

name String Required. The name of the user role to create.
rtSrchJobsQuota Number Specify the maximum number of concurrent real-time search jobs for this role.

This count is independent from the normal search jobs limit.

srchDiskQuota Number Specifies the maximum disk space in MB that can be used by a user's search jobs. For example, a value of 100 limits this role to 100 MB total.
srchFilter String Specify a search string that restricts the scope of searches run by this role. Search results for this role only show events that also match the search string you specify. In the case that a user has multiple roles with different search filters, they are combined with an OR.

The search string can include search fields and the following terms.

  • source
  • host
  • index
  • eventtype
  • sourcetype
  • *
  • OR
  • AND

Example: "host=web* OR source=/var/log/*"

Note: You can also use the srchIndexesAllowed and srchIndexesDefault parameters to limit the search on indexes.

srchIndexesAllowed String Index that this role has permissions to search. Pass this argument once for each index that you want to specify. These may be wildcarded, but the index name must begin with an underscore to match internal indexes.

Search indexes available by default include the following.

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main

You can also specify other search indexes added to the server.

srchIndexesDefault String For this role, indexes to search when no index is specified.

These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'.

A user with this role can search other indexes using "index= "

For example, "index=special_index".

Search indexes available by default include the following.

  • All internal indexes
  • All non-internal indexes
  • _audit
  • _blocksignature
  • _internal
  • _thefishbucket
  • history
  • main
  • other search indexes added to the server

srchJobsQuota Number The maximum number of concurrent searches a user with this role is allowed to run. For users with multiple roles, the maximum quota value among all of the roles applies.
srchTimeWin Number Maximum time span of a search, in seconds.

By default, searches are not limited to any specific time window. To override any search time windows from imported roles, set srchTimeWin to '0', as the 'admin' role does.
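
The following is an added example, not part of the Splunk documentation: a Python model of the index wildcard rule and the multi-role rules described in the parameters above, useful for checking what a set of roles can actually search before assigning it. The role audit_reader is hypothetical, the role settings are constructed in the shape of the responses on this page, and treating inherited and own values as a union (or maximum, for the quota) is this example's reading of "the value with the broadest permissions".

```python
import re

# Default index names listed in the parameter descriptions above.
KNOWN_INDEXES = ["_audit", "_blocksignature", "_internal",
                 "_thefishbucket", "history", "main"]

# Constructed role settings; audit_reader is a hypothetical role importing "user".
ROLES = {
    "user": {"srchIndexesAllowed": ["*"], "imported_srchIndexesAllowed": [],
             "srchJobsQuota": "3", "imported_srchJobsQuota": "0"},
    "power": {"srchIndexesAllowed": ["*"], "imported_srchIndexesAllowed": ["*"],
              "srchJobsQuota": "10", "imported_srchJobsQuota": "3"},
    "admin": {"srchIndexesAllowed": ["*", "_*"], "imported_srchIndexesAllowed": ["*"],
              "srchJobsQuota": "50", "imported_srchJobsQuota": "10"},
    "audit_reader": {"srchIndexesAllowed": ["_audit"],
                     "imported_srchIndexesAllowed": ["*"],
                     "srchJobsQuota": "3", "imported_srchJobsQuota": "3"},
}


def pattern_matches(pattern, index):
    """Apply one index pattern to one index name.

    Only '*' is treated as a wildcard. A pattern reaches an internal index
    (name starting with '_') only if the pattern itself starts with '_',
    so '*' alone never matches _audit or _internal.
    """
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def effective_patterns(role_names, roles):
    """Union of own and imported index patterns across all of a user's roles."""
    patterns = set()
    for name in role_names:
        patterns.update(roles[name].get("srchIndexesAllowed", []))
        patterns.update(roles[name].get("imported_srchIndexesAllowed", []))
    return patterns


def searchable_indexes(role_names, roles, known_indexes):
    """Indexes from known_indexes that a user holding role_names can search."""
    patterns = effective_patterns(role_names, roles)
    return sorted(i for i in known_indexes
                  if any(pattern_matches(p, i) for p in patterns))


def effective_jobs_quota(role_names, roles):
    """Largest srchJobsQuota, own or imported, among the user's roles."""
    return max(
        max(int(roles[n].get("srchJobsQuota", 0)),
            int(roles[n].get("imported_srchJobsQuota", 0)))
        for n in role_names
    )


if __name__ == "__main__":
    for names in (["user"], ["audit_reader"], ["user", "power"], ["admin"]):
        print(names, searchable_indexes(names, ROLES, KNOWN_INDEXES),
              "quota:", effective_jobs_quota(names, ROLES))
```
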

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles -d name=newrole1 -d imported_roles=user

XML Response

.
.
.
<title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:21:50-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>newrole1</title>
   <id>https://localhost:8089/services/authorization/roles/newrole1</id>
   <updated>2014-06-30T13:21:50-07:00</updated>
   <link href="/services/authorization/roles/newrole1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/newrole1" rel="list"/>
   <link href="/services/authorization/roles/newrole1" rel="edit"/>
   <link href="/services/authorization/roles/newrole1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>

authorization/roles/{name}

https://<host>:<mPort>/services/authorization/roles/<name>

Access, create, or delete properties for the {name} role.

For additional information, see the List of available capabilities in Securing Splunk Enterprise.


DELETE

Delete the specified role.

Request parameters
None

Response keys
None

Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authorization/roles/newrole1

XML Response

.
.
.
<title>roles</title>
 <id>https://localhost:8089/services/authorization/roles</id>
 <updated>2014-06-30T13:21:50-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/authorization/roles/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>newrole1</title>
   <id>https://localhost:8089/services/authorization/roles/newrole1</id>
   <updated>2014-06-30T13:21:50-07:00</updated>
   <link href="/services/authorization/roles/newrole1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/authorization/roles/newrole1" rel="list"/>
   <link href="/services/authorization/roles/newrole1" rel="edit"/>
   <link href="/services/authorization/roles/newrole1" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="capabilities">
         <s:list/>
       </s:key>
       <s:key name="cumulativeRTSrchJobsQuota">0</s:key>
       <s:key name="cumulativeSrchJobsQuota">0</s:key>
       <s:key name="defaultApp"></s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="imported_capabilities">
         <s:list>
           <s:item>accelerate_search</s:item>
           <s:item>change_own_password</s:item>
           <s:item>get_metadata</s:item>
           <s:item>get_typeahead</s:item>
           <s:item>input_file</s:item>
           <s:item>list_inputs</s:item>
           <s:item>output_file</s:item>
           <s:item>request_remote_tok</s:item>
           <s:item>rest_apps_view</s:item>
           <s:item>rest_properties_get</s:item>
           <s:item>rest_properties_set</s:item>
           <s:item>schedule_rtsearch</s:item>
           <s:item>search</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_roles">
         <s:list>
           <s:item>user</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_rtSrchJobsQuota">6</s:key>
       <s:key name="imported_srchDiskQuota">100</s:key>
       <s:key name="imported_srchFilter"></s:key>
       <s:key name="imported_srchIndexesAllowed">
         <s:list>
           <s:item>*</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchIndexesDefault">
         <s:list>
           <s:item>main</s:item>
         </s:list>
       </s:key>
       <s:key name="imported_srchJobsQuota">3</s:key>
       <s:key name="imported_srchTimeWin">-1</s:key>
       <s:key name="rtSrchJobsQuota">6</s:key>
       <s:key name="srchDiskQuota">100</s:key>
       <s:key name="srchFilter"></s:key>
       <s:key name="srchIndexesAllowed">
         <s:list/>
       </s:key>
       <s:key name="srchIndexesDefault">
         <s:list/>
       </s:key>
       <s:key name="srchJobsQuota">3</s:key>
       <s:key name="srchTimeWin">-1</s:key>
     </s:dict>
   </content>
 </entry>

GET

Access the specified role.


Request parameters
None

Response keys

Name Description
capabilities List of capabilities assigned to this role.
cumulativeRTSrchJobsQuota Maximum number of concurrently running real-time searches for all role members. A warning message is logged when this limit is reached.
cumulativeSrchJobsQuota Maximum number of concurrently running searches for all role members. A warning message is logged when this limit is reached.
defaultApp The name of the app to use as the default app for this role.

A user-specific default app overrides this.

fieldFilterExemption A list of field filters from which this role is exempt. If a role is exempt from a field filter, the field filter is not run at search time for any users holding this role. Roles inherit all field filter exemptions from imported roles. You can't remove inherited field filter exemptions.
imported_capabilities List of capabilities assigned to the role that were made available from imported roles.
imported_roles List of imported roles for this role.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. When multiple roles are combined, the effective value for each attribute is the value with the broadest permissions.

imported_rtSrchJobsQuota The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchFilter Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed A list of indexes, imported from other roles, that this role has permissions to search.
imported_srchIndexesDefault A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter Search string that restricts the scope of searches run by this role.

Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed A list of indexes this role has permissions to search.
srchIndexesDefault A list of indexes that this role searches by default when no index is specified in a search.
srchIndexesDisallowed A list of indexes that this role does not have permission to search on or delete.
srchJobsQuota The maximum number of concurrent real-time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/user

XML Response

    <title>user</title>
    <id>/services/authorization/roles/user</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/authorization/roles/user" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/roles/user" rel="list"/>
    <link href="/services/authorization/roles/user" rel="edit"/>
    <link href="/services/authorization/roles/user" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities">
          <s:list>
            <s:item>change_own_password</s:item>
            <s:item>get_metadata</s:item>
            <s:item>get_typeahead</s:item>
            <s:item>list_inputs</s:item>
            <s:item>list_tokens_own</s:item>
            <s:item>request_remote_tok</s:item>
            <s:item>rest_apps_view</s:item>
            <s:item>rest_properties_get</s:item>
            <s:item>rest_properties_set</s:item>
            <s:item>search</s:item>
          </s:list>
        </s:key>
        <s:key name="cumulativeRTSrchJobsQuota">20</s:key>
        <s:key name="cumulativeSrchJobsQuota">10</s:key>
        <s:key name="defaultApp"></s:key>
        <s:key name="deleteIndexesAllowed">
          <s:list/>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>capabilities</s:item>
                <s:item>cumulativeRTSrchJobsQuota</s:item>
                <s:item>cumulativeSrchJobsQuota</s:item>
                <s:item>defaultApp</s:item>
                <s:item>deleteIndexesAllowed</s:item>
                <s:item>federatedProviders</s:item>
                <s:item>fieldFilterLimit</s:item>
                <s:item>grantable_roles</s:item>
                <s:item>imported_roles</s:item>
                <s:item>rtSrchJobsQuota</s:item>
                <s:item>srchDiskQuota</s:item>
                <s:item>srchFilter</s:item>
                <s:item>srchIndexesAllowed</s:item>
                <s:item>srchIndexesDefault</s:item>
                <s:item>srchIndexesDisallowed</s:item>
                <s:item>srchJobsQuota</s:item>
                <s:item>srchTimeEarliest</s:item>
                <s:item>srchTimeWin</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>fieldFilter\-.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="fieldFilter-bar">NULL</s:key>
        <s:key name="fieldFilter-foo">sha256</s:key>
        <s:key name="fieldFilterLimit">sourcetype::foobar</s:key>
        <s:key name="grantable_roles">
          <s:list/>
        </s:key>
        <s:key name="imported_capabilities">
          <s:list/>
        </s:key>
        <s:key name="imported_roles">
          <s:list/>
        </s:key>
        <s:key name="imported_rtSrchJobsQuota">0</s:key>
        <s:key name="imported_srchDiskQuota">0</s:key>
        <s:key name="imported_srchFilter"></s:key>
        <s:key name="imported_srchIndexesAllowed">
          <s:list/>
        </s:key>
        <s:key name="imported_srchIndexesDefault">
          <s:list/>
        </s:key>
        <s:key name="imported_srchIndexesDisallowed">
          <s:list/>
        </s:key>
        <s:key name="imported_srchJobsQuota">0</s:key>
        <s:key name="imported_srchTimeEarliest">-1</s:key>
        <s:key name="imported_srchTimeWin">-1</s:key>
        <s:key name="rtSrchJobsQuota">17</s:key>
        <s:key name="srchDiskQuota">100</s:key>
        <s:key name="srchFilter"></s:key>
        <s:key name="srchIndexesAllowed">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="srchIndexesDefault">
          <s:list>
            <s:item>main</s:item>
          </s:list>
        </s:key>
        <s:key name="srchIndexesDisallowed">
          <s:list/>
        </s:key>
        <s:key name="srchJobsQuota">16</s:key>
        <s:key name="srchTimeEarliest">-1</s:key>
        <s:key name="srchTimeWin">-1</s:key>
      </s:dict>
    </content>
  </entry>
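
The response above separates a role's own settings from the imported_* settings it inherits, and the effective permission is the broadest of the two. The following added example (not part of the Splunk documentation) parses a roles feed and reports broad settings together with their origin. The helper names, the watchlist, and the sample feed with the roles helpdesk and reports_only are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SPL = "{http://dev.splunk.com/ns/rest}"

# Capabilities this page names as gating authentication settings and stored
# credentials. The watchlist is an assumption; adjust it to local policy.
WATCHED_CAPS = {"change_authentication", "list_storage_passwords",
                "edit_storage_passwords"}

# Constructed sample, not real server output. "helpdesk" has empty direct
# settings but imports everything from "user".
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>helpdesk</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities"><s:list/></s:key>
        <s:key name="imported_capabilities">
          <s:list>
            <s:item>search</s:item>
            <s:item>list_storage_passwords</s:item>
          </s:list>
        </s:key>
        <s:key name="imported_roles"><s:list><s:item>user</s:item></s:list></s:key>
        <s:key name="imported_srchIndexesAllowed">
          <s:list><s:item>*</s:item></s:list>
        </s:key>
        <s:key name="imported_srchTimeWin">0</s:key>
        <s:key name="srchIndexesAllowed"><s:list/></s:key>
        <s:key name="srchTimeWin">3600</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>reports_only</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities"><s:list><s:item>search</s:item></s:list></s:key>
        <s:key name="eai:acl">
          <s:dict><s:key name="owner">system</s:key></s:dict>
        </s:key>
        <s:key name="imported_capabilities"><s:list/></s:key>
        <s:key name="srchIndexesAllowed"><s:list><s:item>main</s:item></s:list></s:key>
        <s:key name="srchTimeWin">86400</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""


def s_value(node):
    """Convert the payload of an s:key, s:item or content node to Python."""
    child = next(iter(node), None)
    if child is None:                      # plain text value, possibly empty
        return (node.text or "").strip()
    if child.tag == SPL + "dict":
        return {k.get("name"): s_value(k) for k in child.findall(SPL + "key")}
    if child.tag == SPL + "list":
        return [s_value(i) for i in child.findall(SPL + "item")]
    return (node.text or "").strip()


def parse_roles(feed_xml):
    """Return {role name: settings dict} for every entry in the feed."""
    root = ET.fromstring(feed_xml)
    roles = {}
    for entry in root.iter(ATOM + "entry"):
        name = entry.findtext(ATOM + "title")
        roles[name] = s_value(entry.find(ATOM + "content"))
    return roles


def audit_role(role):
    """List broad settings, marking each as direct or imported."""
    findings = []
    for prefix, origin in (("", "direct"), ("imported_", "imported")):
        caps = set(role.get(prefix + "capabilities") or [])
        for cap in sorted(caps & WATCHED_CAPS):
            findings.append(f"{origin} capability {cap}")
        if "*" in (role.get(prefix + "srchIndexesAllowed") or []):
            findings.append(f"{origin} srchIndexesAllowed is *")
        # The page documents 0 as "not limited to any specific time window".
        if role.get(prefix + "srchTimeWin") == "0":
            findings.append(f"{origin} srchTimeWin is 0 (no time limit)")
    return findings


def audit_feed(feed_xml):
    """Return {role name: findings} for roles with at least one finding."""
    report = {}
    for name, role in parse_roles(feed_xml).items():
        findings = audit_role(role)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for role_name, items in audit_feed(SAMPLE_FEED).items():
        print(role_name, items)
```

In the sample, helpdesk looks restricted when only its own keys are read; every finding comes from the imported_* keys.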

POST

Update the specified role.


Request parameters

Name Type Description
capabilities String List of capabilities assigned to this role.
cumulativeRTSrchJobsQuota Number Maximum number of concurrently running real-time searches for all role members. A warning message is logged when this limit is reached.
cumulativeSrchJobsQuota Number Maximum number of concurrently running searches for all role members. A warning message is logged when this limit is reached.
defaultApp String The folder name for the app to use as the default app for this role.

A user-specific default app overrides this.

imported_capabilities String List of capabilities assigned to the role that were made available from imported roles.
imported_roles String Add an imported role one at a time.

Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. When multiple roles are combined, the effective value for each attribute is the value with the broadest permissions.

imported_rtSrchJobsQuota String The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchDiskQuota String The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.

imported_rtSrchJobsQuota specifies the quota imported from other roles.

imported_srchFilter String Search string, imported from other roles, that restricts the scope of searches run by this role.

Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

imported_srchIndexesAllowed String A list of indexes, imported from other roles, that this role has permissions to search.
imported_srchIndexesDefault String A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search.
imported_srchJobsQuota String The maximum number of historical searches for this role that are imported from other roles.
imported_srchTimeWin String Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.

imported_srchTimeWin specifies the limit from imported roles.

rtSrchJobsQuota Number The maximum number of concurrent real-time search jobs for this role. This count is independent from the normal search jobs limit.
srchDiskQuota Number The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
srchFilter String Search string that restricts the scope of searches run by this role.

Search results for this role show only events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR.

srchIndexesAllowed String A list of indexes this role has permissions to search.
srchIndexesDefault String A list of indexes that this role searches by default when no index is specified in a search.
srchIndexesDisallowed String A list of indexes that this role does not have permission to search on or delete.
srchJobsQuota Number The maximum number of concurrent real-time search jobs for this role.

This count is independent from the normal search jobs limit.

srchTimeWin Number Maximum time span of a search, in seconds.

0 indicates searches are not limited to any specific time window.


Response keys
None

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/user -d fieldFilter-foo=sha256 -d fieldFilter-bar=NULL -d fieldFilterLimit=sourcetype::foobar

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1 -d defaultApp=launcher

XML Response

 <title>roles</title>
  <id>/services/authorization/roles</id>
  <updated>2022-01-26T15:46:33-08:00</updated>
  <generator build="c96e1830f423ed31e033be95a0703e944ae27d25" version="20220124"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/roles/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>user</title>
    <id>/services/authorization/roles/user</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/authorization/roles/user" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/roles/user" rel="list"/>
    <link href="/services/authorization/roles/user" rel="edit"/>
    <link href="/services/authorization/roles/user" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="capabilities">
          <s:list>
            <s:item>change_own_password</s:item>
            <s:item>get_metadata</s:item>
            <s:item>get_typeahead</s:item>
            <s:item>list_inputs</s:item>
            <s:item>list_tokens_own</s:item>
            <s:item>request_remote_tok</s:item>
            <s:item>rest_apps_view</s:item>
            <s:item>rest_properties_get</s:item>
            <s:item>rest_properties_set</s:item>
            <s:item>search</s:item>
          </s:list>
        </s:key>
        <s:key name="cumulativeRTSrchJobsQuota">20</s:key>
        <s:key name="cumulativeSrchJobsQuota">10</s:key>
        <s:key name="defaultApp"></s:key>
        <s:key name="deleteIndexesAllowed">
          <s:list/>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="fieldFilter-bar">NULL</s:key>
        <s:key name="fieldFilter-foo">sha256</s:key>
        <s:key name="fieldFilterLimit">sourcetype::foobar</s:key>
        <s:key name="grantable_roles">
          <s:list/>
        </s:key>
        <s:key name="imported_capabilities">
          <s:list/>
        </s:key>
        <s:key name="imported_roles">
          <s:list/>
        </s:key>
        <s:key name="imported_rtSrchJobsQuota">0</s:key>
        <s:key name="imported_srchDiskQuota">0</s:key>
        <s:key name="imported_srchFilter"></s:key>
        <s:key name="imported_srchIndexesAllowed">
          <s:list/>
        </s:key>
        <s:key name="imported_srchIndexesDefault">
          <s:list/>
        </s:key>
        <s:key name="imported_srchIndexesDisallowed">
          <s:list/>
        </s:key>
        <s:key name="imported_srchJobsQuota">0</s:key>
        <s:key name="imported_srchTimeEarliest">-1</s:key>
        <s:key name="imported_srchTimeWin">-1</s:key>
        <s:key name="rtSrchJobsQuota">17</s:key>
        <s:key name="srchDiskQuota">100</s:key>
        <s:key name="srchFilter"></s:key>
        <s:key name="srchIndexesAllowed">
          <s:list>
            <s:item>*</s:item>
          </s:list>
        </s:key>
        <s:key name="srchIndexesDefault">
          <s:list>
            <s:item>main</s:item>
          </s:list>
        </s:key>
        <s:key name="srchIndexesDisallowed">
          <s:list/>
        </s:key>
        <s:key name="srchJobsQuota">16</s:key>
        <s:key name="srchTimeEarliest">-1</s:key>
        <s:key name="srchTimeWin">-1</s:key>
      </s:dict>
    </content>
  </entry>

Any Splunk roles that you create using this method will inherit a default set of capabilities. This inheritance occurs when you reload the authentication system. In search head clusters, this happens as part of configuration replication. You must manually reload the authentication system on standalone search heads for this inheritance to take effect.


authorization/tokens

https://<host>:<mPort>/services/authorization/tokens


Create, get information on, or modify tokens for authentication.

For additional information, see the following resources in Securing Splunk Enterprise.


GET

List information on tokens.


Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
username The username whose tokens you want to see. Optional. If not provided, all tokens are displayed.
id The ID of the token whose information you want to see. Optional.
status Show only tokens of a specific status. Optional. Valid values are enabled or disabled.

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/tokens

XML Response

.
.
.
  <title>tokens</title>
  <id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
  <updated>2019-04-28T15:04:30-07:00</updated>
  <generator build="6c6f0a269b91" version="7.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/tokens/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9</title>
    <id>https://splunkaday-linux-current:8089/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="list"/>
    <link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="edit"/>
    <link href="/services/authorization/tokens/60ccc93ef090ca6746cc56d5dd5c6c38359bcae2d0e8ddecc9dc3b21a93ad7f9" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="claims">
          <s:dict>
            <s:key name="aud">Tokentown</s:key>
            <s:key name="exp">0</s:key>
            <s:key name="iat">1556488991</s:key>
            <s:key name="idp">splunk</s:key>
            <s:key name="iss">admin from docs-unix-4</s:key>
            <s:key name="nbr">1556488991</s:key>
            <s:key name="roles">
              <s:list>
                <s:item>*</s:item>
              </s:list>
            </s:key>
            <s:key name="sub">admin</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="headers">
          <s:dict>
            <s:key name="alg">HS512</s:key>
            <s:key name="kid">splunk.secret</s:key>
            <s:key name="ttyp">static</s:key>
            <s:key name="ver">v1</s:key>
          </s:dict>
        </s:key>
        <s:key name="lastUsed">0</s:key>
        <s:key name="lastUsedIp"></s:key>
        <s:key name="status">enabled</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


POST

Change the status of one or more tokens.

Request parameters

Name Type Description
name String The user of the token. Can be up to 1024 characters.
audience String The purpose for the token. Can be up to 256 characters.
expires_on String The time that the token expires. Can be either an absolute time (for example, 2019-02-09T07:35:00+07:00) or a relative time (for example, +90d). This time cannot be in the past.

Note: If you specify not_before in addition to expires_on, not_before cannot be after expires_on.

not_before String The time that the token becomes valid. Can be an absolute time or a relative time. This time cannot be in the past.

Note: If you specify not_before in addition to expires_on, not_before cannot be after expires_on.

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/tokens -d name=user12 -d audience=Users

XML Response

.
.
.
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>tokens</title>
  <id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
  <updated>2019-04-28T15:26:52-07:00</updated>
  <generator build="6c6f0a269b91" version="7.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/tokens/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>tokens</title>
    <id>https://splunkaday-linux-current:8089/services/authorization/tokens/tokens</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/authorization/tokens/tokens" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/tokens/tokens" rel="list"/>
    <link href="/services/authorization/tokens/tokens" rel="edit"/>
    <link href="/services/authorization/tokens/tokens" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="id">a1afa1a74528731191ab3e597889b2013c57cc301e06a9cf4e86f8282144ba09</s:key>
        <s:key name="token"><![CDATA[eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MSIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJhZG1pbiBmcm9tIGRvY3MtdW5peC00Iiwic3ViIjoidXNlcjEyIiwiYXVkIjoiVXNlcnMiLCJpZHAiOiJzcGx1bmsiLCJqdGkiOiJhMWFmYTFhNzQ1Mjg3MzExOTFhYjNlNTk3ODg5YjIwMTNjNTdjYzMwMWUwNmE5Y2Y0ZTg2ZjgyODIxNDRiYTA5IiwiaWF0IjoxNTU2NDkwNDEyLCJleHAiOjAsIm5iciI6MTU1NjQ5MDQxMn0.KQhlN5bdiEPVB_m85VV3CVIA_Ux5CI24AHoer6iElAbGLLPrwvN0ntHsagUFyrhk6edvDofRvG6Z1o5F4NS8Cg]]></s:key>
      </s:dict>
    </content>
  </entry>
</feed>


authorization/tokens/{name}

https://<host>:<mPort>/services/authorization/tokens/{name}


Get information on, modify, or delete authentication tokens for the {name} user.

For additional information, see the following resources in Securing Splunk Enterprise.


DELETE

Delete a token for the specified user.


Request parameters
Pagination and filtering parameters can be used with this method.

Name Description
id The ID of the token you want to delete. Optional. If not specified, then all tokens that belong to {username} are deleted.

Example request and response

XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/authorization/tokens/user12

XML Response

.
.
.
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>tokens</title>
  <id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
  <updated>2019-04-28T16:13:45-07:00</updated>
  <generator build="6c6f0a269b91" version="7.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/tokens/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Token(s), removed.</s:msg>
  </s:messages>
  <entry>
    <title>cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf</title>
    <id>https://splunkaday-linux-current:8089/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="list"/>
    <link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="edit"/>
    <link href="/services/authorization/tokens/cdc2f1ddc0e240695feb977c5474d27d6224eb49e4bb70d6a7dad1b7041b66bf" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="claims">
          <s:dict>
            <s:key name="aud">Tokentown</s:key>
            <s:key name="exp">0</s:key>
            <s:key name="iat">1556490311</s:key>
            <s:key name="idp">splunk</s:key>
            <s:key name="iss">admin from docs-unix-4</s:key>
            <s:key name="nbr">1556490311</s:key>
            <s:key name="roles">
              <s:list>
                <s:item>*</s:item>
              </s:list>
            </s:key>
            <s:key name="sub">admin</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="headers">
          <s:dict>
            <s:key name="alg">HS512</s:key>
            <s:key name="kid">splunk.secret</s:key>
            <s:key name="ttyp">static</s:key>
            <s:key name="ver">v1</s:key>
          </s:dict>
        </s:key>
        <s:key name="lastUsed">0</s:key>
        <s:key name="lastUsedIp"></s:key>
        <s:key name="status">enabled</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


POST

Create a token for the specified username.

Request parameters

Name Type Description
name String The user of the token. Can be up to 1024 characters.
audience String The purpose for the token. Can be up to 256 characters.
expires_on String The time that the token expires. Can be either an absolute time (for example, 2019-02-09T07:35:00+07:00) or a relative time (for example, +90d). This time cannot be in the past.

Note: If you specify not_before in addition to expires_on, not_before cannot be after expires_on.

not_before String The time that the token becomes valid. Can be an absolute time or a relative time. This time cannot be in the past.

Note: If you specify not_before in addition to expires_on, not_before cannot be after expires_on.

Response keys
None

Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/authorization/tokens/user12 -d audience=Users -d expires_on=+90d@d

XML Response

.
.
.
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>tokens</title>
  <id>https://splunkaday-linux-current:8089/services/authorization/tokens</id>
  <updated>2019-04-28T15:26:52-07:00</updated>
  <generator build="6c6f0a269b91" version="7.3.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/authorization/tokens/_new" rel="create"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>tokens</title>
    <id>https://splunkaday-linux-current:8089/services/authorization/tokens/tokens</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/authorization/tokens/tokens" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/authorization/tokens/tokens" rel="list"/>
    <link href="/services/authorization/tokens/tokens" rel="edit"/>
    <link href="/services/authorization/tokens/tokens" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="id">a1afa1a74528731191ab3e597889b2013c57cc301e06a9cf4e86f8282144ba09</s:key>
        <s:key name="token"><![CDATA[eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MSIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJhZG1pbiBmcm9tIGRvY3MtdW5peC00Iiwic3ViIjoidXNlcjEyIiwiYXVkIjoiVXNlcnMiLCJpZHAiOiJzcGx1bmsiLCJqdGkiOiJhMWFmYTFhNzQ1Mjg3MzExOTFhYjNlNTk3ODg5YjIwMTNjNTdjYzMwMWUwNmE5Y2Y0ZTg2ZjgyODIxNDRiYTA5IiwiaWF0IjoxNTU2NDkwNDEyLCJleHAiOjAsIm5iciI6MTU1NjQ5MDQxMn0.KQhlN5bdiEPVB_m85VV3CVIA_Ux5CI24AHoer6iElAbGLLPrwvN0ntHsagUFyrhk6edvDofRvG6Z1o5F4NS8Cg]]></s:key>
      </s:dict>
    </content>
  </entry>
</feed>


storage/passwords

https://<host>:<mPort>/services/storage/passwords

Create or update user credentials, or list credentials for all users.

Authorization
The list_storage_passwords capability is required for the GET operation. The edit_storage_passwords capability is required for the POST operation.

Usage details
The password credential is the only part of the user credentials that is stored securely. It is encrypted with a secure key resident on the same server.


GET

List available credentials.


Request parameters
Pagination and filtering parameters can be used with this method.

Response keys

Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/services/storage/passwords

XML Response

.
.
.
<title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T13:43:06-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:testuser:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A</id>
   <updated>2014-06-30T13:43:06-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">newpwd</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$prTUy3vRWg==</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">testuser</s:key>
     </s:dict>
   </content>
 </entry>
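
A defender-side check on the GET response above, added here as an example and not part of the Splunk documentation: it parses the Atom feed's nested s:dict / s:list structure and reports, for each credential, which roles the ACL lets read it, without copying the clear_password value. The sample feed is constructed (the svc:backup: entry and its values are made up), and to_python and audit_feed are names chosen for this example.

```python
import xml.etree.ElementTree as ET
NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample, trimmed to the keys this check reads. It follows the layout
# of the storage/passwords responses on this page; "svc:backup:" is made up.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>:user1:</title><content type="text/xml"><s:dict>
  <s:key name="clear_password">changeme2</s:key>
  <s:key name="eai:acl"><s:dict>
    <s:key name="app">search</s:key>
    <s:key name="perms"><s:dict>
      <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
    </s:dict></s:key>
    <s:key name="sharing">app</s:key>
  </s:dict></s:key>
  <s:key name="username">user1</s:key>
</s:dict></content></entry>
<entry><title>svc:backup:</title><content type="text/xml"><s:dict>
  <s:key name="clear_password">constructed-secret</s:key>
  <s:key name="eai:acl"><s:dict>
    <s:key name="app">search</s:key>
    <s:key name="perms"><s:dict>
      <s:key name="read"><s:list><s:item>admin</s:item></s:list></s:key>
    </s:dict></s:key>
    <s:key name="sharing">app</s:key>
  </s:dict></s:key>
  <s:key name="username">backup</s:key>
</s:dict></content></entry>
</feed>"""

def to_python(node):
    """Turn the s:dict / s:list / text body of a node into dict / list / str."""
    child = node.find("s:dict", NS)
    if child is not None:
        return {k.get("name"): to_python(k) for k in child.findall("s:key", NS)}
    child = node.find("s:list", NS)
    if child is not None:
        return [to_python(i) for i in child.findall("s:item", NS)]
    return (node.text or "").strip()

def audit_feed(xml_text):
    """One finding per credential entry; the clear_password value is never copied."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("a:entry", NS):
        cred = to_python(entry.find("a:content", NS))
        acl = cred.get("eai:acl") or {}
        readers = (acl.get("perms") or {}).get("read", [])
        findings.append({
            "title": entry.findtext("a:title", default="", namespaces=NS),
            "app": acl.get("app", ""), "sharing": acl.get("sharing", ""),
            "read_roles": readers, "read_by_any_role": "*" in readers,
            "returns_clear_password": "clear_password" in cred,
        })
    return findings
```

Run audit_feed on the full feed body returned by the GET request; entries with read_by_any_role set are the ones to review first.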


POST

Create or update credentials.


Request parameters

Name Type Description
name String Required. Credentials username.
password String Required. Credentials user password.
realm String Credentials realm.

Response keys

Name Description
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username Username associated with credentials.


Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords -d name=user1 -d password=changeme2

XML Response

.
.
.
<title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T13:51:44-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:user1:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
   <updated>2014-06-30T13:51:44-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">changeme2</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">user1</s:key>
     </s:dict>
   </content>
 </entry>

storage/passwords/{name}

https://<host>:<mPort>/services/storage/passwords/<name>

Update, delete, or list credentials for the {name} user.

Authorization
The edit_storage_passwords capability is required for the DELETE and POST operations. The list_storage_passwords capability is required for the GET operation.


DELETE

Delete the specified user credentials.

Usage details
The {name} portion of the URL must be bounded by the colon ( : ) symbol as in this example.

/services/storage/passwords/:uname:

Request parameters
None

Response keys
Returns a list of the remaining credentials in the {name} namespace.

Example request and response


XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/servicesNS/nobody/search/storage/passwords/:user1:

XML Response

 <title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T14:21:11-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>


GET

Access the specified user credentials.


Request parameters
None

Response keys

Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/user1

XML Response

 <title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T14:06:04-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:user1:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
   <updated>2014-06-30T14:06:04-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">changeme2</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list>
               <s:item>password</s:item>
             </s:list>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">user1</s:key>
     </s:dict>
   </content>
 </entry>


POST

Update the specified user credentials.

Request parameters

Name Type Description
password String User password credential.

Response keys

Name Description
clear_password Clear text password.
encr_password Encrypted, stored password.
password Password mask, always ********.
realm Realm in which credentials are valid.
username User name associated with credentials.

Example request and response


XML Request

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/user1 -d password=changemeAgain

XML Response

.
.
.
<title>passwords</title>
 <id>https://localhost:8089/services/storage/passwords</id>
 <updated>2014-06-30T14:13:57-07:00</updated>
 <generator build="200839" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/storage/passwords/_new" rel="create"/>
 <link href="/services/storage/passwords/_reload" rel="_reload"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>:user1:</title>
   <id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
   <updated>2014-06-30T14:13:57-07:00</updated>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
   <author>
     <name>admin</name>
   </author>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
   <link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="clear_password">changemeAgain</s:key>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app">search</s:key>
           <s:key name="can_change_perms">1</s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_share_app">1</s:key>
           <s:key name="can_share_global">1</s:key>
           <s:key name="can_share_user">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">1</s:key>
           <s:key name="owner">admin</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>*</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>power</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">1</s:key>
           <s:key name="sharing">app</s:key>
         </s:dict>
       </s:key>
       <s:key name="encr_password">$1$q7nC1WvQY/p0UtMdIVM=</s:key>
       <s:key name="password">********</s:key>
       <s:key name="realm"></s:key>
       <s:key name="username">user1</s:key>
     </s:dict>
   </content>
 </entry>

Last modified on 05 December, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.3.2

