Introspection endpoint descriptions
Access server and instance information.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information, see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication is required for access to endpoints and REST operations.
Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.
App and user context
Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.
Splunk Cloud limitations
If you have a managed Splunk Cloud deployment with search head clustering and index clustering, the REST API supports access to the search head only. You can use the REST API to interact with the search head in your deployment. Using the REST API to access any other cluster member nodes is not supported. For example, introspection endpoints are not applicable to Splunk Cloud deployments.
data/index-volumes
https://<host>:<mPort>/services/data/index-volumes
Get information about the volume (logical drives) in use by the Splunk deployment.
GET
List the Splunk deployment volumes.
Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the following file.
$SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf
At least one observation period must pass after Splunk software startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
Name | Description |
---|---|
max_size | Maximum name volume size limit (MB). |
name | Volume name. |
total_size | Total name volume capacity (MB). If max_size is infinite, this field is not listed. |
Example request and response
XML Request
curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes
XML Response
...
<title>introspection--disk-objects--volumes</title>
<id>https://localhost:8089/services/data/index-volumes</id>
<updated>2014-03-25T14:41:09-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
  <name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
  <title>_splunk_summaries</title>
  <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
  <updated>2014-03-25T14:41:09-07:00</updated>
  <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
  <author>
    <name>system</name>
  </author>
  <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="eai:acl"> ... elided ... </s:key>
      <s:key name="max_size">infinite</s:key>
      <s:key name="name">_splunk_summaries</s:key>
    </s:dict>
  </content>
</entry>
data/index-volumes/{name}
https://<host>:<mPort>/services/data/index-volumes/{name}
Get information about the {name} volume (logical drive).
GET
List {name} volume properties.
Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the following file.
$SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf
At least one observation period must pass after Splunk software startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
Name | Description |
---|---|
max_size | Maximum name volume size limit (MB). |
name | Volume name. |
total_size | Total name volume capacity (MB). If max_size is infinite, this field is not listed. |
Example request and response
XML Request
curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes/_splunk_summaries
XML Response
...
<title>introspection--disk-objects--volumes</title>
<id>https://localhost:8089/services/data/index-volumes</id>
<updated>2014-03-27T14:35:26-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
  <name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
  <title>_splunk_summaries</title>
  <id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
  <updated>2014-03-27T14:35:26-07:00</updated>
  <link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
  <author>
    <name>system</name>
  </author>
  <link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="eai:acl"> ... elided ... </s:key>
      <s:key name="eai:attributes">... elided ...</s:key>
      <s:key name="max_size">infinite</s:key>
      <s:key name="name">_splunk_summaries</s:key>
    </s:dict>
  </content>
</entry>
data/indexes
https://<host>:<mPort>/services/data/indexes
Create and manage data indexes.
Authorization and authentication
By default, all users can list all indexes. However, if the indexes_list_all capability is enabled in authorize.conf, access to all indexes is limited to only those roles with this capability.
To enable indexes_list_all capability restrictions on the data/indexes endpoint, create a [capability::indexes_list_all] stanza in authorize.conf. Specify indexes_list_all=enabled for any role permitted to list all indexes from this endpoint.
For more information, see the authorize.conf spec file in the Admin Manual.
GET
List the recognized indexes on the server.
Request parameters
Pagination and filtering parameters can be used with this method.
Name | Type | Default | Description |
---|---|---|---|
datatype | String | event | Valid values: (all | event | metric). Specifies the type of index. |
Returned values
Name | Description |
---|---|
assureUTF8 | Indicates whether all data retrieved from the index is proper UTF8. If enabled (set to True), degrades indexing performance. This is a global setting, not a per-index setting. |
blockSignSize | Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
blockSignatureDatabase | The index that stores block signatures of events. This is a global setting, not a per-index setting. |
coldPath | Filepath to the cold databases for the index. |
coldPath_expanded | Absolute filepath to the cold databases. |
coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: if both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
coldToFrozenScript | Path to the archiving script. See the POST parameter description for details. |
compressRawdata | This value is ignored. The splunkd process always compresses raw data. |
currentDBSizeMB | Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths. |
datatype | The type of index (event | metric). |
defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
disabled | Indicates if the index is disabled. |
enableRealtimeSearch | Indicates if this is a real-time search. This is a global setting, not a per-index setting. |
frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to the coldToFrozenDir and coldToFrozenScript parameter documentation. |
homePath | An absolute path that contains the hot and warm buckets for the index. |
homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
indexThreads | Number of threads used for indexing. This is a global setting, not a per-index setting. |
isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
isReady | Indicates if the index is properly initialized. |
lastInitTime | Last time the index processor was successfully initialized. This is a global setting, not a per-index setting. |
maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket. This number should be increased only if instructed by Splunk Support. Typically the default value suffices. |
maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day. Although the maximum value you can set this to is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time). If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
maxMemMB | The amount of memory, in MB, allocated for indexing. This is a global setting, not a per-index setting. |
maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when the maximum is exceeded and the bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless the excess is significant. |
maxRunningProcessGroups | Maximum number of processes that the indexer fires off at a time. This is a global setting, not a per-index setting. |
maxTime | ISO8601 timestamp of the newest event time in the index. |
maxTotalDataSizeMB | The maximum size of an index, in MB. |
maxWarmDBCount | The maximum number of warm buckets. If this number is exceeded, the warm bucket(s) with the lowest value for their latest times are moved to cold. |
memPoolMB | Determines how much memory is given to the indexer memory pool. This is a global setting, not a per-index setting. |
minRawFileSyncSecs | Can be either an integer or "disable". Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed. The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
minTime | ISO8601 timestamp of the oldest event time in the index. |
partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero). If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require a full re-write are synced at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
quarantineFutureSecs | Events with a timestamp more than quarantineFutureSecs newer than "now" are dropped into the quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
quarantinePastSecs | Events with a timestamp more than quarantinePastSecs older than "now" are dropped into the quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
rawChunkSizeBytes | Target uncompressed size in bytes for an individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check if a new hot bucket needs to be created, and how frequently to check if there are any warm/cold buckets that should be rolled/frozen. |
serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
summarize | If true, leaves out certain index details, which provides a faster response. |
suppressBannerList | List of indexes for which "index missing" warning banner messages are suppressed. This is a global setting, not a per-index setting. |
sync | Specifies the number of events that trigger the indexer to sync events. This is a global setting, not a per-index setting. |
syncMeta | When true, a sync operation is called before the file descriptor is closed on metadata file updates. This functionality improves the integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of Splunk Support. |
thawedPath | An absolute path that contains the thawed (resurrected) databases for the index. |
thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
throttleCheckPeriod | Defines how frequently Splunk software checks for the index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support. |
totalEventCount | Total number of events in the index. |
tsidxDedupPostingsListMaxTermsLimit | This setting is valid only when tsidxWritingLevel is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing duplicate term postings lists. Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with This setting cannot exceed 1,073,741,824 (2^30). Defaults to 8,388,608 (2^23). |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/data/indexes
XML Response
...
<title>indexes</title>
<id>https://localhost:8089/services/data/indexes</id>
<updated>2011-07-11T18:09:22-07:00</updated>
<generator version="102807"/>
<author>
  <name>Splunk</name>
</author>
<link href="/services/data/indexes/_new" rel="create"/>
<link href="/services/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
  <title>_audit</title>
  <id>https://localhost:8089/servicesNS/nobody/system/data/indexes/_audit</id>
  <updated>2011-07-11T18:09:22-07:00</updated>
  <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="list"/>
  <link href="/servicesNS/nobody/system/data/indexes/_audit/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/system/data/indexes/_audit" rel="edit"/>
  <link href="/servicesNS/nobody/system/data/indexes/_audit/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="assureUTF8">0</s:key>
      <s:key name="blockSignSize">0</s:key>
      <s:key name="blockSignatureDatabase">_blocksignature</s:key>
      <s:key name="coldPath">$SPLUNK_DB/audit/colddb</s:key>
      <s:key name="coldPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/colddb</s:key>
      <s:key name="coldToFrozenDir"/>
      <s:key name="coldToFrozenScript"/>
      <s:key name="compressRawdata">1</s:key>
      <s:key name="currentDBSizeMB">1</s:key>
      <s:key name="datatype">event</s:key>
      <s:key name="defaultDatabase">main</s:key>
      <s:key name="disabled">0</s:key>
      ... eai:acl element elided ...
      <s:key name="enableRealtimeSearch">1</s:key>
      <s:key name="frozenTimePeriodInSecs">188697600</s:key>
      <s:key name="homePath">$SPLUNK_DB/audit/db</s:key>
      <s:key name="homePath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/db</s:key>
      <s:key name="indexThreads">auto</s:key>
      <s:key name="isInternal">1</s:key>
      <s:key name="lastInitTime">1310432962.424512</s:key>
      <s:key name="maxConcurrentOptimizes">3</s:key>
      <s:key name="maxDataSize">auto</s:key>
      <s:key name="maxHotBuckets">3</s:key>
      <s:key name="maxHotIdleSecs">0</s:key>
      <s:key name="maxHotSpanSecs">7776000</s:key>
      <s:key name="maxMemMB">5</s:key>
      <s:key name="maxMetaEntries">1000000</s:key>
      <s:key name="maxRunningProcessGroups">20</s:key>
      <s:key name="maxTime">2011-07-10T22:20:53-0700</s:key>
      <s:key name="maxTotalDataSizeMB">500000</s:key>
      <s:key name="maxWarmDBCount">300</s:key>
      <s:key name="memPoolMB">auto</s:key>
      <s:key name="minRawFileSyncSecs">disable</s:key>
      <s:key name="minTime">2011-07-10T14:33:00-0700</s:key>
      <s:key name="partialServiceMetaPeriod">0</s:key>
      <s:key name="quarantineFutureSecs">2592000</s:key>
      <s:key name="quarantinePastSecs">77760000</s:key>
      <s:key name="rawChunkSizeBytes">131072</s:key>
      <s:key name="rotatePeriodInSecs">60</s:key>
      <s:key name="serviceMetaPeriod">25</s:key>
      <s:key name="suppressBannerList"/>
      <s:key name="sync">0</s:key>
      <s:key name="syncMeta">1</s:key>
      <s:key name="thawedPath">$SPLUNK_DB/audit/thaweddb</s:key>
      <s:key name="thawedPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/thaweddb</s:key>
      <s:key name="throttleCheckPeriod">15</s:key>
      <s:key name="totalEventCount">230</s:key>
    </s:dict>
  </content>
</entry>
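The GET response above is an Atom feed whose entries carry an s:dict of s:key elements. The following added example (not Splunk's own code) parses such a feed and flags the settings a defender would review first: block signing disabled, a retention period below policy with no frozen archive configured, and any coldToFrozenScript, since that is a program splunkd runs. The feed, the index names and the 90-day policy value are constructed for the example; the namespace URIs are those declared by Splunk REST responses.

```python
"""Audit index settings returned by GET /services/data/indexes."""
import xml.etree.ElementTree as ET

# Namespaces declared on Splunk's Atom feed root (elided in the page's sample).
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "s": "http://dev.splunk.com/ns/rest",
}

# Constructed sample feed (hypothetical indexes and values, not a real
# deployment). Only the keys the audit needs are included.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>indexes</title>
  <entry>
    <title>_audit</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blockSignSize">0</s:key>
        <s:key name="coldToFrozenDir"/>
        <s:key name="coldToFrozenScript"/>
        <s:key name="frozenTimePeriodInSecs">188697600</s:key>
        <s:key name="isInternal">1</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>web_proxy</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blockSignSize">100</s:key>
        <s:key name="coldToFrozenDir"/>
        <s:key name="coldToFrozenScript">python $SPLUNK_HOME/bin/myColdToFrozen.py</s:key>
        <s:key name="frozenTimePeriodInSecs">604800</s:key>
        <s:key name="isInternal">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scratch</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="blockSignSize">0</s:key>
        <s:key name="coldToFrozenDir"/>
        <s:key name="coldToFrozenScript"/>
        <s:key name="frozenTimePeriodInSecs">86400</s:key>
        <s:key name="isInternal">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_index_feed(xml_text):
    """Return {index_name: {key: value}} from a data/indexes Atom feed.

    Empty elements such as <s:key name="coldToFrozenDir"/> (an unset value)
    are returned as "" rather than None so callers can compare safely.
    """
    root = ET.fromstring(xml_text)
    indexes = {}
    for entry in root.findall("atom:entry", NS):
        name = entry.findtext("atom:title", default="", namespaces=NS)
        settings = {}
        for key in entry.findall("atom:content/s:dict/s:key", NS):
            settings[key.get("name")] = (key.text or "").strip()
        indexes[name] = settings
    return indexes


def audit_indexes(indexes, min_retention_secs=90 * 86400):
    """Return a list of (index_name, finding) strings worth a review.

    min_retention_secs is a hypothetical policy value (90 days by default).
    """
    findings = []
    for name, s in indexes.items():
        # blockSignSize 0 means block signing is off for this index.
        if s.get("blockSignSize", "0") == "0":
            findings.append((name, "block signing disabled"))
        # Frozen data is deleted unless coldToFrozenDir/Script archives it,
        # so a short frozenTimePeriodInSecs without an archive loses evidence.
        retention = int(s.get("frozenTimePeriodInSecs") or 0)
        archived = bool(s.get("coldToFrozenDir") or s.get("coldToFrozenScript"))
        if retention < min_retention_secs and not archived:
            findings.append((name, "retention below policy and no frozen archive"))
        # coldToFrozenScript is executed by splunkd from $SPLUNK_HOME/bin;
        # its path and contents belong under change control.
        if s.get("coldToFrozenScript"):
            findings.append((name, "coldToFrozenScript set: " + s["coldToFrozenScript"]))
    return findings


if __name__ == "__main__":
    for index_name, finding in audit_indexes(parse_index_feed(SAMPLE_FEED)):
        print(f"{index_name}: {finding}")
```

Against a live instance, feed the body of the curl request shown above into parse_index_feed instead of SAMPLE_FEED.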
POST
Create a new index.
Request parameters
Name | Type | Default | Description |
---|---|---|---|
blockSignSize | Number | 0 | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
bucketRebuildMemoryHint | String | auto | Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.
Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value,
Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent. |
coldPath | String | An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching. May be defined in terms of a volume definition (see volume section below).
Required. Splunk software does not start if an index lacks a valid coldPath. | |
coldToFrozenDir | String | Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence | |
coldToFrozenScript | String | Path to the archiving script.
If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs. If your new script in bin/ is named myColdToFrozen.py, set this key to the following:
By default, the example script has two possible behaviors when archiving:
| |
compressRawdata | Boolean | true | This parameter is ignored. The splunkd process always compresses raw data. |
datatype | String | event | Valid values: (event | metric). Specifies the type of index. |
enableOnlineBucketRepair | Boolean | true | Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software.
When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation. |
frozenTimePeriodInSecs | Number | 188697600 | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
homePath | String | An absolute path that contains the hot and warm buckets for the index.
Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable. | |
maxBloomBackfillBucketAge | Number | 30d | Valid values are: Integer[m|s|h|d]
If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters. For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it. |
maxConcurrentOptimizes | Number | 6 | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
maxDataSize | Number | auto | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
maxHotBuckets | Number | 3 | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
maxHotIdleSecs | Number | 0 | Maximum life, in seconds, of a hot bucket. Defaults to 0.
If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time). |
maxHotSpanSecs | Number | 7776000 | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
maxMemMB | Number | 5 | The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance. |
maxMetaEntries | Number | 1000000 | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
maxTimeUnreplicatedNoAcks | Number | 300 | Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
maxTimeUnreplicatedWithAcks | Number | 60 | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
maxTotalDataSizeMB | Number | 500000 | The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen. |
maxWarmDBCount | Number | 300 | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold. |
minRawFileSyncSecs | Number | disable | Specify an integer (or "disable") for this parameter.
This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed |
minStreamGroupQueueSize | Number | 2000 | Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Caution: Do not set this value, except under advice from Splunk Support. |
name required |
String | The name of the index to create. | |
partialServiceMetaPeriod | Number | 0 | Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.
If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero). |
processTrackerServiceInterval | Number | 1 | Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15.
If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295. |
quarantineFutureSecs | Number | 2592000 | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
quarantinePastSecs | Number | 77760000 | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
rawChunkSizeBytes | Number | 131072 | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support. |
repFactor | String | 0 | Index replication control. This parameter applies to only clustering slaves.
|
rotatePeriodInSecs | Number | 60 | How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen. |
serviceMetaPeriod | Number | 25 | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
syncMeta | Boolean | true | When true, a sync operation is called before the file descriptor is closed on metadata file updates. This functionality improves the integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
thawedPath | String | | An absolute path that contains the thawed (resurrected) databases for the index.
Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath. |
throttleCheckPeriod | Number | 15 | Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
tstatsHomePath | String | volume:_splunk_summaries/$_index_name/tstats | Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter.
If specified, it must be defined in terms of a volume definition. Caution: Path must be writable. |
warmToColdScript | String | | Path to a script to run when moving data from warm to cold.
This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk Support if you need help configuring this setting. Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used. |
Returned values
Name | Description |
---|---|
assureUTF8 | Boolean value indicating whether all data retrieved from the index is proper UTF8.
If enabled (set to True), degrades indexing performance. Can only be set globally. |
blockSignSize | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
blockSignatureDatabase | The index that stores block signatures of events.
This is a global setting, not a per index setting. |
bucketRebuildMemoryHint | Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. |
coldPath | Filepath to the cold databases for the index. |
coldPath_expanded | Absolute filepath to the cold databases. |
coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
coldToFrozenScript | Path to the archiving script.
See the POST parameter description for details. |
compressRawdata | This value is ignored. splunkd process always compresses raw data. |
currentDBSizeMB | Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths. |
datatype | The type of index (event | metric). |
defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
enableOnlineBucketRepair | Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk software. |
enableRealtimeSearch | Indicates if this is a real-time search.
This is a global setting, not a per index setting. |
frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
homePath | An absolute path that contains the hot and warm buckets for the index. |
homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
indexThreads | Number of threads used for indexing.
This is a global setting, not a per index setting. |
isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
isReady | Indicates if an index is properly initialized. |
lastInitTime | Last time the index processor was successfully initialized.
This is a global setting, not a per index setting. |
maxBloomBackfillBucketAge | If a bucket (warm or cold) is older than this, Splunk software does not create (or re-create) its bloom filter. |
maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
Although the maximum value you can set this to is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 to 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
maxMemMB | The amount of memory, in MB, allocated for indexing.
This is a global setting, not a per index setting. |
maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
maxTime | ISO8601 timestamp of the newest event time in the index. |
maxTimeUnreplicatedNoAcks | Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this parameter does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
maxTimeUnreplicatedWithAcks | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
maxTotalDataSizeMB | The maximum size of an index, in MB. |
maxWarmDBCount | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold. |
memPoolMB | Determines how much memory is given to the indexer memory pool.
This is a global setting, not a per-index setting. |
minRawFileSyncSecs | Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.
The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
minStreamGroupQueueSize | Minimum size of the queue that stores events in memory before committing them to a tsidx file. |
minTime | ISO8601 timestamp of the oldest event time in the index. |
partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero).
If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require a full re-write are synced at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
processTrackerServiceInterval | How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. |
quarantineFutureSecs | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
quarantinePastSecs | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
rawChunkSizeBytes | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
repFactor | Index replication control. This parameter applies only to clustering slaves. |
rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check if a new hot bucket needs to be created, and how frequently to check if there are any warm/cold buckets that should be rolled/frozen. |
serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
suppressBannerList | List of indexes for which we suppress "index missing" warning banner messages.
This is a global setting, not a per index setting. |
sync | Specifies the number of events that trigger the indexer to sync events.
This is a global setting, not a per index setting. |
syncMeta | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
thawedPath | Filepath to the thawed (resurrected) databases for the index. |
thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
throttleCheckPeriod | Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
totalEventCount | Total number of events in the index. |
tsidxDedupPostingsListMaxTermsLimit | This setting is valid only when tsidxWritingLevel is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates.
Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with This setting cannot exceed 1,073,741,824 (2^30). Defaults to 8,388,608 (2^23). |
tstatsHomePath | Location where datamodel acceleration TSIDX data for this index is stored. |
warmToColdScript | Script to run when moving data from warm to cold. See input parameter description for details. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/indexes -d name=Shadow
XML Response
...
<title>indexes</title>
<id>https://localhost:8089/servicesNS/admin/search/data/indexes</id>
<updated>2011-05-13T13:09:27-07:00</updated>
<generator version="98392"/>
<author>
  <name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/indexes/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
  <title>shadow</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
  <updated>2011-05-13T13:09:27-07:00</updated>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
  <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="assureUTF8">0</s:key>
      <s:key name="blockSignSize">0</s:key>
      <s:key name="blockSignatureDatabase">_blocksignature</s:key>
      <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
      <s:key name="coldPath_expanded">/Applications/splunk/var/lib/splunk/shadow/colddb</s:key>
      <s:key name="coldToFrozenDir"></s:key>
      <s:key name="coldToFrozenScript"></s:key>
      <s:key name="compressRawdata">1</s:key>
      <s:key name="currentDBSizeMB">1</s:key>
      <s:key name="datatype">event</s:key>
      <s:key name="defaultDatabase">main</s:key>
      <s:key name="eai:acl">. . .</s:key>
      <s:key name="enableRealtimeSearch">1</s:key>
      <s:key name="frozenTimePeriodInSecs">188697600</s:key>
      <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
      <s:key name="homePath_expanded">/Applications/splunk/var/lib/splunk/shadow/db</s:key>
      <s:key name="indexThreads">auto</s:key>
      <s:key name="isInternal">0</s:key>
      <s:key name="lastInitTime">1305317367.331268</s:key>
      <s:key name="maxConcurrentOptimizes">3</s:key>
      <s:key name="maxDataSize">auto</s:key>
      <s:key name="maxHotBuckets">3</s:key>
      <s:key name="maxHotIdleSecs">0</s:key>
      <s:key name="maxHotSpanSecs">7776000</s:key>
      <s:key name="maxMemMB">5</s:key>
      <s:key name="maxMetaEntries">1000000</s:key>
      <s:key name="maxTime"></s:key>
      <s:key name="maxTotalDataSizeMB">500000</s:key>
      <s:key name="maxWarmDBCount">300</s:key>
      <s:key name="memPoolMB">auto</s:key>
      <s:key name="minRawFileSyncSecs">disable</s:key>
      <s:key name="minTime"></s:key>
      <s:key name="partialServiceMetaPeriod">0</s:key>
      <s:key name="quarantineFutureSecs">2592000</s:key>
      <s:key name="quarantinePastSecs">77760000</s:key>
      <s:key name="rawChunkSizeBytes">131072</s:key>
      <s:key name="rotatePeriodInSecs">60</s:key>
      <s:key name="serviceMetaPeriod">25</s:key>
      <s:key name="suppressBannerList"></s:key>
      <s:key name="sync">0</s:key>
      <s:key name="syncMeta">1</s:key>
      <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
      <s:key name="thawedPath_expanded">/Applications/splunk/var/lib/splunk/shadow/thaweddb</s:key>
      <s:key name="throttleCheckPeriod">15</s:key>
      <s:key name="totalEventCount">0</s:key>
    </s:dict>
  </content>
</entry>
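The response above is the raw material for a retention audit: frozenTimePeriodInSecs deletes data from the index unless coldToFrozenDir or coldToFrozenScript archives it, and when both are set coldToFrozenDir wins. The following Python script is an added example, not code from the Splunk documentation or product. It parses the entry/s:dict structure shown above into a dictionary per index and flags indexes whose data would be frozen before a required retention period with no archive destination. Assumptions: the Atom and "s" namespace URIs, the sample feed (constructed to mirror the response shape above), and the retention figures in REQUIRED_DAYS, which stand in for your own policy. The fetch helper takes an SSL context because the page's curl examples pass -k, which disables certificate verification on the management port.

```python
"""Retention audit over the data/indexes Atom response (added example)."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
REST = "{http://dev.splunk.com/ns/rest}"  # assumed URI for the s: prefix

# Constructed sample feed: two indexes in the shape of the page's XML response.
SAMPLE_RESPONSE = """\
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>indexes</title>
  <entry>
    <title>shadow</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="frozenTimePeriodInSecs">188697600</s:key>
        <s:key name="coldToFrozenDir"></s:key>
        <s:key name="coldToFrozenScript"></s:key>
        <s:key name="maxTotalDataSizeMB">500000</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>fw_logs</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="frozenTimePeriodInSecs">2592000</s:key>
        <s:key name="coldToFrozenDir"/>
        <s:key name="coldToFrozenScript"/>
        <s:key name="maxTotalDataSizeMB">500000</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""

# Assumed policy: minimum days each index must stay searchable or archived.
REQUIRED_DAYS = {"fw_logs": 365, "shadow": 30}


def fetch_indexes(base_url, username, password, ssl_context=None):
    """GET the full index list; count=0 asks the REST API for all entries.

    Pass an ssl.SSLContext that trusts the management-port certificate instead
    of disabling verification the way the page's `curl -k` examples do.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/services/data/indexes?count=0")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl_context or ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode("utf-8")


def parse_index_entries(xml_text):
    """Return {index_name: {key: value}} from a data/indexes Atom feed."""
    root = ET.fromstring(xml_text)
    indexes = {}
    for entry in root.iter(ATOM + "entry"):
        name = entry.findtext(ATOM + "title")
        settings = {}
        dict_el = entry.find(ATOM + "content/" + REST + "dict")
        # Only the top-level keys of the entry's dict; nested eai:attributes are skipped.
        for key in ([] if dict_el is None else dict_el.findall(REST + "key")):
            settings[key.get("name")] = (key.text or "").strip()
        indexes[name] = settings
    return indexes


def archive_destination(settings):
    """Where frozen buckets go; coldToFrozenDir takes precedence when both are set."""
    if settings.get("coldToFrozenDir"):
        return ("dir", settings["coldToFrozenDir"])
    if settings.get("coldToFrozenScript"):
        return ("script", settings["coldToFrozenScript"])
    return None


def retention_findings(indexes, required_days, default_days=0):
    """List (index, days_until_frozen, days_required) where data is lost too early.

    Freezing removes data from the index, so an index only meets a retention
    requirement longer than frozenTimePeriodInSecs if an archive is configured.
    """
    findings = []
    for name, settings in indexes.items():
        need = required_days.get(name, default_days)
        frozen_days = int(settings.get("frozenTimePeriodInSecs", "0")) // 86400
        if frozen_days < need and archive_destination(settings) is None:
            findings.append((name, frozen_days, need))
    return findings


if __name__ == "__main__":
    for finding in retention_findings(parse_index_entries(SAMPLE_RESPONSE), REQUIRED_DAYS):
        print("index %s freezes after %d days but policy requires %d" % finding)
```

Run it against a live instance by replacing SAMPLE_RESPONSE with the output of fetch_indexes; the same parser works for the data/indexes/{name} response, which carries one entry.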
data/indexes/{name}
https://<host>:<mPort>/services/data/indexes/{name}
Access, update, or delete the {name} index.
DELETE
Removes the {name} index and the data contained in it.
Usage details
Before executing this operation, look through all inputs.conf files (on the indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index that you plan to delete.
For example, if you want to delete an index called nogood, make sure the attribute/value pair index=nogood does not appear in any input stanzas. Once the index is deleted, Splunk software discards any data sent to that index.
The method returns HTTP status code 409 if the {name} index was disabled but Splunk Enterprise was not restarted. Restart Splunk Enterprise and try again.
For information on deleting indexes and deleting data from indexes, refer to Remove indexes and indexed data in Managing Indexers and Clusters of Indexers.
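The inputs.conf check described above is easy to automate. The following Python script is an added example, not Splunk's own code: it scans inputs.conf text for stanzas whose index= value names the index to be deleted, refuses to issue the DELETE while any remain (data sent to a deleted index is discarded), and turns the 409 documented above into a clear error. Index names are compared case-insensitively because the create example on this page shows name=Shadow producing the index shadow. The inputs.conf content, host labels and URL are constructed for the example.

```python
"""Pre-delete check for data/indexes/{name} (added example)."""
import configparser
import urllib.error
import urllib.parse
import urllib.request

# Constructed inputs.conf: two stanzas still route data to the index "nogood".
SAMPLE_INPUTS_CONF = """\
[default]
host = idx01

[monitor:///var/log/nogood/*.log]
index = nogood
sourcetype = nogood_app

[monitor:///var/log/auth.log]
index = os_auth
sourcetype = linux_secure

[tcp://9997]
index=NOGOOD
"""


def stanzas_targeting_index(conf_text, index_name):
    """Return the stanza names whose index= value matches index_name."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's case-sensitive keys as written
    cp.read_string(conf_text)
    wanted = index_name.strip().lower()
    return [stanza for stanza in cp.sections()
            if (cp.get(stanza, "index", fallback=None) or "").strip().lower() == wanted]


def conflicting_stanzas(conf_texts, index_name):
    """Map each conf file label (e.g. 'host:path') to the stanzas still targeting the index."""
    conflicts = {}
    for label, text in conf_texts.items():
        hits = stanzas_targeting_index(text, index_name)
        if hits:
            conflicts[label] = hits
    return conflicts


def delete_index(base_url, index_name, auth_header, conf_texts, ssl_context=None):
    """Issue the DELETE only after the conf scan comes back clean.

    auth_header is a complete header value such as "Basic <base64>". Pass an
    ssl.SSLContext that trusts the management-port certificate rather than
    skipping verification as the page's `curl -k` examples do.
    """
    conflicts = conflicting_stanzas(conf_texts, index_name)
    if conflicts:
        raise RuntimeError(f"inputs still route to {index_name!r}: {conflicts}")
    url = (base_url.rstrip("/") + "/services/data/indexes/"
           + urllib.parse.quote(index_name, safe=""))
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, context=ssl_context) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 409:
            raise RuntimeError("index was disabled but splunkd was not restarted; "
                               "restart Splunk Enterprise and retry") from err
        raise


if __name__ == "__main__":
    files = {"idx01:/opt/splunk/etc/system/local/inputs.conf": SAMPLE_INPUTS_CONF}
    print(conflicting_stanzas(files, "nogood"))
```

Collect the inputs.conf texts from every forwarder as well as the indexer before calling delete_index; a stanza on a forwarder is enough to lose data once the index is gone.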
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/indexes/shadow
XML Response
. . . <title>indexes</title> <id>https://localhost:8089/services/data/indexes</id> <updated>2012-08-02T11:10:16-07:00</updated> <generator build="131547" version="5.0"/> <author> <name>Splunk</name> </author> <link href="/services/data/indexes/_new" rel="create"/> <link href="/services/data/indexes/_reload" rel="_reload"/> ... opensearch elements elided ... <s:messages/>
GET
Access information about the {name}
index.
Request parameters
Name | Type | Default | Description |
---|---|---|---|
summarize | Boolean | false | [Optional] If true, leaves out certain index details, which provides a faster response. |
Returned values
Name | Description |
---|---|
assureUTF8 | Indicates whether all data retrieved from the index is proper UTF8. If enabled (set to True), degrades indexing performance.
This is a global setting, not a per index setting. |
blockSignSize | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
blockSignatureDatabase | The index that stores block signatures of events.
This is a global setting, not a per index setting. |
bloomfilterTotalSizeKB | Total size of all bloom filter files, in KB. |
coldPath | Filepath to the cold databases for the index. |
coldPath_expanded | Absolute filepath to the cold databases. |
coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
coldToFrozenScript | Path to the archiving script.
See the POST parameter description for details. |
compressRawdata | This value is ignored. splunkd process always compresses raw data. |
currentDBSizeMB | Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths. |
defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
disabled | Indicates if the index is disabled. |
enableRealtimeSearch | Indicates if this is a real-time search.
This is a global setting, not a per index setting. |
frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
homePath | An absolute path that contains the hot and warm buckets for the index. |
homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
indexThreads | Number of threads used for indexing.
This is a global setting, not a per index setting. |
isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
lastInitTime | Last time the index processor was successfully initialized.
This is a global setting, not a per index setting. |
maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
Although the maximum value you can set this to is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 to 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
maxMemMB | The amount of memory, in MB, allocated for indexing.
This is a global setting, not a per index setting. |
maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
maxRunningProcessGroups | Maximum number of processes that the indexer fires off at a time.
This is a global setting, not a per index setting. |
maxTime | UNIX timestamp of the newest event time in the index. |
maxTotalDataSizeMB | The maximum size of an index, in MB. |
maxWarmDBCount | Maximum number of warm buckets. |
memPoolMB | Determines how much memory is given to the indexer memory pool.
This is a global setting, not a per-index setting. |
minRawFileSyncSecs | Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.
The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
minTime | UNIX timestamp of the oldest event time in the index. |
numBloomfilters | The number of bloom filters created for this index. |
numHotBuckets | The number of hot buckets created for this index. |
numWarmBuckets | The number of warm buckets created for this index. |
partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero).
If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require a full re-write are synced at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
quarantineFutureSecs | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
quarantinePastSecs | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
rawChunkSizeBytes | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check if a new hot bucket needs to be created, and how frequently to check if there are any warm/cold buckets that should be rolled/frozen. |
serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
summarize | If true, leaves out certain index details, which provides a faster response. |
suppressBannerList | List of indexes for which we suppress "index missing" warning banner messages.
This is a global setting, not a per index setting. |
sync | Specifies the number of events that trigger the indexer to sync events.
This is a global setting, not a per index setting. |
syncMeta | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
thawedPath | An absolute path that contains the thawed (resurrected) databases for the index. |
thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
throttleCheckPeriod | Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
totalEventCount | Total number of events in the index. |
tsidxDedupPostingsListMaxTermsLimit | This setting is valid only when tsidxWritingLevel is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates.
Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with This setting cannot exceed 1,073,741,824 (2^30). Defaults to 8,388,608 (2^23). |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow
XML Response
...
<title>indexes</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
<updated>2011-08-01T12:25:34-07:00</updated>
<generator version="105103"/>
<author>
  <name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
  <title>shadow</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
  <updated>2011-08-01T11:47:55-07:00</updated>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
  <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
  <link href="/servicesNS/nobody/search/data/indexes/shadow/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="assureUTF8">0</s:key>
      <s:key name="blockSignSize">0</s:key>
      <s:key name="blockSignatureDatabase">_blocksignature</s:key>
      <s:key name="bloomfilterTotalSizeKB">0</s:key>
      <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
      <s:key name="coldPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/colddb</s:key>
      <s:key name="coldToFrozenDir"/>
      <s:key name="coldToFrozenScript"/>
      <s:key name="compressRawdata">1</s:key>
      <s:key name="currentDBSizeMB">1</s:key>
      <s:key name="defaultDatabase">main</s:key>
      <s:key name="disabled">0</s:key>
      ... eai:acl element elided ...
      <s:key name="eai:attributes">
        <s:dict>
          <s:key name="optionalFields">
            <s:list>
              <s:item>assureUTF8</s:item>
              <s:item>blockSignSize</s:item>
              <s:item>coldToFrozenDir</s:item>
              <s:item>coldToFrozenScript</s:item>
              <s:item>compressRawdata</s:item>
              <s:item>frozenTimePeriodInSecs</s:item>
              <s:item>maxConcurrentOptimizes</s:item>
              <s:item>maxDataSize</s:item>
              <s:item>maxHotBuckets</s:item>
              <s:item>maxHotIdleSecs</s:item>
              <s:item>maxHotSpanSecs</s:item>
              <s:item>maxMemMB</s:item>
              <s:item>maxMetaEntries</s:item>
              <s:item>maxRunningProcessGroups</s:item>
              <s:item>maxTotalDataSizeMB</s:item>
              <s:item>maxWarmDBCount</s:item>
              <s:item>minRawFileSyncSecs</s:item>
              <s:item>partialServiceMetaPeriod</s:item>
              <s:item>quarantineFutureSecs</s:item>
              <s:item>quarantinePastSecs</s:item>
              <s:item>rawChunkSizeBytes</s:item>
              <s:item>rotatePeriodInSecs</s:item>
              <s:item>serviceMetaPeriod</s:item>
              <s:item>suppressBannerList</s:item>
              <s:item>syncMeta</s:item>
              <s:item>throttleCheckPeriod</s:item>
            </s:list>
          </s:key>
          <s:key name="requiredFields">
            <s:list/>
          </s:key>
          <s:key name="wildcardFields">
            <s:list/>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="enableRealtimeSearch">1</s:key>
      <s:key name="frozenTimePeriodInSecs">188697600</s:key>
      <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
      <s:key name="homePath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/db</s:key>
      <s:key name="indexThreads">auto</s:key>
      <s:key name="isInternal">0</s:key>
      <s:key name="lastInitTime">1312226552.102920</s:key>
      <s:key name="maxConcurrentOptimizes">3</s:key>
      <s:key name="maxDataSize">auto</s:key>
      <s:key name="maxHotBuckets">3</s:key>
      <s:key name="maxHotIdleSecs">0</s:key>
      <s:key name="maxHotSpanSecs">7776000</s:key>
      <s:key name="maxMemMB">5</s:key>
      <s:key name="maxMetaEntries">1000000</s:key>
      <s:key name="maxRunningProcessGroups">20</s:key>
      <s:key name="maxTime"/>
      <s:key name="maxTotalDataSizeMB">500000</s:key>
      <s:key name="maxWarmDBCount">300</s:key>
      <s:key name="memPoolMB">auto</s:key>
      <s:key name="minRawFileSyncSecs">disable</s:key>
      <s:key name="minTime"/>
      <s:key name="numBloomfilters">0</s:key>
      <s:key name="numHotBuckets">0</s:key>
      <s:key name="numWarmBuckets">0</s:key>
      <s:key name="partialServiceMetaPeriod">0</s:key>
      <s:key name="quarantineFutureSecs">2592000</s:key>
      <s:key name="quarantinePastSecs">77760000</s:key>
      <s:key name="rawChunkSizeBytes">131072</s:key>
      <s:key name="rotatePeriodInSecs">60</s:key>
      <s:key name="serviceMetaPeriod">25</s:key>
      <s:key name="suppressBannerList"/>
      <s:key name="sync">0</s:key>
      <s:key name="syncMeta">1</s:key>
      <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
      <s:key name="thawedPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/thaweddb</s:key>
      <s:key name="throttleCheckPeriod">15</s:key>
      <s:key name="totalEventCount">0</s:key>
    </s:dict>
  </content>
</entry>
POST
Updates the {name} index.
Request parameters
Name | Type | Default | Description |
---|---|---|---|
blockSignSize | Number | 0 | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
bucketRebuildMemoryHint | String | auto | Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.
Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if a rebuild is required. Do not set this parameter unless instructed by Splunk Support.
Values other than "auto" must be in the range 16MB-1GB. The highest legal value (of the numerical part) is 4294967295. You can specify the value using a size suffix: "16777216" and "16MB" are equivalent. |
coldToFrozenDir | String | | Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows: if both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
coldToFrozenScript | String | | Path to the archiving script.
If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs. If your new script in bin/ is named myColdToFrozen.py, set this key to the program followed by the script path, for example "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py".
By default, the example script has two possible behaviors when archiving:
Because splunkd runs whatever script this key names each time a bucket freezes, treat write access to this endpoint as the ability to execute code on the indexer: restrict the capability that allows index edits to the roles that need it, and review changes to this key. |
compressRawdata | Boolean | true | This parameter is ignored. The splunkd process always compresses raw data. |
enableOnlineBucketRepair | Boolean | true | Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software.
When enabled, you do not have to wait until buckets are repaired to start Splunk Enterprise. However, you might observe a slight performance degradation. |
frozenTimePeriodInSecs | Number | 188697600 | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
maxBloomBackfillBucketAge | Number | 30d | Valid values are: Integer[m|s|h|d]
If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters. For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it. |
maxConcurrentOptimizes | Number | 6 | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
maxDataSize | Number | auto | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
Although the maximum value you can set this to is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
maxHotBuckets | Number | 3 | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
maxHotIdleSecs | Number | 0 | Maximum life, in seconds, of a hot bucket. Defaults to 0.
If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time). |
maxHotSpanSecs | Number | 7776000 | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
maxMemMB | Number | 5 | The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your system's memory and on splunkd stability and performance. |
maxMetaEntries | Number | 1000000 | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when the maximum is exceeded and the bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless the excess is significant. |
maxTimeUnreplicatedNoAcks | Number | 300 | Upper limit, in seconds, on how long an event can sit in a raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this parameter does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
maxTimeUnreplicatedWithAcks | Number | 60 | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
maxTotalDataSizeMB | Number | 500000 | The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen. |
maxWarmDBCount | Number | 300 | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold. |
minRawFileSyncSecs | Number | disable | Specify an integer (or "disable") for this parameter.
This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed. |
minStreamGroupQueueSize | Number | 2000 | Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Caution: Do not set this value, except under advice from Splunk Support. |
partialServiceMetaPeriod | Number | 0 | Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require a full re-write are synced at serviceMetaPeriod.
If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero). |
processTrackerServiceInterval | Number | 1 | Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 1.
If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295. |
quarantineFutureSecs | Number | 2592000 | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
quarantinePastSecs | Number | 77760000 | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
rawChunkSizeBytes | Number | 131072 | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support. |
repFactor | String | 0 | Index replication control. This parameter applies only to indexer cluster peer nodes. |
rotatePeriodInSecs | Number | 60 | How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen. |
serviceMetaPeriod | Number | 25 | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
syncMeta | Boolean | true | When true, a sync operation is called before the file descriptor is closed on metadata file updates. This functionality improves the integrity of metadata files, especially with regard to operating system crashes and machine failures.
Note: Do not change this parameter without input from Splunk Support. |
throttleCheckPeriod | Number | 15 | Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
tstatsHomePath | String | volume:_splunk_summaries/$_index_name/tstats | Location to store data model acceleration TSIDX data for this index. Restart splunkd after changing this parameter.
If specified, it must be defined in terms of a volume definition. Caution: Path must be writable. |
warmToColdScript | String | | Path to a script to run when moving data from warm to cold.
This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk Support if you need help configuring this setting. Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used. |
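A worked example of sending the POST described above, added here and not Splunk's own code: it checks the proposed parameters against the constraints the table states before building the request, confines coldToFrozenScript to $SPLUNK_HOME/bin because splunkd executes that path when a bucket freezes, and verifies the management port's certificate instead of passing -k as the curl example does. It assumes a Splunk authentication token sent as Authorization: Bearer and a CA bundle for the management port; the host, token and bundle path are placeholders.

```python
"""Validate and send a data/indexes/{name} update (added example, not Splunk code)."""
import shlex
import ssl
import urllib.parse
import urllib.request

# Constraints taken from the parameter table above.
MAX_DATA_SIZE_KEYWORDS = {"auto", "auto_high_volume"}
MAX_DATA_SIZE_SUPPORTED = (100, 50000)  # MB; outside this range needs Splunk Support approval
INTEGER_KEYS = ("frozenTimePeriodInSecs", "maxTotalDataSizeMB", "maxHotBuckets", "maxWarmDBCount")
SCRIPT_ROOT = "$SPLUNK_HOME/bin"        # coldToFrozenScript must live under here


def validate_index_params(params):
    """Return a list of problems with a proposed update; an empty list means it is safe to send."""
    problems = []
    for key in INTEGER_KEYS:
        if key in params:
            try:
                if int(params[key]) < 0:
                    problems.append(f"{key} must be a non-negative integer")
            except ValueError:
                problems.append(f"{key} must be an integer")
    if "maxDataSize" in params:
        value = str(params["maxDataSize"])
        lo, hi = MAX_DATA_SIZE_SUPPORTED
        if value not in MAX_DATA_SIZE_KEYWORDS and not (value.isdigit() and lo <= int(value) <= hi):
            problems.append("maxDataSize must be auto, auto_high_volume, or 100-50000 MB")
    script = params.get("coldToFrozenScript")
    if script:
        # splunkd executes this path when a bucket freezes: confine it to $SPLUNK_HOME/bin.
        parts = shlex.split(script)          # '"<interpreter>" "<script>"' or "<script>"
        target = parts[-1] if parts else ""
        if not target.startswith(SCRIPT_ROOT + "/") or ".." in target:
            problems.append("coldToFrozenScript must point inside $SPLUNK_HOME/bin")
        if target.endswith("coldToFrozenExample.py"):
            problems.append("copy coldToFrozenExample.py to a new file instead of using it directly")
        if params.get("coldToFrozenDir"):
            problems.append("coldToFrozenDir takes precedence, so coldToFrozenScript would be ignored")
    return problems


def build_index_update(host, index, params, token, user="nobody", app="search"):
    """Return (url, body, headers) for POST servicesNS/{user}/{app}/data/indexes/{index}."""
    problems = validate_index_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    segments = ("servicesNS", user, app, "data", "indexes", index)
    url = f"https://{host}:8089/" + "/".join(urllib.parse.quote(s, safe="") for s in segments)
    body = urllib.parse.urlencode(params).encode()
    headers = {"Authorization": f"Bearer {token}",  # assumption: token auth is enabled
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, body, headers


def send_index_update(host, index, params, token, ca_bundle):
    """Send the update, verifying the management port's certificate against ca_bundle."""
    url, body, headers = build_index_update(host, index, params, token)
    context = ssl.create_default_context(cafile=ca_bundle)
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return response.read()


if __name__ == "__main__":
    # The same change as the curl example on this page, with the parameters checked first.
    print(build_index_update("localhost", "shadow", {"maxTotalDataSizeMB": "400000"}, "<token>"))
```

The validator is deliberately strict about coldToFrozenScript: a caller that can set this key chooses which program the indexer runs, so the check rejects anything outside $SPLUNK_HOME/bin, any path containing "..", and the shipped example script, and it warns when coldToFrozenDir is also set because the table says the directory wins.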
Returned values
Name | Description |
---|---|
assureUTF8 | Boolean value indicating whether all data retrieved from the index is valid UTF-8.
If enabled (set to true), indexing performance degrades. Can only be set globally. |
blockSignSize | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
blockSignatureDatabase | The index that stores block signatures of events.
This is a global setting, not a per index setting. |
bucketRebuildMemoryHint | Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. |
coldPath | Filepath to the cold databases for the index. |
coldPath_expanded | Absolute filepath to the cold databases. |
coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows: if both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
coldToFrozenScript | Path to the archiving script.
See the POST parameter description for details. |
compressRawdata | This value is ignored. splunkd process always compresses raw data. |
currentDBSizeMB | Total size, in MB, of data stored in the index. The total includes data in the home, cold and thawed paths. |
defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
enableOnlineBucketRepair | Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk software. |
enableRealtimeSearch | Indicates whether real-time search is enabled.
This is a global setting, not a per index setting. |
frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
homePath | Filepath to the hot and warm buckets for the index, as configured (may use variables such as $SPLUNK_DB). |
homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
indexThreads | Number of threads used for indexing.
This is a global setting, not a per index setting. |
isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
lastInitTime | Last time the index processor was successfully initialized.
This is a global setting, not a per index setting. |
maxBloomBackfillBucketAge | If a bucket (warm or cold) is older than this, Splunk Enterprise does not create (or re-create) its bloom filter. |
maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
maxMemMB | The amount of memory, in MB, allocated for indexing.
This is a global setting, not a per index setting. |
maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
maxTime | UNIX timestamp of the newest event time in the index. |
maxTimeUnreplicatedNoAcks | Upper limit, in seconds, on how long an event can sit in a raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this parameter does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
maxTimeUnreplicatedWithAcks | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
maxTotalDataSizeMB | The maximum size of an index, in MB. |
maxWarmDBCount | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold. |
memPoolMB | Determines how much memory is given to the indexer memory pool.
This is a global setting, not a per-index setting. |
minRawFileSyncSecs | Can be either an integer or "disable". Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed.
The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
minStreamGroupQueueSize | Minimum size of the queue that stores events in memory before committing them to a tsidx file. |
minTime | UNIX timestamp of the oldest event time in the index. |
partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero).
If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require a full re-write are synced at serviceMetaPeriod. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
processTrackerServiceInterval | How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. |
quarantineFutureSecs | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
quarantinePastSecs | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
rawChunkSizeBytes | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
repFactor | Index replication control. This parameter applies only to indexer cluster peer nodes. |
rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check whether a new hot bucket needs to be created, and whether there are any warm/cold buckets that should be rolled/frozen. |
serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
suppressBannerList | List of indexes for which we suppress "index missing" warning banner messages.
This is a global setting, not a per index setting. |
sync | Specifies the number of events that trigger the indexer to sync events.
This is a global setting, not a per index setting. |
syncMeta | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
thawedPath | Filepath to the thawed (resurrected) databases for the index. |
thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
throttleCheckPeriod | Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
totalEventCount | Total number of events in the index. |
tsidxDedupPostingsListMaxTermsLimit | This setting is valid only when tsidxWritingLevel is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing duplicate term postings lists.
Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with
This setting cannot exceed 1,073,741,824 (2^30). Defaults to 8,388,608 (2^23). |
tstatsHomePath | Location where datamodel acceleration TSIDX data for this index is stored. |
warmToColdScript | Script to run when moving data from warm to cold. See input parameter description for details. |
Example request and response
XML Request
curl -k -u admin:pass -d maxTotalDataSizeMB=400000 https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow
XML Response
...
<title>indexes</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
<updated>2011-05-16T12:20:06-07:00</updated>
<generator version="98392"/>
<author>
  <name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
  <title>shadow</title>
  <id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
  <updated>2011-05-16T12:18:56-07:00</updated>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
  <link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="assureUTF8">0</s:key>
      <s:key name="blockSignSize">0</s:key>
      <s:key name="blockSignatureDatabase">_blocksignature</s:key>
      <s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
      <s:key name="coldPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/colddb</s:key>
      <s:key name="coldToFrozenDir"></s:key>
      <s:key name="coldToFrozenScript"></s:key>
      <s:key name="compressRawdata">1</s:key>
      <s:key name="currentDBSizeMB">1</s:key>
      <s:key name="defaultDatabase">main</s:key>
      <s:key name="eai:acl">. . .</s:key>
      <s:key name="enableRealtimeSearch">1</s:key>
      <s:key name="frozenTimePeriodInSecs">188697600</s:key>
      <s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
      <s:key name="homePath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/db</s:key>
      <s:key name="indexThreads">auto</s:key>
      <s:key name="isInternal">0</s:key>
      <s:key name="lastInitTime">1305573611.118477</s:key>
      <s:key name="maxConcurrentOptimizes">3</s:key>
      <s:key name="maxDataSize">auto</s:key>
      <s:key name="maxHotBuckets">3</s:key>
      <s:key name="maxHotIdleSecs">0</s:key>
      <s:key name="maxHotSpanSecs">7776000</s:key>
      <s:key name="maxMemMB">5</s:key>
      <s:key name="maxMetaEntries">1000000</s:key>
      <s:key name="maxTime"></s:key>
      <s:key name="maxTotalDataSizeMB">400000</s:key>
      <s:key name="maxWarmDBCount">300</s:key>
      <s:key name="memPoolMB">auto</s:key>
      <s:key name="minRawFileSyncSecs">disable</s:key>
      <s:key name="minTime"></s:key>
      <s:key name="partialServiceMetaPeriod">0</s:key>
      <s:key name="quarantineFutureSecs">2592000</s:key>
      <s:key name="quarantinePastSecs">77760000</s:key>
      <s:key name="rawChunkSizeBytes">131072</s:key>
      <s:key name="rotatePeriodInSecs">60</s:key>
      <s:key name="serviceMetaPeriod">25</s:key>
      <s:key name="suppressBannerList"></s:key>
      <s:key name="sync">0</s:key>
      <s:key name="syncMeta">1</s:key>
      <s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
      <s:key name="thawedPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/thaweddb</s:key>
      <s:key name="throttleCheckPeriod">15</s:key>
      <s:key name="totalEventCount">0</s:key>
    </s:dict>
  </content>
</entry>
data/indexes-extended
https://<host>:<mPort>/services/data/indexes-extended
Access index bucket-level information. There are three bucket super-directories per index.
- home
- cold
- thawed
GET
List bucket attributes for all indexes.
Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.
Note: At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
Request parameters
Pagination and filtering parameters can be used with this method.
Name | Type | Default | Description |
---|---|---|---|
datatype | String | all | Valid values: (all | event | metric). Specifies the type of index. |
Returned values
Name | Description |
---|---|
bucket_dirs | (If total_size > 0) Attributes for each index bucket super-directory, as shown in the example response: home reports event_count, event_min_time and event_max_time (UNIX timestamps), hot_bucket_count, warm_bucket_count and size (fractional MB); cold and thawed report bucket_count and size. |
name | Index name. |
total_bucket_count | (If total_size > 0) Number of index buckets. |
total_event_count | (If total_size > 0) Number of events for the index, excluding frozen events. Approximately equal to the event_count sum of all buckets. |
total_raw_size | (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen. |
total_size | Size (fractional MB) on disk of this index. |
Example request and response
XML Request
curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended
XML Response
...
<title>introspection--disk-objects--indexes</title>
<id>https://localhost:8089/services/data/indexes-extended</id>
<updated>2014-03-31T12:41:09-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
  <name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
  <title>_audit</title>
  <id>https://localhost:8089/services/data/indexes-extended/_audit</id>
  <updated>2014-03-31T12:41:09-07:00</updated>
  <link href="/services/data/indexes-extended/_audit" rel="alternate"/>
  <author>
    <name>system</name>
  </author>
  <link href="/services/data/indexes-extended/_audit" rel="list"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="bucket_dirs">
        <s:dict>
          <s:key name="cold">
            <s:dict>
              <s:key name="bucket_count">0</s:key>
              <s:key name="size">0.000</s:key>
            </s:dict>
          </s:key>
          <s:key name="home">
            <s:dict>
              <s:key name="event_count">6169</s:key>
              <s:key name="event_max_time">1395246673</s:key>
              <s:key name="event_min_time">1394732683</s:key>
              <s:key name="hot_bucket_count">1</s:key>
              <s:key name="size">1.000</s:key>
              <s:key name="warm_bucket_count">5</s:key>
            </s:dict>
          </s:key>
          <s:key name="thawed">
            <s:dict>
              <s:key name="bucket_count">0</s:key>
              <s:key name="size">0.000</s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="eai:acl"> ... elided ... </s:key>
      <s:key name="name">_audit</s:key>
      <s:key name="total_bucket_count">6</s:key>
      <s:key name="total_event_count">18096</s:key>
      <s:key name="total_raw_size">1.000</s:key>
      <s:key name="total_size">1.000</s:key>
    </s:dict>
  </content>
</entry>
. . . elided . . .
<entry>
  <title>summary</title>
  <id>https://localhost:8089/services/data/indexes-extended/summary</id>
  <updated>2014-03-31T12:41:09-07:00</updated>
  <link href="/services/data/indexes-extended/summary" rel="alternate"/>
  <author>
    <name>system</name>
  </author>
  <link href="/services/data/indexes-extended/summary" rel="list"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="eai:acl"> ... elided ... </s:key>
      <s:key name="name">summary</s:key>
      <s:key name="total_size">0.000</s:key>
    </s:dict>
  </content>
</entry>
data/indexes-extended/{name}
https://<host>:<mPort>/services/data/indexes-extended/{name}
Access bucket-level information for the {name} index. There are three bucket super-directories per index:
- home
- cold
- thawed
GET
Get {name} bucket information.
Usage details
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.
Note: At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
Request parameters
None
Returned values
Name | Description |
---|---|
bucket_dirs | (If total_size > 0) Attributes for each index bucket super-directory (home, cold, thawed), as shown in the example response. |
name | Index name. |
total_bucket_count | (If total_size > 0) Number of index buckets. |
total_event_count | (If total_size > 0) Number of events for the index, excluding frozen events. Approximately equal to the sum of event_count over all buckets. |
total_raw_size | (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen. |
total_size | Size (fractional MB) on disk of this index. |
Example request and response
XML Request
curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended/history
XML Response
... <title>introspection--disk-objects--indexes</title> <id>https://localhost:8089/services/data/indexes-extended</id> <updated>2014-03-31T12:42:29-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> ... opensearch elements elided ... <s:messages/> <entry> <title>_internal</title> <id>https://localhost:8089/services/data/indexes-extended/_internal</id> <updated>2014-03-31T12:42:29-07:00</updated> <link href="/services/data/indexes-extended/_internal" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/data/indexes-extended/_internal" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="bucket_dirs"> <s:dict> <s:key name="cold"> <s:dict> <s:key name="bucket_count">0</s:key> <s:key name="size">0.000</s:key> </s:dict> </s:key> <s:key name="home"> <s:dict> <s:key name="event_count">180492</s:key> <s:key name="event_max_time">1395246673</s:key> <s:key name="event_min_time">1392167582</s:key> <s:key name="hot_bucket_count">3</s:key> <s:key name="size">9.000</s:key> <s:key name="warm_bucket_count">6</s:key> </s:dict> </s:key> <s:key name="thawed"> <s:dict> <s:key name="bucket_count">0</s:key> <s:key name="size">0.000</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="eai:acl"> ... elided ... </s:key> <s:key name="eai:attributes"> ... elided ... </s:key> <s:key name="name">_internal</s:key> <s:key name="total_bucket_count">9</s:key> <s:key name="total_event_count">556322</s:key> <s:key name="total_raw_size">28.000</s:key> <s:key name="total_size">22.000</s:key> </s:dict> </content> </entry>
data/summaries
https://<host>:<mPort>/services/data/summaries
Get disk usage information about all summaries in an indexer.
GET
Gets current summary disk usage information.
Usage details
By default, this information is available five minutes after starting the Splunk deployment. Adjust this availability timing in server.conf.
Request parameters
Name | Description |
---|---|
report_acceleration | Optional. Use "report_acceleration=1" to access disk usage by report acceleration summary. |
data_model_acceleration | Optional. Use "data_model_acceleration=1" to access disk usage by data model acceleration summary. |
Pagination and filtering parameters can be used with this method.
Returned values
For each summary, the following values are returned.
Name | Description |
---|---|
name | Summary name. |
related_indexes | Lists up to 10 indexes that contribute to this summary. |
related_indexes_count | Provides total count of related indexes for this summary. |
search_head_guid | GUID for the search head that created the summary data. |
total_bucket_count | Number of buckets for this summary. |
total_size | Total disk size for this summary, in MB. |
type | Summary type, either "report_acceleration" or "data_model_acceleration". |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/data/summaries
XML Response
... <title>introspection--disk-objects--summaries</title> <id>https://localhost:8089/services/data/summaries</id> <updated>2015-09-16T16:05:35-07:00</updated> <generator build="8a67aa2a9bd9cced535484eb781ded292ae81b7a" version="20150914"/> <author> <name>Splunk</name> </author> <link href="/services/data/summaries/_acl" rel="_acl"/> <opensearch:totalResults>3</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>DM_launcher_mydatamodel</title> <id>https://localhost:8089/services/data/summaries/DM_launcher_mydatamodel</id> <updated>2015-09-16T16:05:35-07:00</updated> <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="name">DM_launcher_mydatamodel</s:key> <s:key name="related_indexes">_internal</s:key> <s:key name="related_indexes_count">1</s:key> <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key> <s:key name="total_bucket_count">13</s:key> <s:key name="total_size">2.000</s:key> <s:key name="type">data_model_acceleration</s:key> </s:dict> </content> </entry> <entry> <title>search_admin_NS13c34e21cf577d62</title> <id>https://localhost:8089/services/data/summaries/search_admin_NS13c34e21cf577d62</id> <updated>2015-09-16T16:05:35-07:00</updated> <link href="/services/data/summaries/search_admin_NS13c34e21cf577d62" 
rel="alternate"/> <author> <name>system</name> </author> <link href="/services/data/summaries/search_admin_NS13c34e21cf577d62" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="name">search_admin_NS13c34e21cf577d62</s:key> <s:key name="related_indexes">_internal</s:key> <s:key name="related_indexes_count">1</s:key> <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key> <s:key name="total_bucket_count">9</s:key> <s:key name="total_size">2.000</s:key> <s:key name="type">report_acceleration</s:key> </s:dict> </content> </entry> <entry> <title>search_admin_NS6f37597da0cade4c</title> <id>https://localhost:8089/services/data/summaries/search_admin_NS6f37597da0cade4c</id> <updated>2015-09-16T16:05:35-07:00</updated> <link href="/services/data/summaries/search_admin_NS6f37597da0cade4c" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/data/summaries/search_admin_NS6f37597da0cade4c" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="name">search_admin_NS6f37597da0cade4c</s:key> <s:key name="related_indexes">_internal</s:key> <s:key 
name="related_indexes_count">1</s:key> <s:key name="search_head_guid">A6FF485E-7AA5-412D-8E03-BE3ED42BA327</s:key> <s:key name="total_bucket_count">9</s:key> <s:key name="total_size">4.000</s:key> <s:key name="type">report_acceleration</s:key> </s:dict> </content> </entry>
data/summaries/{summary_name}
https://<host>:<mPort>/services/data/summaries/{summary_name}
Get disk usage information about the {name} indexer summary.
GET
Get disk usage information for the {name} summary.
Request parameters
None.
Returned values
Name | Description |
---|---|
name | Summary name. |
related_indexes | Lists up to 10 indexes that contribute to this summary. |
related_indexes_count | Provides total count of related indexes for this summary. |
search_head_guid | GUID for search head creating the summary data. |
total_bucket_count | Number of buckets for this summary. |
total_size | Total summary disk size in MB. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/data/summaries/my_summary
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>introspection--disk-objects--summaries</title> <id>https://localhost:8089/services/data/summaries</id> <updated>2015-09-11T15:27:46-07:00</updated> <generator build="049b19239844e1f7e09be3d55713c1aae663e7ae" version="20150910"/> <author> <name>Splunk</name> </author> <link href="/services/data/summaries/_acl" rel="_acl"/> <opensearch:totalResults>3</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> ... opensearch elements elided ... <entry> <title>DM_launcher_mydatamodel</title> <id>https://localhost:8089/services/data/summaries/DM_launcher_mydatamodel</id> <updated>2015-09-11T15:27:46-07:00</updated> <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/data/summaries/DM_launcher_mydatamodel" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="name">DM_launcher_mydatamodel</s:key> <s:key name="related_indexes">_audit,_internal</s:key> <s:key name="related_indexes_count">2</s:key> <s:key name="search_head_guid">58F60B1E-F098-41F7-BFEC-FE285489E67D</s:key> <s:key name="total_bucket_count">88</s:key> <s:key name="total_size">312.000</s:key> </s:dict> </content> </entry> </feed>
server/health/deployment
https://<host>:<mPort>/services/server/health/deployment
Shows the overall health of a distributed deployment. The health of the deployment can be red, yellow, or green. The overall health of the deployment is based on the health of all features reporting to it.
Authentication and Authorization
Requires the admin role or list_health capability.
GET
Get the health status of a distributed deployment.
Request parameters
None
Returned values
Name | Datatype | Description |
---|---|---|
health | String | Indicates the overall health of the deployment. Health status can be red, yellow, or green. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/server/health/deployment
XML Response
<title>deployment</title> <id>https://localhost:8089/services/server/health/deployment</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/services/server/health/deployment" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/health/deployment" rel="list"/> <link href="/services/server/health/deployment/details" rel="details"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="health">yellow</s:key> </s:dict> </content> </entry>
server/health/deployment/details
https://<host>:<mPort>/services/server/health/deployment/details
Shows the overall health of the distributed deployment, as well as each feature node and its respective color.
Authentication and Authorization
Requires the admin role or list_health capability.
GET
Get health status of distributed deployment features.
Request parameters
None
Returned values
Name | Datatype | Description |
---|---|---|
health | String | Indicates the color of the feature: red, yellow or green. The color of mid-level features defaults to the worst health status color of all features reporting to it. |
reason | String | Descriptive string that explains the reason the indicator is non-green. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/server/health/deployment/details
XML Response
<title>health-report</title> <id>https://localhost:8089/services/server/health</id> <updated>2019-08-01T13:04:45-07:00</updated> <generator build="8a199673a7ad87ac32419af7544dfdb1e22073ed" version="20190801"/> <author> <name>Splunk</name> </author> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>deployment</title> <id>https://localhost:8089/services/server/health/deployment</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/services/server/health/deployment" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/health/deployment" rel="list"/> <link href="/services/server/health/deployment/details" rel="details"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="features"> <s:dict> <s:key name="health">yellow</s:key> <s:key name="num_green">0</s:key> <s:key name="num_red">0</s:key> <s:key name="num_yellow">2</s:key> <s:key name="splunkd"> <s:dict> <s:key name="health">yellow</s:key> <s:key name="indexer_clustering"> <s:dict> <s:key name="health">yellow</s:key> <s:key name="num_green">0</s:key> <s:key name="num_red">0</s:key> <s:key name="num_yellow">2</s:key> <s:key name="slave_state"> <s:dict> <s:key name="health">yellow</s:key> <s:key name="num_green">0</s:key> <s:key name="num_red">0</s:key> <s:key name="num_yellow">2</s:key> <s:key name="slave_state"> <s:dict> <s:key 
name="description">description for the indicator TODO</s:key> <s:key name="health">yellow</s:key> <s:key name="instances"> <s:dict> <s:key name="51C1A657-2E66-4138-9920-597F38495B72"> <s:dict> <s:key name="guid">51C1A657-2E66-4138-9920-597F38495B72</s:key> <s:key name="health">yellow</s:key> <s:key name="measured_value">0</s:key> <s:key name="name">fool02.sv.splunk.com</s:key> <s:key name="reason">CMPeer is in manual detention.</s:key> <s:key name="timestamp">1564689878.099799</s:key> </s:dict> </s:key> <s:key name="BCC9FA7B-23F1-4A6B-AA2F-F88273CC557F"> <s:dict> <s:key name="guid">BCC9FA7B-23F1-4A6B-AA2F-F88273CC557F</s:key> <s:key name="health">yellow</s:key> <s:key name="measured_value">0</s:key> <s:key name="name">fool03.sv.splunk.com</s:key> <s:key name="reason">CMPeer is in manual detention.</s:key> <s:key name="timestamp">1564689878.086763</s:key> </s:dict> </s:key> <s:key name="health">yellow</s:key> <s:key name="num_green">0</s:key> <s:key name="num_red">0</s:key> <s:key name="num_yellow">2</s:key> </s:dict> </s:key> <s:key name="name">slave_state</s:key> <s:key name="num_green">0</s:key> <s:key name="num_red">0</s:key> <s:key name="num_yellow">2</s:key> <s:key name="path">splunkd.indexer_clustering.slave_state.slave_state</s:key> </s:dict> </s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="num_green">0</s:key> <s:key name="num_red">0</s:key> <s:key name="num_yellow">2</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="health">yellow</s:key> </s:dict> </content> </entry> </feed>
server/health/splunkd
https://<host>:<mPort>/services/server/health/splunkd
Shows the overall health of splunkd. The health of splunkd can be red, yellow, or green. The health of splunkd is based on the health of all features reporting to it.
Authentication and Authorization
Requires the admin role or list_health capability.
GET
Get the health status of splunkd.
Request parameters
None
Returned values
Name | Datatype | Description |
---|---|---|
health | String | Indicates the overall health of splunkd. Health status can be red, yellow, or green. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/server/health/splunkd
XML Response
<title>health-report</title> <id>https://10.141.65.195:41405/services/server/health</id> <updated>2018-04-04T21:32:40+00:00</updated> <generator build="b233a6c1ade2" version="7.2.0"/> <author> <name>Splunk</name> </author> <link href="/services/server/health/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>splunkd</title> <id>https://10.141.65.195:41405/services/server/health/splunkd</id> <updated>1970-01-01T00:00:00+00:00</updated> <link href="/services/server/health/splunkd" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/health/splunkd" rel="list"/> <link href="/services/server/health/splunkd/details" rel="details"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="health">red</s:key> </s:dict> </content> </entry>
server/health/splunkd/details
https://<host>:<mPort>/services/server/health/splunkd/details
Shows the overall health of the splunkd health status tree, as well as each feature node and its respective color. For unhealthy nodes (non-green), the output includes reasons, indicators, thresholds, messages, and so on.
Authentication and Authorization
Requires the admin role or list_health capability.
GET
Get health status of splunkd features.
Request parameters
None
Returned values
Name | Datatype | Description |
---|---|---|
health | String | Indicates the color of the feature: red, yellow or green. The color of mid-level features is the worst color of all the features reporting to it. |
messages | String | The last 50 messages from splunkd.log that might relate to the feature status change. Returned only if a feature color is not green. |
reasons | String | Describes the indicator(s) that caused the feature's status to change to a non-green state. Returned only if a feature color is not green. |
due_to_stanza | String | Indicates the stanza name in health.conf where the configuration for the non-green indicator exists. |
due_to_threshold | String | Indicates the threshold because of which the color of the indicator is non-green. |
due_to_threshold_value | Numeric | Indicates the value of the above threshold. |
indicator | String | Name of the indicator because of which the feature is non-green. |
reason | String | Descriptive string that explains the reason the indicator is non-green. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/server/health/splunkd/details
XML Response
<title>health-report</title> <id>https://10.141.65.213:42270/services/server/health</id> <updated>2018-04-03T20:05:34+00:00</updated> <generator build="b233a6c1ade2" version="7.2.0"/> <author> <name>Splunk</name> </author> <link href="/services/server/health/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>splunkd</title> <id>https://10.141.65.213:42270/services/server/health/splunkd</id> <updated>1970-01-01T00:00:00+00:00</updated> <link href="/services/server/health/splunkd" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/health/splunkd" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="features"> <s:dict> <s:key name="Data Forwarding"> <s:dict> <s:key name="features"> <s:dict> <s:key name="Splunk-2-Splunk Forwarding"> <s:dict> <s:key name="features"> <s:dict> <s:key name="TCPOutAutoLB-0"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="health">green</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="health">green</s:key> </s:dict> </s:key> <s:key name="File Monitor Input"> <s:dict> <s:key name="features"> <s:dict> <s:key name="BatchReader-0"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> <s:key name="TailReader-0"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key 
name="health">green</s:key> </s:dict> </s:key> <s:key name="Indexer Clustering"> <s:dict> <s:key name="features"> <s:dict> <s:key name="Cluster Bundles"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> <s:key name="Data Durability"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> <s:key name="Data Searchable"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> <s:key name="Indexers"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> <s:key name="Indexing Ready"> <s:dict> <s:key name="health">green</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="health">green</s:key> </s:dict> </s:key> </s:dict> </s:key> <s:key name="health">green</s:key> </s:dict> </content> </entry>
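Working with these health endpoints in practice means decoding the nested s:dict/s:key tree of an Atom response and walking the feature hierarchy for anything that is not green. The following added example (not Splunk's code) does that for a server/health/splunkd/details or server/health/deployment/details style feed, reporting each non-green feature with its dotted path, reasons and messages; the same parse_value decoding applies to the data/indexes-extended and data/summaries responses shown earlier. It runs against a constructed sample feed whose feature, indicator and stanza names are placeholders.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"
RANK = {"green": 0, "yellow": 1, "red": 2}
# Constructed sample shaped like a server/health/splunkd/details response; names are placeholders.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>health-report</title><entry><title>splunkd</title><content type="text/xml"><s:dict>
<s:key name="health">red</s:key>
<s:key name="features"><s:dict>
 <s:key name="File Monitor Input"><s:dict><s:key name="health">green</s:key></s:dict></s:key>
 <s:key name="Data Forwarding"><s:dict><s:key name="health">yellow</s:key>
  <s:key name="features"><s:dict><s:key name="TCPOutAutoLB-0"><s:dict>
   <s:key name="health">yellow</s:key>
   <s:key name="messages"><s:list><s:item>sample log line 1</s:item><s:item>sample log line 2</s:item></s:list></s:key>
   <s:key name="reasons"><s:dict><s:key name="yellow"><s:dict><s:key name="0"><s:dict>
    <s:key name="due_to_stanza">feature:sample_forwarding</s:key>
    <s:key name="due_to_threshold">indicator:sample_queue_ratio:yellow</s:key>
    <s:key name="due_to_threshold_value">70</s:key>
    <s:key name="indicator">sample_queue_ratio</s:key>
    <s:key name="reason">Constructed: queue fill ratio above yellow threshold.</s:key>
   </s:dict></s:key></s:dict></s:key></s:dict></s:key>
  </s:dict></s:key></s:dict></s:key>
 </s:dict></s:key>
 <s:key name="Indexer Clustering"><s:dict><s:key name="health">red</s:key>
  <s:key name="features"><s:dict><s:key name="Data Durability"><s:dict>
   <s:key name="health">red</s:key>
   <s:key name="reasons"><s:dict><s:key name="red"><s:dict><s:key name="0"><s:dict>
    <s:key name="due_to_stanza">feature:sample_durability</s:key>
    <s:key name="due_to_threshold">indicator:sample_rf_not_met:red</s:key>
    <s:key name="due_to_threshold_value">1</s:key>
    <s:key name="indicator">sample_rf_not_met</s:key>
    <s:key name="reason">Constructed: replication factor not met.</s:key>
   </s:dict></s:key></s:dict></s:key></s:dict></s:key>
  </s:dict></s:key></s:dict></s:key>
 </s:dict></s:key>
</s:dict></s:key></s:dict></content></entry></feed>"""

def parse_value(elem):
    """Decode the Splunk REST <s:dict>/<s:list>/text encoding into plain Python data."""
    d = elem.find(S + "dict")
    if d is not None:
        return {k.get("name"): parse_value(k) for k in d.findall(S + "key")}
    lst = elem.find(S + "list")
    if lst is not None:
        return [parse_value(i) for i in lst.findall(S + "item")]
    return (elem.text or "").strip()

def parse_entries(xml_text):
    """Map each Atom <entry> title to its decoded <content> dict."""
    root = ET.fromstring(xml_text)
    return {e.findtext(ATOM + "title"): parse_value(e.find(ATOM + "content"))
            for e in root.iter(ATOM + "entry") if e.find(ATOM + "content") is not None}

def sub_features(node):
    """Yield (name, dict) child features. splunkd/details nests them under 'features',
    deployment/details nests per-peer entries under 'instances'; both containers are flattened."""
    for name, child in node.items():
        if name == "reasons" or name.startswith("eai:") or not isinstance(child, dict):
            continue
        if name in ("features", "instances"):
            yield from sub_features(child)
        else:
            yield name, child

def reason_records(value):
    """Collect the leaf reason records (dicts with an 'indicator' key) under a 'reasons' value."""
    if not isinstance(value, dict):
        return []
    return [value] if "indicator" in value else [r for v in value.values() for r in reason_records(v)]

def non_green(node, path):
    """Depth-first walk reporting every node whose health is not green, with its dotted path."""
    findings = []
    color = node.get("health", "")
    if color and color != "green":
        reasons = [f"{r.get('indicator')} ({r.get('due_to_threshold')}={r.get('due_to_threshold_value')}): "
                   f"{r.get('reason')}" for r in reason_records(node.get("reasons"))]
        if isinstance(node.get("reason"), str) and node["reason"]:  # instance nodes carry one 'reason'
            reasons.append(node["reason"])
        findings.append({"path": path, "health": color, "reasons": reasons,
                         "messages": node.get("messages", [])})
    for name, child in sub_features(node):
        findings.extend(non_green(child, f"{path}.{name}"))
    return findings

def worst_color(findings):
    """Roll findings up to one color, the way a mid-level feature inherits the worst child color."""
    return max((f["health"] for f in findings), key=lambda c: RANK.get(c, -1), default="green")

def health_findings(xml_text):
    """Decode a health/details feed and list its non-green features in tree order."""
    return [f for title, tree in parse_entries(xml_text).items() for f in non_green(tree, title)]

if __name__ == "__main__":
    found = health_findings(SAMPLE_FEED)
    print("overall:", worst_color(found))
    for f in found:
        print(f"{f['health']:6} {f['path']}", *f["reasons"], sep="\n    ")
```

To run it against a live instance, feed the body of the curl response shown above to health_findings instead of SAMPLE_FEED.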
server/health-config
https://<host>:<mPort>/services/server/health-config
Endpoint to configure the splunkd health report.
Authentication and Authorization
Requires the admin role or list_health capability.
GET
List configuration information for the splunkd health report.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:password https://localhost:8089/services/server/health-config
XML Response
<entry> <title>alert_action:email</title> <id>https://localhost:8089/services/server/health-config/alert_action%3Aemail</id> <link href="/services/server/health-config/alert_action%3Aemail" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/health-config/alert_action%3Aemail" rel="list"/> <link href="/services/server/health-config/alert_action%3Aemail" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="action.cc">a@company.com, b@company.com</s:key> <s:key name="action.to">c@company.com</s:key> </s:dict> </content> </entry> <entry> <title>health_reporter</title> <id>https://localhost:8089/services/server/health-config/health_reporter</id> <link href="/services/server/health-config/health_reporter" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/health-config/health_reporter" rel="list"/> <link href="/services/server/health-config/health_reporter" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="alert.disabled">0</s:key> <s:key name="alert.actions">email, webhook</s:key> <s:key name="alert.min_duration_sec">600</s:key> <s:key name="alert.suppress_period">10m</s:key> </s:dict> </content> </entry> <entry> <title>feature:batchreader</title> <id>https://localhost:8089/services/server/health-config/feature%3Abatchreader</id> <link href="/services/server/health-config/feature%3Abatchreader" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/health-config/feature%3Abatchreader" rel="list"/> <link href="/services/server/health-config/feature%3Abatchreader/_reload" rel="_reload"/> <link href="/services/server/health-config/feature%3Abatchreader" rel="edit"/> <content type="text/xml"> <s:dict> <s:key name="alert.disabled">0</s:key> <s:key name="alert.min_duration_sec">600</s:key> <s:key name="alert:data_out_rate.min_duration_sec">1800</s:key> <s:key name="indicator:data_out_rate:red">2</s:key> <s:key name="indicator:data_out_rate:yellow">1</s:key> 
<s:key name="disabled">0</s:key> <s:key name="display_name">BatchReader</s:key> </s:dict> </content> </entry>
server/health-config/{alert_action}
https://<host>:<mPort>/services/server/health-config/alert_action:<action_name>
Configure alert actions for the splunkd health report.
Authentication and Authorization
Requires the admin role or edit_health capability.
POST
Configure alert actions for the splunkd health report.
Request parameters
Name | Type | Description |
---|---|---|
alert_action:<action_name> | String | Specify the alert action name. <action_name> can be either email or PagerDuty. |
action.to | String | Primary email address to use with the email alert action. |
action.cc | String | CC email address to use with the email alert action. |
action.bcc | String | BCC email address to use with the email alert action. |
action.integration_url_override | String | Sets the <integration key> value for the PagerDuty alert action. For example, action.integration_url_override=78c3b6cf0a884a538410fe2812273b0b |
disabled | Boolean | Enables/disables the alert action. Possible values are 0 and 1. A value of 1 disables the alert action. |
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/server/health-config/alert_action:email -d action.to=admin@example.com -d action.cc=admin2@example.com -d disabled=0
XML Response
<title>health-report-config</title> <id>https://10.141.65.179:52000/services/server/health-config</id> <updated>2018-04-02T18:36:31+00:00</updated> <generator build="b233a6c1ade2" version="7.2.0"/> <author> <name>Splunk</name> </author> <link href="/services/server/health-config/_new" rel="create"/> <link href="/services/server/health-config/_reload" rel="_reload"/> <link href="/services/server/health-config/_acl" rel="_acl"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/>
server/health-config/{feature_name}
https://<host>:<mPort>/services/server/health-config/feature:<feature_name>
Edit feature- and indicator-level settings for the splunkd health report.
Authentication and Authorization
Requires the admin role or edit_health capability.
POST
Edit feature- and indicator-level settings for the splunkd health report.
Request parameters
Name | Type | Description |
---|---|---|
alert.disabled | Boolean | Possible values are 0 or 1. A value of 1 disables alerting for this feature. If alerting is disabled in the [health_reporter] stanza, alerting for this feature is disabled, regardless of the value set here. If the value is set to 1, alerting for all indicators is disabled. Default: 0 (enabled). |
alert.min_duration_sec | Number | The minimum amount of time, in seconds, that the health status color must persist before an alert triggers. |
alert.threshold_color | String | The health status color that triggers an alert. Possible values are yellow and red. Default: red. |
alert:<indicator_name>.disabled | Number | Possible values are 0 or 1. A value of 1 disables alerting for this indicator. Default: 0 (enabled). |
alert:<indicator_name>.min_duration_sec | Number | The minimum amount of time, in seconds, that the health status color must persist before an alert triggers for this indicator. |
alert:<indicator_name>.threshold_color | String | The health status color that triggers an alert for this indicator. Possible values are yellow and red. Default: red. |
disabled | Boolean | Disables/enables reporting the health of the feature. Use disabled=1 to disable the feature. Use disabled=0 to enable the feature. |
distributed_disabled | Boolean | Disables/enables reporting the health of the feature in the distributed health report. Use distributed_disabled=1 to disable the feature. Use distributed_disabled=0 to enable the feature. |
feature:<feature_name> | String | Specify the feature name. feature_name can be any supported feature listed in $SPLUNK_HOME/etc/system/default/health.conf. |
indicator:<indicator name>:<color> | Number | The indicator threshold value that triggers a health status change to the specified color for the indicator. |
Returned values
None
Example request and response
XML Request
curl -k -u admin:password https://localhost:8089/services/server/health-config/feature:batchreader -d disabled=1 -d alert.disabled=0 -d alert.min_duration_sec=100 -d alert:data_out_rate.disabled=1 -d alert:data_out_rate.threshold_color=yellow
XML Response
<title>health-report-config</title> <id>https://10.141.65.179:52000/services/server/health-config</id> <updated>2018-04-02T18:36:31+00:00</updated> <generator build="b233a6c1ade2" version="7.2.0"/> <author> <name>Splunk</name> </author> <link href="/services/server/health-config/_new" rel="create"/> <link href="/services/server/health-config/_reload" rel="_reload"/> <link href="/services/server/health-config/_acl" rel="_acl"/> <opensearch:totalResults>0</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/>
server/info
https://<host>:<mPort>/services/server/info?output_mode=json
Access information about the currently running Splunk instance.
Note: This endpoint provides information on the currently running Splunk instance. Some values returned in the GET response reflect server status information. However, this endpoint is meant to provide information on the currently running instance, not the machine where the instance is running. Server status values returned by this endpoint should be considered deprecated and might not continue to be accessible from this endpoint. Use server/sysinfo to access server status instead. For more information, see server/sysinfo.
GET
Get Splunk instance information.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
Name | Description |
---|---|
activeLicenseGroup | Type of Splunk software license. Possible values: Enterprise, Forwarder, Free, Invalid, Trial. |
addOns | Names of active add-ons. |
build | The build number for this Splunk instance version. |
cpu_arch | The architecture type for the CPU hosting splunkd. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead. |
guid | Globally unique identifier for this server. |
host | Server name. |
host_fqdn | Host fully qualified domain name. |
isFree | Indicates if this server is running the Splunk instance under a free license. |
isTrial | Indicates if this server is using a trial license. |
kv_store_status | App KV store availability. |
license_labels | Labels associated with the license used on this server. |
licenseKeys | License key unique for each license. |
licenseSignature | Hash signature for the license used on this server. |
licenseState | Specifies the status of the license, which can be either OK or Expired. |
master_guid | Globally unique identifier for this server. |
max_users | Maximum number of users on the instance. |
mode | Indicates whether the server is a dedicated forwarder. Possible values: normal, dedicated forwarder. |
numberOfCores | Server number of processor cores. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead. |
os_build | Software build for the server os_version. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead. |
os_name | Server operating system. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead. |
os_version | Server operating system version. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead. |
physicalMemoryMB | Server physical memory (MB). The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead. |
product_type | Splunk software product type. One of the following values: enterprise, hunk, lite, lite_free, splunk. |
rtsearch_enabled | Indicates if real-time search is enabled for the instance on this server. |
server_roles | Zero or more of the following possible server roles: indexer, universal_forwarder, heavyweight_forwarder, lightweight_forwarder, license_master, license_slave, cluster_master, cluster_slave, cluster_search_head, deployment_server, deployment_client, search_head, search_peer, shc_captain, shc_deployer, shc_member. See also: server/roles endpoint. |
serverName | Server DNS domain name. |
startup_time | Server platform start time, in seconds since January 1, 1970 (UNIX epoch). |
version | Splunk software version number. The value returned in the server/info response should be considered deprecated. Use server/sysinfo to access this response key and value instead. |
versionControlEnabled | Indicates whether the View version history option is enabled on the instance. A value of True means that the option is enabled. |
Example request and response
JSON Request
curl -X GET -u admin:changeme -k "https://localhost:8106/services/server/info?output_mode=json"
JSON Response
{ "links": {}, "origin": "https://localhost:8106/services/server/info", "updated": "2024-09-09T01:52:13-07:00", "generator": { "build": "b0122e4d425e5c0d37a7278576a02b962b3505f7", "version": "20240906" }, "entry": [ { "name": "server-info", "id": "https://localhost:8106/services/server/info/server-info", "updated": "1969-12-31T16:00:00-08:00", "links": { "alternate": "/services/server/info/server-info", "list": "/services/server/info/server-info" }, "author": "system", "acl": { "app": "", "can_list": true, "can_write": true, "modifiable": false, "owner": "system", "perms": { "read": [ "*" ], "write": [] }, "removable": false, "sharing": "system" }, "content": { "activeLicenseGroup": "Enterprise", "activeLicenseSubgroup": "Production", "addOns": null, "build": "b0122e4d425e5c0d37a7278576a02b962b3505f7", "conf_generation": 7, "cpu_arch": "x86_64", "eai:acl": null, "federated_search_enabled": true, "fips_mode": false, "guid": "D4DBAE70-1C60-48F5-9A91-7222FDB7C528", "health_info": "green", "health_version": 2653725249, "host": "chieftain", "host_fqdn": "chieftain", "host_resolved": "chieftain", "isConverged": false, "isForwarding": false, "isFree": false, "isTrial": false, "kvStoreStatus": "failed", "licenseKeys": [ "CF4AAB0EAB5E5CD3B2E200AC6562A4028DAD54C4E7EA61144A836200420B3ADB" ], "licenseSignature": "52468815a75e22dee8211e7afaa3c171", "licenseState": "OK", "license_labels": [ "Splunk Internal License DO NOT DISTRIBUTE" ], "manager_guid": "D4DBAE70-1C60-48F5-9A91-7222FDB7C528", "manager_uri": "self", "master_guid": "D4DBAE70-1C60-48F5-9A91-7222FDB7C528", "master_uri": "self", "max_users": 4294967295, "mode": "normal", "numberOfCores": 50, "numberOfVirtualCores": 50, "os_build": "#35-Ubuntu SMP Thu May 7 20:20:34 UTC 2020", "os_name": "Linux", "os_name_extended": "Linux", "os_version": "5.4.0-31-generic", "physicalMemoryMB": 35840, "product_type": "enterprise", "rtsearch_enabled": true, "serverName": "chieftain", "server_roles": [ "indexer", "license_master", 
"license_manager" ], "shutting_down": "0", "startup_time": 1725871367, "staticAssetId": "F5B763C878861D48BD7E909BF8BFCD565B8DAC50BE0F0EE09FFF9685D2505F04", "version": "20240906", "versionControlEnabled": true } } ], "paging": { "total": 1, "perPage": 30, "offset": 0 }, "messages": [] }
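The JSON response above is what an inventory or monitoring job would consume. The following Python is an added example, not Splunk code: it validates the shape of a server/info payload, builds a compact inventory record, records which of the keys the table marks as deprecated are still being read from this endpoint (so the job can be migrated to server/sysinfo), and raises findings for the conditions visible in the response (license state, trial or free license, KV store status). The sample document is a trimmed copy of the response above; the finding rules are the example's own choices, not Splunk defaults.

```python
import json

# Constructed sample: the server/info JSON response shown above, trimmed to
# the keys this check reads (values are copied from that response).
SAMPLE_SERVER_INFO = json.loads("""
{
  "entry": [
    {
      "name": "server-info",
      "content": {
        "activeLicenseGroup": "Enterprise",
        "build": "b0122e4d425e5c0d37a7278576a02b962b3505f7",
        "cpu_arch": "x86_64",
        "fips_mode": false,
        "guid": "D4DBAE70-1C60-48F5-9A91-7222FDB7C528",
        "host": "chieftain",
        "isFree": false,
        "isTrial": false,
        "kvStoreStatus": "failed",
        "licenseState": "OK",
        "mode": "normal",
        "numberOfCores": 50,
        "os_build": "#35-Ubuntu SMP Thu May 7 20:20:34 UTC 2020",
        "os_name": "Linux",
        "os_version": "5.4.0-31-generic",
        "physicalMemoryMB": 35840,
        "product_type": "enterprise",
        "rtsearch_enabled": true,
        "server_roles": ["indexer", "license_master", "license_manager"],
        "startup_time": 1725871367,
        "version": "20240906",
        "versionControlEnabled": true
      }
    }
  ]
}
""")

# Response keys the table above marks as deprecated in server/info; the
# authoritative source for them is server/sysinfo.
DEPRECATED_IN_SERVER_INFO = frozenset({
    "cpu_arch", "numberOfCores", "os_build", "os_name",
    "os_version", "physicalMemoryMB",
})


def server_info_content(doc):
    """Return the content dict of the single server-info entry, or raise."""
    entries = doc.get("entry", [])
    if len(entries) != 1 or entries[0].get("name") != "server-info":
        raise ValueError("unexpected server/info payload shape")
    return entries[0]["content"]


def summarize_server_info(doc):
    """Build an inventory record plus a list of findings worth a ticket.

    The finding rules are this example's own assumptions, not Splunk defaults.
    """
    c = server_info_content(doc)
    findings = []
    if c.get("licenseState") != "OK":
        findings.append("license state is %s" % c.get("licenseState"))
    if c.get("isTrial") or c.get("isFree"):
        findings.append("instance runs on a trial or free license")
    if c.get("kvStoreStatus") == "failed":
        findings.append("KV store status is failed")
    return {
        "host": c.get("host"),
        "guid": c.get("guid"),
        "version": c.get("version"),
        "build": c.get("build"),
        "roles": sorted(c.get("server_roles") or []),
        "fips_mode": bool(c.get("fips_mode")),
        # Keys that should be sourced from server/sysinfo going forward.
        "deprecated_keys_present": sorted(
            k for k in c if k in DEPRECATED_IN_SERVER_INFO),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_server_info(SAMPLE_SERVER_INFO), indent=2))
```

On the sample above the record reports the KV store failure as the only finding and lists all six deprecated keys, which is the signal that the job still depends on values this endpoint may stop returning.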
server/introspection
https://<host>:<mPort>/services/server/introspection
Access system introspection artifacts.
See also the following associated endpoints.
GET
List introspection resources.
Request parameters
None
Returned values
The endpoint returns a list of introspection artifacts.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/introspection
XML Response
... <title></title> <id>https://localhost:8089/services/server/introspection</id> <updated>2014-08-04T11:40:23-07:00</updated> <generator build="221120" version="6.2"/> <author> <name>Splunk</name> </author> <s:messages/> <entry> <title>indexer</title> <id>https://localhost:8089/services/server/introspection/indexer</id> <updated>2014-08-04T11:40:23-07:00</updated> <link href="/services/server/introspection/indexer" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/indexer" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>kvstore</title> <id>https://localhost:8089/services/server/introspection/kvstore</id> <updated>2014-08-04T11:40:23-07:00</updated> <link href="/services/server/introspection/kvstore" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/kvstore" rel="list"/> <link href="/services/server/introspection/kvstore/_reload" rel="_reload"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>pipelines</title> <id>https://localhost:8089/services/server/introspection/pipelines</id> <updated>2014-08-04T11:40:23-07:00</updated> <link href="/services/server/introspection/pipelines" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/pipelines" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>processors</title> <id>https://localhost:8089/services/server/introspection/processors</id> <updated>2014-08-04T11:40:23-07:00</updated> <link href="/services/server/introspection/processors" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/processors" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>queues</title> <id>https://localhost:8089/services/server/introspection/queues</id> <updated>2014-08-04T11:40:23-07:00</updated> <link 
href="/services/server/introspection/queues" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/queues" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry>
server/introspection/indexer
https://<host>:<mPort>/services/server/introspection/indexer
Access the current indexer status.
See also server/introspection.
GET
Get indexer status information.
Request parameters
None
Returned values
Name | Description |
---|---|
average_KBps | Average indexer throughput (kbps). |
reason | Status explanation. For a normal status, returns "." (a single period, as in the response example below). The following examples show possible abnormal status reasons: "idx=<indexerName> Throttling indexer, too many tsidx files in bucket=<bucketName>. Is splunk-optimize working? If not, low disk space may be the cause." "You are low in disk space on partition <partitionName>. Indexing is paused. Will resume when free disk space rises above <minFreeMB>." |
status | Current indexer status. One of the following values. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/indexer
XML Response
... <title>introspection-indexer</title> <id>https://localhost:8089/services/server/introspection/indexer</id> <updated>2014-08-04T11:43:04-07:00</updated> <generator build="221120" version="6.2"/> <author> <name>Splunk</name> </author> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>indexer</title> <id>https://localhost:8089/services/server/introspection/indexer/indexer</id> <updated>2014-08-04T11:43:04-07:00</updated> <link href="/services/server/introspection/indexer/indexer" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/indexer/indexer" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="average_KBps">0.517667</s:key> <s:key name="eai:acl">... elided ...</s:key> <s:key name="reason">.</s:key> <s:key name="status">normal</s:key> </s:dict> </content> </entry>
server/introspection/kvstore
https://<host>:<mPort>/services/server/introspection/kvstore
Access app KV store resources.
See also server/introspection.
GET
List app KV store resources.
Request parameters
None
Returned values
Lists the following app /server/introspection/kvstore resources.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore
XML Response
... <title></title> <id>https://localhost:8089/services/server/introspection/kvstore</id> <updated>2014-08-20T14:06:12-07:00</updated> <generator build="221120" version="6.2"/> <author> <name>Splunk</name> </author> <s:messages/> <entry> <title>collectionstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id> <updated>2014-08-20T14:06:12-07:00</updated> <link href="/services/server/introspection/kvstore/collectionstats" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/kvstore/collectionstats" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>replicasetstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats</id> <updated>2014-08-20T14:06:12-07:00</updated> <link href="/services/server/introspection/kvstore/replicasetstats" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/kvstore/replicasetstats" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>serverstatus</title> <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus</id> <updated>2014-08-20T14:06:12-07:00</updated> <link href="/services/server/introspection/kvstore/serverstatus" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/kvstore/serverstatus" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry>
server/introspection/kvstore/collectionstats
https://<host>:<mPort>/services/server/introspection/kvstore/collectionstats
Get storage statistics for a collection.
See also the following associated endpoints.
GET
Get collection storage statistics.
Request parameters
None
Returned values
Name | Description |
---|---|
data | Returns the following JSON document. Note: Sizes are returned in MBs. For more information, see Performance Metrics. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/collectionstats
XML Response
<title>kvstore-collectionstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id> <updated>2014-08-20T14:31:42-07:00</updated> <generator build="226873" version="6.2"/> <author> <name>Splunk</name> </author> ... opensearch nodes elided ... <title>collectionStats</title> <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats/collectionStats</id> <updated>2014-08-20T14:31:42-07:00</updated> <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="data"> <s:list> <s:item> {"ns":"search.kvstoredemo", "count":0, "size":0, "storageSize":8192, "numExtents":1, "nindexes":2, "lastExtentSize":8192, "paddingFactor":1, "systemFlags":1, "userFlags":1, "totalIndexSize":16352, "indexSizes":{"_id_":8176,"_UserAndKeyUniqueIndex":8176}, "ok":1} </s:item> </s:list> </s:key> <s:key name="eai:acl"> ... elided ...</s:key> </s:dict> </content> </entry>
server/introspection/kvstore/replicasetstats
https://<host>:<mPort>/services/server/introspection/kvstore/replicasetstats
Get the status of the replica set from the point of view of the current server.
See also the following associated endpoints.
GET
Get the status of the replica set from the point of view of the current server.
Request parameters
None
Returned values
set
- Replica set name, set in the server.conf file.
date
- Current time in ISO format.
myState
- Startup process, basic operations, and potential error states:
  - 0 STARTUP: Initial member state. Cannot vote.
  - 1 PRIMARY: Only member that can accept write operations. Can vote.
  - 2 SECONDARY: Data store replication member. Can vote.
  - 3 RECOVERING: Members perform startup self-checks, or transition from completing a rollback or resync. Can vote.
  - 4 FATAL: Unrecoverable error encountered. Cannot vote.
  - 5 STARTUP2: Forks replication and election threads before becoming a secondary. Cannot vote.
  - 6 UNKNOWN: Never connected to replica set. Cannot vote.
  - 7 ARBITER: Participates in elections, does not replicate data. Can vote.
  - 8 DOWN: Cannot be accessed by the set. Cannot vote.
  - 9 ROLLBACK: Performs rollback. Can vote.
  - 10 REMOVED: Removed from the replica set. Cannot vote.
members
- Descriptions of members of the replica set:
  - _id: Member ID.
  - name: Server name.
  - health: Status: 1 = up, 0 = down.
  - state: Replica state (see myState).
  - stateStr: String representation of state.
  - uptime: Online interval (seconds).
  - optime: Information about the last operations log operation.
    - t: 32-bit timestamp of last operation.
    - i: Number of operations since the last timestamp.
  - optimeDate: Time of last operations log operation in ISO format.
  - lastHeartbeat: Transmission time of last heartbeat in ISO format.
  - lastHeartbeatRecv: Time last heartbeat received in ISO format.
  - pingMs: Round-trip packet time (msec).
  - syncingTo: On secondary and recovering members, hostname of the member from which this instance is syncing.
ok
- Command return status: 1 = Success, 0 = Failure.
oplogInfo
- Operations log information:
  - start: Start time.
  - end: End time.
  - collectionStats: Collection storage statistics:
    - ns: Current collection namespace.
    - count: Number of collection documents or objects.
    - size: Collection records total size.
    - avgObjSize: Average object size in collection (bytes).
    - storageSize: Collection document storage allocation.
    - numExtents: Number of contiguously allocated data file regions.
    - nindexes: Number of indexes on the collection.
    - lastExtentSize: Size of last allocated extent.
    - paddingFactor: Amount of space added to each document.
    - systemFlags: Collection flags that reflect internal server options.
    - userFlags: Collection flags set by user.
    - totalIndexSize: Size of all indexes.
    - indexSizes: Key and size of every index on the collection.
    - capped: Capped setting: true = capped, false = not capped.
    - max: Max collection size.
    - ok: Command return status: 1 = Success, 0 = Failure.
sources
- Operations log sources.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/replicasetstats
XML Response
... <title>replicasetstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats/replicasetstats</id> <updated>2014-08-20T14:31:42-07:00</updated> <link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="data"> <s:list> <s:item> { "replSetStats": { "set": "splunkrs", "date": 1412203576000, "myState": 2, "syncingTo": "54.xxx.xxx.xxx:8191", "members": [ { "_id": 2, "name": "54.xxx.xxx.xxx:8191", "health": 1, "state": 2, "stateStr": "SECONDARY", "uptime": 102409, "optime": { "t": 1412101153, "i": 1 }, "optimeDate": 1412101153000, "lastHeartbeat": 1412203575000, "lastHeartbeatRecv": 1412203575000, "pingMs": 1, "syncingTo": "54.xxx.xxx.xxx:8191" }, { "_id": 3, "name": "54.xxx.xxx.yyy:8191", "health": 1, "state": 2, "stateStr": "SECONDARY", "uptime": 102409, "optime": { "t": 1412101153, "i": 1 }, "optimeDate": 1412101153000, "lastHeartbeat": 1412203576000, "lastHeartbeatRecv": 1412203575000, "pingMs": 1, "syncingTo": "54.xxx.xxx.yyy:8191" }, . . . elided . . . 
{ "_id": 17, "name": "54.xxx.xxx.zzz:8191", "health": 1, "state": 2, "stateStr": "SECONDARY", "uptime": 102409, "optime": { "t": 1412101153, "i": 1 }, "optimeDate": 1412101153000, "lastHeartbeat": 1412203574000, "lastHeartbeatRecv": 1412203575000, "pingMs": 1, "syncingTo": "54.xxx.xxx.zzz:8191" } ], "ok": 1 }, "oplogInfo": { "start": 1412022009000, "end": 1412101153000, "collectionStats": { "ns": "local.oplog.rs", "count": 631, "size": 166964, "avgObjSize": 264, "storageSize": 1048580080, "numExtents": 3, "nindexes": 0, "lastExtentSize": 4096, "paddingFactor": 1, "systemFlags": 0, "userFlags": 0, "totalIndexSize": 0, "indexSizes": {}, "capped": true, "max": 9223372036854775808.000000, "ok": 1 }, "sources": {} } } </s:item> </s:list> </s:key> <s:key name="eai:acl"> ... elided ...</s:key> </s:dict> </content> </entry>
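The replSetStats document above is the input a KV store availability check would read. The following Python is an added example, not Splunk code, showing how the field descriptions above translate into a verdict: it requires ok=1 and exactly one healthy PRIMARY, flags members whose health or state (per the myState table) is not a serving one, and measures heartbeat and oplog lag against the document's own date field so the check is deterministic. The sample document, its host names and the lag thresholds are constructed for the example; the thresholds are assumptions, not Splunk defaults.

```python
# Replica states from the myState table above, and the subset in which a
# member is serving and voting normally.
STATE_NAMES = {
    0: "STARTUP", 1: "PRIMARY", 2: "SECONDARY", 3: "RECOVERING", 4: "FATAL",
    5: "STARTUP2", 6: "UNKNOWN", 7: "ARBITER", 8: "DOWN", 9: "ROLLBACK",
    10: "REMOVED",
}
SERVING_STATES = {1, 2, 7}

# Constructed sample modelled on the replSetStats document above: one primary,
# one healthy secondary, and one member that has dropped out. Host names are
# placeholders; 'date' is epoch milliseconds as in the response above.
SAMPLE_REPL_SET_STATS = {
    "set": "splunkrs",
    "date": 1412203576000,
    "myState": 1,
    "members": [
        {"_id": 1, "name": "kv1.example.internal:8191", "health": 1, "state": 1,
         "stateStr": "PRIMARY", "uptime": 102409,
         "optime": {"t": 1412203570, "i": 3}, "optimeDate": 1412203570000,
         "lastHeartbeat": 1412203575000, "lastHeartbeatRecv": 1412203575000,
         "pingMs": 0},
        {"_id": 2, "name": "kv2.example.internal:8191", "health": 1, "state": 2,
         "stateStr": "SECONDARY", "uptime": 102409,
         "optime": {"t": 1412203568, "i": 1}, "optimeDate": 1412203568000,
         "lastHeartbeat": 1412203575000, "lastHeartbeatRecv": 1412203575000,
         "pingMs": 1, "syncingTo": "kv1.example.internal:8191"},
        {"_id": 3, "name": "kv3.example.internal:8191", "health": 0, "state": 8,
         "stateStr": "DOWN", "uptime": 0,
         "optime": {"t": 1412203400, "i": 1}, "optimeDate": 1412203400000,
         "lastHeartbeat": 1412203400000, "lastHeartbeatRecv": 1412203400000,
         "pingMs": 0},
    ],
    "ok": 1,
}


def assess_replica_set(stats, max_heartbeat_lag_s=30, max_oplog_lag_s=60):
    """Evaluate a replSetStats document and return a verdict with problems.

    The lag thresholds are assumed defaults for this example, not values from
    the Splunk documentation. Times are compared against the document's own
    'date' field rather than the wall clock.
    """
    problems = []
    if stats.get("ok") != 1:
        problems.append("replica set status command failed (ok=%r)" % stats.get("ok"))
    now_s = stats.get("date", 0) / 1000.0
    members = stats.get("members", [])

    # Exactly one healthy PRIMARY is required for writes to be accepted.
    primaries = [m for m in members if m.get("state") == 1 and m.get("health") == 1]
    primary = primaries[0] if len(primaries) == 1 else None
    if primary is None:
        problems.append("expected exactly one healthy PRIMARY, found %d" % len(primaries))

    for m in members:
        name = m.get("name", "<unnamed>")
        state = m.get("state")
        if m.get("health") != 1:
            problems.append("%s: health=%r (down)" % (name, m.get("health")))
        if state not in SERVING_STATES:
            problems.append("%s: state %r (%s) is not a serving state"
                            % (name, state, STATE_NAMES.get(state, "?")))
        # Heartbeat age: a member nobody has heard from is suspect even if it
        # still reports a serving state.
        hb_lag = now_s - m.get("lastHeartbeatRecv", 0) / 1000.0
        if hb_lag > max_heartbeat_lag_s:
            problems.append("%s: last heartbeat received %d s ago" % (name, hb_lag))
        # Replication lag: compare the member's last applied optime with the
        # primary's (optime.t is the 32-bit timestamp described above).
        if primary is not None and m is not primary:
            oplog_lag = primary["optime"]["t"] - m.get("optime", {}).get("t", 0)
            if oplog_lag > max_oplog_lag_s:
                problems.append("%s: oplog lags primary by %d s" % (name, oplog_lag))

    return {
        "set": stats.get("set"),
        "primary": primary["name"] if primary else None,
        "healthy": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    for line in assess_replica_set(SAMPLE_REPL_SET_STATS)["problems"]:
        print(line)
```

On the sample the third member produces four problems (down, non-serving state, stale heartbeat, oplog lag) and the set is reported unhealthy; with only the first two members it is healthy.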
server/introspection/kvstore/serverstatus
https://<host>:<mPort>/services/server/introspection/kvstore/serverstatus
Get an overview of the database process state.
Monitoring applications periodically run this command to get statistical information about the database instance.
See also the following associated endpoints.
GET
Get an overview of the database process state.
Request parameters
None
Returned values
The response data is platform-dependent.
Name | Description |
---|---|
data | Returns the following CDATA items. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/serverstatus
XML Response
... <title>serverStatus</title> <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus/serverStatus</id> <updated>2014-08-20T14:26:42-07:00</updated> <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="data"> <![CDATA[{ "host":"localhost:8089", "version":"2.6.3", "pid":23009, "uptime":19049, "uptimeMillis":19049447, "uptimeEstimate":18295, "localTime":{"$date":1408570002615}, "asserts":{ "regular":0, "warning":0, "msg":0, "user":0, "rollovers":0}, "backgroundFlushing":{ "flushes":317, "total_ms":11523, "average_ms":36.350158, "last_ms":0, "last_finished":{"$date":1408569973325}}, "connections":{ "current":7, "available":3269, "totalCreated":7}, "cursors":{ "note":"deprecated, use server status metrics", "clientCursors_size":0, "totalOpen":0, "pinned":0, "totalNoTimeout":0, "timedOut":0}, "dur":{ "commits":30, "journaledMB":0, "writeToDataFilesMB":0, "compression":0, "commitsInWriteLock":0, "earlyCommits":0, "timeMs":{ "dt":3072, "prepLogBuffer":0, "writeToJournal":0, "writeToDataFiles":0, "remapPrivateView":0}}, "extra_info":{ "note":"fields vary by platform", "heap_usage_bytes":67624592, "page_faults":3}, "globalLock":{ "totalTime":19049447000, "lockTime":1491098, "currentQueue":{ "total":0, "readers":0, "writers":0}, "activeClients":{ "total":0, "readers":0, "writers":0}}, "indexCounters":{ "accesses":2, "hits":2, "misses":0, "resets":0, "missRatio":0}, "locks":{ ".":{ "timeLockedMicros":{ "R":2926340, "W":1491098}, "timeAcquiringMicros":{ "R":1458997, "W":342703}}, "admin":{ "timeLockedMicros":{ "r":103638, "w":0}, "timeAcquiringMicros":{ "r":13202, "w":0}}, "local":{ "timeLockedMicros":{ "r":426518, "w":237}, "timeAcquiringMicros":{ "r":185505, "w":12}}, "search.kvstoredemo":{ "timeLockedMicros":{ "r":2832888, "w":292}, 
"timeAcquiringMicros":{ "r":1310820, "w":17}}}, "network":{ "bytesIn":1133611, "bytesOut":11628162, "numRequests":12070}, "opcounters":{ "insert":1, "query":4760, "update":0, "delete":0, "getmore":0, "command":8264}, "opcountersRepl":{ "insert":0, "query":0, "update":0, "delete":0, "getmore":0, "command":0}, "recordStats":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0, "admin":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "local":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "search.kvstoredemo":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}}, "writeBacksQueued":false, "mem":{ "bits":64, "resident":58, "virtual":325, "supported":true, "mapped":64, "mappedWithJournal":128}, "metrics":{ "cursor":{ "timedOut":0, "open":{ "noTimeout":0, "pinned":0, "total":0}}, "document":{ "deleted":0, "inserted":1, "returned":2, "updated":0}, "getLastError":{ "wtime":{ "num":0, "totalMillis":0}, "wtimeouts":0}, "operation":{ "fastmod":0, "idhack":0, "scanAndOrder":0}, "queryExecutor":{ "scanned":0, "scannedObjects":0}, "record":{"moves":0}, "repl":{ "apply":{ "batches":{ "num":0, "totalMillis":0}, "ops":0}, "buffer":{ "count":0, "maxSizeBytes":268435456, "sizeBytes":0}, "network":{ "bytes":0, "getmores":{ "num":0, "totalMillis":0}, "ops":0, "readersCreated":0}, "preload":{ "docs":{ "num":0, "totalMillis":0}, "indexes":{ "num":0, "totalMillis":0}}}, "storage":{ "freelist":{ "search":{ "bucketExhausted":0, "requests":0, "scanned":0}}}, "ttl":{ "deletedDocuments":0, "passes":317}}, "ok":1}]]> </s:key> <s:key name="eai:acl"> ... elided ... </s:key> </s:dict> </content> </entry>
server/introspection/search/dispatch
https://<host>:<mPort>/services/server/introspection/search/dispatch
Provides vital statistics for the distributed search framework, including details on search peer performance.
GET
Enumerate scheduled search details.
Request parameters
None
Returned values
Name | Description |
---|---|
Bundle_Directory_Reaper_Average_Time(ms) | Average time for dispatch reaper to walk search peer directory and reap obsolete bundles. |
Bundle_Directory_Reaper_Max_Time(ms) | Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles. |
Compute_User_Search_Quota_Average_Time(ms) | Average time for computing user search quota. |
Compute_User_Search_Quota_Max_Time(ms) | Maximum time for computing user search quota. |
Dispatch_Directory_Reaper_Average_Time(ms) | Average time for dispatch reaper to walk dispatch directory and reap stale artifacts. |
Dispatch_Directory_Reaper_Max_Time(ms) | Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts. |
Search_StartUp_Time_Average_Time(ms) | Average time for preprocessing before search startup. Counted from the time the search state is set to RUNNING. Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers. |
Search_StartUp_Time_Max_Time(ms) | Maximum time for preprocessing before search startup. Counted from the time the search state is set to RUNNING. Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch
XML Response
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?> <feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>introspection-dispatchreaper</title> <id>https://localhost:8089/services/server/introspection/search/dispatch</id> <updated>2015-08-27T13:49:04-07:00</updated> <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/> <author> <name>Splunk</name> </author> <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/> <opensearch:totalResults>4</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>Bundle_Directory_Reaper</title> <id>https://localhost:8089/services/server/introspection/search/dispatch/Bundle_Directory_Reaper</id> <updated>2015-08-27T13:49:04-07:00</updated> <link href="/services/server/introspection/search/dispatch/Bundle_Directory_Reaper" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/dispatch/Bundle_Directory_Reaper" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Bundle_Directory_Reaper_Average_Time(ms)">1.000000</s:key> <s:key name="Bundle_Directory_Reaper_Max_Time(ms)">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry> <entry> <title>Compute_User_Search_Quota</title> <id>https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota</id> 
<updated>2015-08-27T13:49:04-07:00</updated> <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Compute_User_Search_Quota_Average_Time(ms)">2.500000</s:key> <s:key name="Compute_User_Search_Quota_Max_Time(ms)">4</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry> <entry> <title>Dispatch_Directory_Reaper</title> <id>https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper</id> <updated>2015-08-27T13:49:04-07:00</updated> <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Dispatch_Directory_Reaper_Average_Time(ms)">5.400000</s:key> <s:key name="Dispatch_Directory_Reaper_Max_Time(ms)">16</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key 
name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry> <entry> <title>Search_StartUp_Time</title> <id>https://localhost:8089/services/server/introspection/search/dispatch/Search_StartUp_Time</id> <updated>2015-08-27T13:49:04-07:00</updated> <link href="/services/server/introspection/search/dispatch/Search_StartUp_Time" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/dispatch/Search_StartUp_Time" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Search_StartUp_Time_Average_Time(ms)">136.750000</s:key> <s:key name="Search_StartUp_Time_Max_Time(ms)">185</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry> </feed>
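The XML responses in this section and in server/introspection/indexer above share one layout: an Atom feed whose entries carry an <s:dict> of <s:key name="..."> values, nested <s:dict> and <s:list> elements included. The following Python is an added example, not Splunk code: a small converter from that layout to Python dicts, applied to a constructed feed modelled on the indexer and search/dispatch responses above, with two checks on top of it, one raising a finding when the indexer status is anything other than normal (quoting the reason field the table describes), and one comparing each dispatch entry's *_Max_Time(ms) value against a limit. The feed and the millisecond limits are this example's own assumptions, not Splunk defaults.

```python
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
SREST = "http://dev.splunk.com/ns/rest"
NS = {"a": ATOM, "s": SREST}
DICT, LIST, KEY, ITEM = ("{%s}%s" % (SREST, t) for t in ("dict", "list", "key", "item"))

# Constructed sample feed: entries shaped like the indexer and search/dispatch
# responses above (values copied from them), with one nested eai:acl dict.
SAMPLE_FEED = """
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>constructed-sample</title>
  <entry>
    <title>indexer</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="average_KBps">0.517667</s:key>
        <s:key name="reason">.</s:key>
        <s:key name="status">normal</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list/></s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Search_StartUp_Time</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="Search_StartUp_Time_Average_Time(ms)">136.750000</s:key>
        <s:key name="Search_StartUp_Time_Max_Time(ms)">185</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>Dispatch_Directory_Reaper</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="Dispatch_Directory_Reaper_Average_Time(ms)">5.400000</s:key>
        <s:key name="Dispatch_Directory_Reaper_Max_Time(ms)">16</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _convert(elem):
    """Recursively turn an s:dict / s:list / s:key / s:item subtree into Python values."""
    if elem.tag == DICT:
        return {k.get("name"): _convert(k) for k in elem if k.tag == KEY}
    if elem.tag == LIST:
        return [_convert(i) for i in elem if i.tag == ITEM]
    # An s:key or s:item either wraps one nested container or holds scalar text.
    nested = [c for c in elem if c.tag in (DICT, LIST)]
    if nested:
        return _convert(nested[0])
    return (elem.text or "").strip()


def parse_feed(xml_text):
    """Map each entry title to the dict held in its <content><s:dict>."""
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.findall("a:entry", NS):
        title = entry.findtext("a:title", default="", namespaces=NS)
        d = entry.find("a:content/s:dict", NS)
        entries[title] = _convert(d) if d is not None else {}
    return entries


# Assumed alert limits (milliseconds) per dispatch entry; not Splunk defaults.
DISPATCH_MAX_MS = {
    "Search_StartUp_Time": 1000.0,
    "Dispatch_Directory_Reaper": 5000.0,
    "Bundle_Directory_Reaper": 5000.0,
    "Compute_User_Search_Quota": 1000.0,
}


def indexer_findings(entries):
    """Anything other than status 'normal' is reported together with its reason."""
    idx = entries.get("indexer", {})
    if idx.get("status") != "normal":
        return ["indexer status %r: %s" % (idx.get("status"), idx.get("reason"))]
    return []


def dispatch_findings(entries, limits=DISPATCH_MAX_MS):
    """Compare each entry's <title>_Max_Time(ms) key against its limit."""
    findings = []
    for title, limit in limits.items():
        value = entries.get(title, {}).get(title + "_Max_Time(ms)")
        if value is not None and float(value) > limit:
            findings.append("%s max %.1f ms exceeds %.1f ms" % (title, float(value), limit))
    return findings


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    print(indexer_findings(parsed) + dispatch_findings(parsed))
```

The converter keeps every value as a string, as the feed does; callers convert where a number is expected, which is why the dispatch check wraps values in float(). Empty <s:dict/> and <s:list/> elements, which the introspection listings above return for entries without content, become an empty dict and list respectively.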
server/introspection/search/dispatch/Bundle_Directory_Reaper
https://<host>:<mPort>/services/server/introspection/search/dispatch/Bundle_Directory_Reaper
Get average and maximum time for the dispatch reaper to walk the search peer directory and reap obsolete bundles.
GET
Enumerate routine distributed search method execution times for each peer.
Request parameters
None
Returned values
Name | Description |
---|---|
Bundle_Directory_Reaper_Average_Time(ms) | Average time for dispatch reaper to walk search peer directory and reap obsolete bundles. |
Bundle_Directory_Reaper_Max_Time(ms) | Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Bundle_Directory_Reaper
XML Response
... <title>introspection-dispatchreaper</title> <id>https://localhost:8089/services/server/introspection/search//dispatch</id> <updated>2015-08-26T14:24:43-07:00</updated> <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/> <author> <name>Splunk</name> </author> <link href="/services/server/introspection/search//dispatch/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>Bundle_Directory_Reaper</title> <id>https://localhost:8089/services/server/introspection/search//dispatch/Bundle_Directory_Reaper</id> <updated>2015-08-26T14:24:43-07:00</updated> <link href="/services/server/introspection/search//dispatch/Bundle_Directory_Reaper" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search//dispatch/Bundle_Directory_Reaper" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Bundle_Directory_Reaper_Average_Time(ms)">1.000000</s:key> <s:key name="Bundle_Directory_Reaper_Max_Time(ms)">1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> </s:dict> </content> </entry>
server/introspection/search/dispatch/Compute_User_Search_Quota
https://<host>:<mPort>/services/server/introspection/search/dispatch/Compute_User_Search_Quota
Provides average and maximum time for computing user search quotas.
GET
Enumerate average and maximum time for user search quota computation.
Request parameters
None
Returned values
Name | Description |
---|---|
Compute_User_Search_Quota_Average_Time(ms) | Average time for computing user search quota. |
Compute_User_Search_Quota_Max_Time(ms) | Maximum time for computing user search quota. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota
XML Response
... <title>introspection-dispatchreaper</title> <id>https://localhost:8089/services/server/introspection/search/dispatch</id> <updated>2015-08-26T14:33:46-07:00</updated> <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/> <author> <name>Splunk</name> </author> <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>Compute_User_Search_Quota</title> <id>https://localhost:8089/services/server/introspection/search/dispatch/Compute_User_Search_Quota</id> <updated>2015-08-26T14:33:46-07:00</updated> <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/dispatch/Compute_User_Search_Quota" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Compute_User_Search_Quota_Average_Time(ms)">1.950000</s:key> <s:key name="Compute_User_Search_Quota_Max_Time(ms)">4</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> </s:dict> </content> </entry>
server/introspection/search/dispatch/Dispatch_Directory_Reaper
https://<host>:<mPort>/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper
Get average and maximum time for the dispatch reaper to walk the dispatch directory and reap stale artifacts.
GET
Show dispatch directory reaper times for reaping stale artifacts.
Request parameters
None
Returned values
Name | Description |
---|---|
Dispatch_Directory_Reaper_Average_Time(ms) | Average time for dispatch reaper to walk dispatch directory and reap stale artifacts. |
Dispatch_Directory_Reaper_Max_Time(ms) | Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper
XML Response
... <title>introspection-dispatchreaper</title> <id>https://localhost:8089/services/server/introspection/search/dispatch</id> <updated>2015-08-26T14:34:41-07:00</updated> <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/> <author> <name>Splunk</name> </author> <link href="/services/server/introspection/search/dispatch/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>Dispatch_Directory_Reaper</title> <id>https://localhost:8089/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper</id> <updated>2015-08-26T14:34:41-07:00</updated> <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/dispatch/Dispatch_Directory_Reaper" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Dispatch_Directory_Reaper_Average_Time(ms)">4.500000</s:key> <s:key name="Dispatch_Directory_Reaper_Max_Time(ms)">10</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> </s:dict> </content> </entry>
server/introspection/search/dispatch/Search_StartUp_Time
https://<host>:<mPort>/services/server/introspection/search/dispatch/Search_StartUp_Time
Get average and maximum time for search preprocessing before startup.
Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, Splunk software is ready to wait for responses from indexers.
GET
Enumerate average and maximum time for search preprocessing before startup.
Request parameters
None
Returned values
Name | Description |
---|---|
Search_StartUp_Time_Average_Time(ms) | Average time for preprocessing before search startup, counted from the time the search state is set to RUNNING. |
Search_StartUp_Time_Max_Time(ms) | Maximum time for preprocessing before search startup, counted from the time the search state is set to RUNNING. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/server/introspection/search/dispatch/Search_StartUp_Time
XML Response
... <title>introspection-dispatchreaper</title> <id>https://localhost:8089/services/server/introspection/search//dispatch</id> <updated>2015-08-26T14:25:14-07:00</updated> <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/> <author> <name>Splunk</name> </author> <link href="/services/server/introspection/search//dispatch/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>Search_StartUp_Time</title> <id>https://localhost:8089/services/server/introspection/search//dispatch/Search_StartUp_Time</id> <updated>2015-08-26T14:25:14-07:00</updated> <link href="/services/server/introspection/search//dispatch/Search_StartUp_Time" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search//dispatch/Search_StartUp_Time" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Search_StartUp_Time_Average_Time(ms)">128.619048</s:key> <s:key name="Search_StartUp_Time_Max_Time(ms)">171</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> </s:dict> </content> </entry>
server/introspection/search/distributed
https://<host>:<mPort>/services/server/introspection/search/distributed
Get information about the search knowledge bundle replication, if the current instance is the search head. Provides details about maximum and average time to execute routine distributed search methods, including peer info, peer bundles list, and authentication token requests from search heads.
GET
Enumerate routine distributed search method execution times for each peer.
Usage details
The default update period is ten minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file. If startup occurred within the last ten minutes, counts are shown from startup to the current time.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
The following values are listed for each peer.
Name | Description |
---|---|
Get_Authentication_Max_Time(ms) | Maximum time for search head to get authentication from this peer. |
Get_Authentication_Mean_Time(ms) | Average time for search head to get authentication from this peer. |
Get_BundleList_Max_Time(ms) | Maximum time for search head to get bundle list from this peer. |
Get_ServerInfo_Max_Time(ms) | Maximum time for search head to get server information back from this peer. |
Get_ServerInfo_Mean_Time(ms) | Average time for search head to get server information back from this peer. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/server/introspection/search/distributed
XML Response
... <title>search-distributedmetrics</title> <id>https://localhost:8089/services/server/introspection/search/distributed</id> <updated>2015-08-26T14:35:48-07:00</updated> <generator build="ced4408678cc212328ba3550d23cba87c24339d4" version="20150826"/> <author> <name>Splunk</name> </author> <link href="/services/server/introspection/search/distributed/_acl" rel="_acl"/> <opensearch:totalResults>3</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>per_searchhead_metrics</title> <id>https://localhost:8089/services/server/introspection/search/distributed/per_searchhead_metrics</id> <updated>2015-08-26T14:35:48-07:00</updated> <link href="/services/server/introspection/search/distributed/per_searchhead_metrics" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/distributed/per_searchhead_metrics" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">0</s:key> <s:key name="can_write">0</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry> <entry> <title>localhost:8089</title> <id>https://localhost:8089/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017</id> <updated>2015-08-26T14:35:48-07:00</updated> <link href="/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/distributed/peer.sv.splunk.com%3A10017" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="Get_Authentication_Max_Time(ms)">4</s:key> <s:key name="Get_Authentication_Mean_Time(ms)">3.400000</s:key> <s:key name="Get_BundleList_Max_Time(ms)">5</s:key> <s:key name="Get_BundleList_Mean_Time(ms)">3.800000</s:key> <s:key name="Get_ServerInfo_Max_Time(ms)">14</s:key> <s:key name="Get_ServerInfo_Mean_Time(ms)">9.300000</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">0</s:key> <s:key name="can_write">0</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry> <entry> <title>window_metrics</title> <id>https://localhost:8089/services/server/introspection/search/distributed/window_metrics</id> <updated>2015-08-26T14:35:48-07:00</updated> <link href="/services/server/introspection/search/distributed/window_metrics" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/distributed/window_metrics" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="average_bytes">0.000000</s:key> <s:key name="average_msecs">0.000000</s:key> <s:key name="count">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">0</s:key> <s:key name="can_write">0</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> </s:dict> </content> </entry>
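The dispatch endpoints above (Bundle_Directory_Reaper, Compute_User_Search_Quota, Dispatch_Directory_Reaper, Search_StartUp_Time) and the distributed endpoint all return the same Atom layout: one <entry> per metric group, with a <content> element holding an <s:dict> of <s:key name="..."> values, nested <s:dict>/<s:list> for eai:acl. The following is an added example, not Splunk's own code or SDK, that converts that layout into plain Python structures and flags any *_Time(ms) value above a threshold, which is how a practitioner would turn these feeds into a health check. The sample feeds are constructed from the values shown on this page (the XML header and some entries are trimmed), and the millisecond thresholds are assumptions for the demo.

```python
"""Parse Splunk introspection Atom feeds and flag slow dispatch phases or peers.

Added example, not Splunk's own code. It assumes only the response layout shown
on this page. Sample feeds below are constructed from the page's values.
"""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"      # Atom feed namespace
S = "http://dev.splunk.com/ns/rest"       # Splunk "s:" namespace for s:dict/s:key


def _convert(node):
    """Recursively turn an <s:dict>/<s:list>/<s:key>/<s:item> node into dict/list/str."""
    if node.tag == f"{{{S}}}dict":
        return {k.get("name"): _convert(k) for k in node.findall(f"{{{S}}}key")}
    if node.tag == f"{{{S}}}list":
        return [_convert(i) for i in node.findall(f"{{{S}}}item")]
    # An <s:key> or <s:item> either wraps exactly one dict/list or holds text.
    child = next((c for c in node if c.tag in (f"{{{S}}}dict", f"{{{S}}}list")), None)
    if child is not None:
        return _convert(child)
    return (node.text or "").strip()


def parse_feed(xml_text):
    """Return {entry title: {key: value}} for every <entry> in the feed."""
    root = ET.fromstring(xml_text)
    out = {}
    for entry in root.iter(f"{{{ATOM}}}entry"):
        title = entry.findtext(f"{{{ATOM}}}title")
        content = entry.find(f"{{{ATOM}}}content/{{{S}}}dict")
        out[title] = _convert(content) if content is not None else {}
    return out


def timing_metrics(values):
    """Keep only the *_Time(ms) keys of one entry, converted to float."""
    return {k: float(v) for k, v in values.items() if k.endswith("_Time(ms)")}


def slow_entries(feed_values, max_ms):
    """Return (entry, key, value) for every timing that exceeds max_ms."""
    hits = []
    for title, values in feed_values.items():
        for key, ms in timing_metrics(values).items():
            if ms > max_ms:
                hits.append((title, key, ms))
    return hits


# Constructed from the search/distributed response on this page (header trimmed).
SAMPLE_DISTRIBUTED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>search-distributedmetrics</title>
  <entry>
    <title>per_searchhead_metrics</title>
    <content type="text/xml"><s:dict>
      <s:key name="eai:acl"><s:dict>
        <s:key name="app"></s:key><s:key name="can_list">0</s:key>
        <s:key name="perms"><s:dict>
          <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
          <s:key name="write"><s:list/></s:key>
        </s:dict></s:key>
      </s:dict></s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>localhost:8089</title>
    <content type="text/xml"><s:dict>
      <s:key name="Get_Authentication_Max_Time(ms)">4</s:key>
      <s:key name="Get_Authentication_Mean_Time(ms)">3.400000</s:key>
      <s:key name="Get_BundleList_Max_Time(ms)">5</s:key>
      <s:key name="Get_BundleList_Mean_Time(ms)">3.800000</s:key>
      <s:key name="Get_ServerInfo_Max_Time(ms)">14</s:key>
      <s:key name="Get_ServerInfo_Mean_Time(ms)">9.300000</s:key>
    </s:dict></content>
  </entry>
</feed>
"""

# Constructed from the search/dispatch/Search_StartUp_Time response on this page.
SAMPLE_DISPATCH = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>Search_StartUp_Time</title>
    <content type="text/xml"><s:dict>
      <s:key name="Search_StartUp_Time_Average_Time(ms)">128.619048</s:key>
      <s:key name="Search_StartUp_Time_Max_Time(ms)">171</s:key>
    </s:dict></content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    # Thresholds (10 ms per peer call, 150 ms search startup) are demo assumptions.
    for name, xml_text, limit in (("distributed", SAMPLE_DISTRIBUTED, 10.0),
                                  ("dispatch", SAMPLE_DISPATCH, 150.0)):
        for title, key, ms in slow_entries(parse_feed(xml_text), limit):
            print(f"{name}: {title} {key} = {ms} ms exceeds {limit} ms")
```

In production the XML would come from the endpoint itself (for example the curl request shown above, or urllib with a session token); the parser and threshold logic are unchanged. Note that the sample response also carries Get_BundleList_Mean_Time(ms), which the table above does not list, so the parser deliberately keeps every key rather than a fixed set.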
server/introspection/search/saved
https://<host>:<mPort>/services/server/introspection/search/saved
Access most recent scheduled search priority scores and score calculation adjustments.
GET
Enumerate scheduled search details.
Request parameters
None
Returned values
Note: These response data keys are for informational purposes only. They are subject to change or removal at any time.
Name | Description |
---|---|
final_score | Most recent calculated priority score, based on adjustments and original score. |
name | Scheduled search name. |
orig_score | A score based on a search's originally scheduled run time. |
owner | Search scope or context owner. This could be a specific user or "nobody" for a search defined in an app or system-level scope. |
priority_no | Most recent calculated priority number for this search. |
real_time_adj | Real-time search priority adjustment. Real-time searches default to -80000 and continuous scheduled searches default to 0. This particular value is for internal purposes only and is subject to change. |
runtime_adj | Calculated value based on average search runtime. |
skipped_adj | Adjustment for number of times search has been skipped and search period. 0 means the search has not been skipped. |
window_adj | Adjustment for remaining time in search run window. |
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/server/introspection/search/saved
XML Response
<title>introspection-savedsearches</title> <id>https://localhost:8089/services/server/introspection/search/saved</id> <updated>2015-06-03T16:41:21-07:00</updated> <generator build="6cfc0237739f" version="6.3.0"/> <author> <name>Splunk</name> </author> <link href="/services/server/introspection/search/saved/_acl" rel="_acl"/> <opensearch:totalResults>2</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>admin;search;search_1</title> <id>https://localhost:8089/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1</id> <updated>2015-06-03T16:41:21-07:00</updated> <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="final_score">1433294868</s:key> <s:key name="name">search_1</s:key> <s:key name="orig_score">1433374860</s:key> <s:key name="owner">admin</s:key> <s:key name="priority_no">1</s:key> <s:key name="real_time_adj">-80000</s:key> <s:key name="runtime_adj">8</s:key> <s:key name="skipped_adj">0</s:key> <s:key name="window_adj">0</s:key> </s:dict> </content> </entry> <entry> <title>nobody;search;Errors in the last hour</title> <id>https://localhost:8089/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour</id> <updated>2015-06-03T16:41:21-07:00</updated> <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="final_score">1433294980</s:key> <s:key name="name">Errors in the last hour</s:key> <s:key name="orig_score">1433374860</s:key> <s:key name="owner">nobody</s:key> <s:key name="priority_no">2</s:key> <s:key name="real_time_adj">-80000</s:key> <s:key name="runtime_adj">1</s:key> <s:key name="skipped_adj">0</s:key> <s:key name="window_adj">119</s:key> </s:dict> </content> </entry>
server/status
https://<host>:<mPort>/services/server/status
List server/status child resources.
GET
Enumerate server/status endpoints.
Request parameters
None
Returned values
Returns /server/status/ child endpoints.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status
XML Response
... <title></title> <id>https://localhost:8089/services/server/status</id> <updated>2014-03-25T13:52:59-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <s:messages/> <entry> <title>dispatch-artifacts</title> <id>https://localhost:8089/services/server/status/dispatch-artifacts</id> <updated>2014-03-25T13:52:59-07:00</updated> <link href="/services/server/status/dispatch-artifacts" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/dispatch-artifacts" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>fishbucket</title> <id>https://localhost:8089/services/server/status/fishbucket</id> <updated>2014-03-25T13:52:59-07:00</updated> <link href="/services/server/status/fishbucket" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/fishbucket" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>partitions-space</title> <id>https://localhost:8089/services/server/status/partitions-space</id> <updated>2014-03-25T13:52:59-07:00</updated> <link href="/services/server/status/partitions-space" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/partitions-space" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry>
server/status/dispatch-artifacts
https://<host>:<mPort>/services/server/status/dispatch-artifacts
Access search job information.
GET
Get information about dispatched search jobs.
Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
Request parameters
None
Returned values
Name | Description |
---|---|
count_realtime | Jobs active in the immediate past observation period, not including historical jobs. |
count_scheduled | Jobs active in the immediate past observation period, not including real-time jobs. |
count_summary | Jobs active in the immediate past observation period, not including non-summary jobs. |
top_apps | Top 15 apps in the past observation period, in app:count key-value pair format. |
top_named_searches | Top 15 named searches in the past observation period, in savedSearchName:count key-value pair format. |
top_users | Top 15 users in the past observation period, in username:count key-value pair format, with count as the number of app contexts for the user. |
total_count | Number of dispatched search jobs since start-up. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status/dispatch-artifacts
XML Response
... <title>introspection--disk-objects--search-dispatch-artifacts</title> <id>https://localhost:8089/services/server/status/dispatch-artifacts</id> <updated>2014-03-25T11:10:33-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> ... opensearch elements elided ... <s:messages/> <entry> <title>result</title> <id>https://localhost:8089/services/server/status/dispatch-artifacts/result</id> <updated>2014-03-25T11:10:33-07:00</updated> <link href="/services/server/status/dispatch-artifacts/result" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/dispatch-artifacts/result" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="count_realtime">0</s:key> <s:key name="count_scheduled">0</s:key> <s:key name="count_summary">0</s:key> <s:key name="eai:acl"> ... elided ... </s:key> <s:key name="top_apps"/> <s:key name="top_named_searches"/> <s:key name="top_users"/> <s:key name="total_count">0</s:key> </s:dict> </content> </entry>
server/status/fishbucket
https://<host>:<mPort>/services/server/status/fishbucket
Access information about the private BTree database.
GET
Access private BTree database information.
Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
Request parameters
None
Returned values
Name | Description |
---|---|
key_count | Number of file input records (keys) seen since start-up. |
total_size | Total number of file input records (keys). |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status/fishbucket
XML Response
... <title>introspection--disk-objects--fishbucket</title> <id>https://localhost:8089/services/server/status/fishbucket</id> <updated>2014-03-25T11:31:10-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> ... opensearch elements elided ... <s:messages/> <entry> <title>result</title> <id>https://localhost:8089/services/server/status/fishbucket/result</id> <updated>2014-03-25T11:31:10-07:00</updated> <link href="/services/server/status/fishbucket/result" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/fishbucket/result" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> ... elided ... </s:key> <s:key name="key_count">0</s:key> <s:key name="total_size">0.000</s:key> </s:dict> </content> </entry>
server/status/installed-file-integrity
https://<host>:<mPort>/services/server/status/installed-file-integrity
Check for system file irregularities.
GET
Check file integrity status.
Usage details
The GET request returns cached results for an automatic check of all files installed with the currently running Splunk software version. The check compares the currently installed files against the manifest file located in the $SPLUNK_HOME directory. Based on this comparison, the GET response shows an integrity status indicator for each installed file.
By default, this check runs at startup and results are cached when the check completes. The check takes a few minutes to run, and results are available only after it completes. The response indicates whether initial results are not yet ready when the GET request is performed, or whether the check is disabled.
You can prompt a new check to run by passing ?refresh=true with the GET request.
To disable the file integrity check, edit the installed_files_integrity setting in the limits.conf file.
Note: Changing or removing the manifest file prevents the check from working.
Request parameters
Name | Type | Description |
---|---|---|
refresh | Boolean | Set to true to perform a new file integrity check. Only one such check can run at a time. |
regex_filter | PCRE regular expression | Specify a regular expression to filter the results of the check. For example, use regex_filter=\.conf$ to return only configuration files. |
Returned values
For each installed file, one of the following integrity status indicators is returned.
Indicator | Description |
---|---|
<empty> | Indicates complete file integrity. No irregularities were found. |
access_failed | The splunkd process does not have permissions to read the file. |
differs | The installed file differs from the manifest file. |
missing | The installed file was not found. |
read_failed | The installed file comparison failed. |
other_open_failed | A failure other than failure to access or read was encountered when trying to open the file. |
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/server/status/installed-file-integrity?refresh=true
XML Response
The following example is a portion of the response data. The full response lists all installed files and their integrity status.
... <s:key name="/opt/splunktest/etc/system/README/inputs.conf.example">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/inputs.conf.spec">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/limits.conf.example">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/limits.conf.spec">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/messages.conf.example">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/props.conf.spec">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/savedsearches.conf.spec">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/server.conf.spec">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/user-prefs.conf.spec">differs</s:key> <s:key name="/opt/splunktest/etc/system/README/web.conf.spec">differs</s:key> <s:key name="/opt/splunktest/etc/system/bin/field_extractor.py">differs</s:key> <s:key name="/opt/splunktest/etc/system/default/app.conf">differs</s:key> <s:key name="/opt/splunktest/etc/system/default/authorize.conf">differs</s:key> <s:key name="/opt/splunktest/etc/system/default/indexes.conf">differs</s:key> <s:key name="/opt/splunktest/etc/system/default/inputs.conf">differs</s:key> <s:key name="/opt/splunktest/etc/system/default/limits.conf">differs</s:key> ...
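The installed-file-integrity response is the one endpoint on this page with a direct security use: any indicator other than the empty string means a shipped file no longer matches the manifest, which is worth an alert whether the cause is a hotfix, a permissions problem or tampering. The following is an added example, not Splunk's own code, that builds the request URL with the documented refresh and regex_filter parameters, turns the <s:key name="/path">indicator</s:key> rows into a dictionary, and groups the non-clean files by indicator. The sample response is constructed from the paths shown above plus two made-up rows (a clean web.conf and a missing file) so that every branch is exercised; the entry title and the idea of applying the same regex client-side are assumptions, not part of the endpoint's documentation.

```python
"""Triage server/status/installed-file-integrity results.

Added example, not Splunk's own code. Assumes the response layout shown on this
page: one <s:key name="<installed path>">indicator</s:key> per file, where an
empty indicator means the file matches the manifest.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

S = "http://dev.splunk.com/ns/rest"   # Splunk "s:" namespace
OK = ""                               # empty indicator: file matches the manifest


def build_url(base, refresh=False, regex_filter=None):
    """Build the GET URL using the documented refresh and regex_filter parameters."""
    params = {}
    if refresh:
        params["refresh"] = "true"
    if regex_filter:
        params["regex_filter"] = regex_filter
    url = f"{base.rstrip('/')}/services/server/status/installed-file-integrity"
    return f"{url}?{urlencode(params)}" if params else url


def parse_integrity(xml_text):
    """Return {installed path: indicator} from the per-file <s:key> rows.

    File rows are told apart from eai:acl and similar keys by their name being a
    path (contains a slash or backslash); this is an assumption about the layout.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for key in root.iter(f"{{{S}}}key"):
        name = key.get("name", "")
        if "/" in name or "\\" in name:
            results[name] = (key.text or "").strip()
    return results


def summarize(results):
    """Count files per indicator; the empty indicator is reported as 'ok'."""
    counts = {}
    for status in results.values():
        label = status or "ok"
        counts[label] = counts.get(label, 0) + 1
    return counts


def triage(results, regex_filter=None):
    """Group non-clean files by indicator, sorted by path.

    regex_filter is applied client-side with Python's re module so the same
    pattern can be used whether or not it was sent to the server.
    """
    pattern = re.compile(regex_filter) if regex_filter else None
    groups = {}
    for path, status in results.items():
        if status == OK:
            continue
        if pattern and not pattern.search(path):
            continue
        groups.setdefault(status, []).append(path)
    return {status: sorted(paths) for status, paths in groups.items()}


# Constructed sample: four "differs" rows are from this page's example response;
# the clean web.conf row and the "missing" row are made up to exercise every branch.
SAMPLE_INTEGRITY = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>installed-file-integrity</title>
    <content type="text/xml"><s:dict>
      <s:key name="eai:acl"><s:dict><s:key name="app"></s:key></s:dict></s:key>
      <s:key name="/opt/splunktest/etc/system/README/inputs.conf.example">differs</s:key>
      <s:key name="/opt/splunktest/etc/system/bin/field_extractor.py">differs</s:key>
      <s:key name="/opt/splunktest/etc/system/default/app.conf">differs</s:key>
      <s:key name="/opt/splunktest/etc/system/default/limits.conf">differs</s:key>
      <s:key name="/opt/splunktest/etc/system/default/web.conf"></s:key>
      <s:key name="/opt/splunktest/bin/example_missing_file">missing</s:key>
    </s:dict></content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    print(build_url("https://localhost:8089", refresh=True, regex_filter=r"\.conf$"))
    results = parse_integrity(SAMPLE_INTEGRITY)
    print(summarize(results))
    for status, paths in triage(results, r"\.conf$").items():
        print(status, paths)
```

A scheduled job that runs triage against a fresh refresh=true result and alerts whenever the returned dictionary is non-empty gives a simple integrity monitor for the Splunk installation itself; the counts from summarize are useful as a baseline metric so a sudden jump in "differs" after no planned change stands out.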
server/status/limits/search-concurrency
https://<host>:<mPort>/services/server/status/limits/search-concurrency
Access search concurrency metrics for a standalone Splunk Enterprise instance.
GET
Get search concurrency limits for a standalone Splunk Enterprise instance.
Request parameters
None
Returned values
Name | Description |
---|---|
max_auto_summary_searches | Maximum number of auto summary searches. |
max_hist_scheduled_searches | Maximum number of historical scheduled searches. |
max_hist_searches | Maximum number of historical searches. |
max_rt_scheduled_searches | Maximum number of scheduled searches. |
max_rt_searches | Maximum number of real-time searches. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status/limits/search-concurrency
XML Response
... <title>server-status-limits-concurrency</title> <id>https://localhost:8089/services/server/status/limits/search-concurrency</id> <updated>2014-03-25T11:40:16-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> ... opensearch elements elided ... <s:messages/> <entry> <title>search-concurrency</title> <id>https://localhost:8089/services/server/status/limits/search-concurrency/search-concurrency</id> <updated>2014-03-25T11:40:16-07:00</updated> <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> ... elided ... </s:key> <s:key name="max_auto_summary_searches">2</s:key> <s:key name="max_hist_scheduled_searches">5</s:key> <s:key name="max_hist_searches">10</s:key> <s:key name="max_rt_scheduled_searches">5</s:key> <s:key name="max_rt_searches">10</s:key> </s:dict> </content> </entry>
server/status/partitions-space
https://<host>:<mPort>/services/server/status/partitions-space
Access disk utilization information for filesystems that have Splunk objects, such as indexes, volumes, and logs. A filesystem can span multiple physical disk partitions.
GET
Get disk utilization information.
Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
Name | Description |
---|---|
capacity | Disk capacity (MB). |
free | Disk free space (MB). |
fs_type | File system type. Example values: |
mount_point | Absolute path of the directory where this partition is mounted. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status/partitions-space
XML Response
... <title>introspection--disk-objects--partitions-space</title> <id>https://localhost:8089/services/server/status/partitions-space</id> <updated>2014-03-25T11:43:39-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> ... opensearch elements elided ... <s:messages/> <entry> <title>0</title> <id>https://localhost:8089/services/server/status/partitions-space/0</id> <updated>2014-03-25T11:43:39-07:00</updated> <link href="/services/server/status/partitions-space/0" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/partitions-space/0" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="capacity">104901.000</s:key> <s:key name="eai:acl"> ... elided ... </s:key> <s:key name="free">7774.000</s:key> <s:key name="fs_type">ntfs</s:key> <s:key name="mount_point">C:\</s:key> </s:dict> </content> </entry>
server/status/resource-usage
https://<host>:<mPort>/services/server/status/resource-usage
Get current resource (CPU, RAM, VM, I/O, file handle) utilization for the entire host and per Splunk-related process.
GET
Get resource utilization information.
Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
Request parameters
Pagination and filtering parameters can be used with this method.
Returned values
Returns a list of server/status/resource-usage/ endpoints.
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage
XML Response
... <title></title> <id>https://localhost:8089/services/server/status/resource-usage</id> <updated>2014-03-25T11:53:26-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> <s:messages/> <entry> <title>hostwide</title> <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id> <updated>2014-03-25T11:53:26-07:00</updated> <link href="/services/server/status/resource-usage/hostwide" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/resource-usage/hostwide" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry> <entry> <title>splunk-processes</title> <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id> <updated>2014-03-25T11:53:26-07:00</updated> <link href="/services/server/status/resource-usage/splunk-processes" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/resource-usage/splunk-processes" rel="list"/> <content type="text/xml"> <s:dict/> </content> </entry>
server/status/resource-usage/hostwide
https://<host>:<mPort>/services/server/status/resource-usage/hostwide
Access host-level dynamic CPU utilization and paging information.
GET
Get host-level, dynamic CPU utilization and paging information.
Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
Request parameters
None
Returned values
Name | Description |
---|---|
cpu_arch | CPU architecture |
cpu_count | CPU count |
cpu_idle_pct | Percentage of time CPU is idle. |
cpu_system_pct | Percentage of time CPU is running in system mode. |
cpu_user_pct | Percentage of time CPU is running in user mode. |
forks | Cumulative number of forked processes since OS startup. |
mem | Total physical memory available (MB) |
mem_used | Total physical memory used (MB). This value is the amount of actual physical memory minus the amount of physical memory currently available, that is, memory that can be immediately reused without first writing its contents to disk. On Unix, mem_used = total_phys_ram - (free_mem + buffer_mem + cached_mem). On Windows, mem_used = (memoryStatus.ullTotalPhys - memoryStatus.ullAvailPhys); see the GlobalMemoryStatusEx function for more information. |
normalized_load_avg_1min | Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest. |
os_build | Software build for the os_version |
os_name | Operating system name |
os_name_ext | Extended operating system name |
os_version | Operating system version |
pg_paged_out | Cumulative VM page count paged since OS startup. Not available on Windows. |
pg_swapped_out | Cumulative pages swapped out since OS startup. Not available on Windows. |
runnable_process_count | Number of processes running or in the runnable queue. Reported as 1 on Windows, except on Vista+ and XP/Win2003 English-only operating systems. |
splunk_version | Currently installed Splunk software version |
swap | Amount of disk allocated to swap (fractional MB) |
swap_used | Swap space currently in use (fractional MB) |
virtual_cpu_count | Virtual CPU count |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/hostwide
XML Response
<title>introspection--resource-usage--hostwide</title> <id>https://localhost:8089/services/server/status/resource-usage/hostwide</id> <updated>2016-09-19T12:56:56-07:00</updated> <generator build="bf83e168dd2e" version="6.5.0"/> <author> <name>Splunk</name> </author> <link href="/services/server/status/resource-usage/hostwide/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>result</title> <id>https://localhost:8089/services/server/status/resource-usage/hostwide/result</id> <updated>2016-09-19T12:56:56-07:00</updated> <link href="/services/server/status/resource-usage/hostwide/result" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/resource-usage/hostwide/result" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="cpu_arch">x86_64</s:key> <s:key name="cpu_count">4</s:key> <s:key name="cpu_idle_pct">99.37</s:key> <s:key name="cpu_system_pct">0.25</s:key> <s:key name="cpu_user_pct">0.38</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="forks">16462040</s:key> <s:key name="instance_guid">88F85972-368E-45F8-A123-FDB14AE9701E</s:key> <s:key name="mem">7872.781</s:key> <s:key name="mem_used">929.883</s:key> <s:key name="normalized_load_avg_1min">0.00</s:key> <s:key name="os_build">#1 SMP Fri Aug 24 01:07:11 UTC 2012</s:key> <s:key name="os_name">Linux</s:key> <s:key name="os_name_ext">Linux</s:key> <s:key name="os_version">2.6.32-279.5.2.el6.x86_64</s:key> <s:key name="pg_paged_out">732923572</s:key> <s:key name="pg_swapped_out">0</s:key> <s:key name="runnable_process_count">1</s:key> <s:key name="splunk_version">6.5.0</s:key> <s:key name="swap">4031.992</s:key> <s:key name="swap_used">0.000</s:key> <s:key name="virtual_cpu_count">4</s:key> </s:dict> </content> </entry>
server/status/resource-usage/iostats
https://<host>:<mPort>/services/server/status/resource-usage/iostats
Access the most recent disk I/O statistics for each disk. This endpoint is currently supported on Linux, Windows, and Solaris. By default this endpoint is updated every 60 seconds.
GET
Get disk I/O statistics.
Request parameters
None
Returned values
Name | Description |
---|---|
avg_service_ms | Average time requests caused the CPU to be in use, in milliseconds. |
avg_total_ms | Average queue + execution time for requests to be completed, in milliseconds. |
cpu_pct | Percentage of time the CPU was servicing requests. |
device | Device name (e.g., as listed under /dev on UNIX). |
fs_type | Mounted device file system type. |
interval | Interval over which sampling occurred, in seconds. |
mount_point | Mount point(s) of the underlying device. |
reads_kb_ps | Total KB read per second. |
reads_ps | Number of read requests per second. |
writes_kb_ps | Total KB written per second. |
writes_ps | Number of write requests per second. |
Example request and response
XML Request
curl -k -u username:password https://localhost:8089/services/server/status/resource-usage/iostats
XML Response
... <title>introspection--resource-usage--iostats</title> <id>https://localhost:8089/services/server/status/resource-usage/iostats</id> <updated>2015-09-11T14:10:45-04:00</updated> <generator build="78167cb4239c44472aa42425ebc83481b2d83433" version="20150910"/> <author> <name>Splunk</name> </author> <link href="/services/server/status/resource-usage/iostats/_acl" rel="_acl"/> <opensearch:totalResults>2</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>0</title> <id>https://localhost:8089/services/server/status/resource-usage/iostats/0</id> <updated>2015-09-11T14:10:45-04:00</updated> <link href="/services/server/status/resource-usage/iostats/0" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/resource-usage/iostats/0" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="avg_service_ms">0.142</s:key> <s:key name="avg_total_ms">4.110</s:key> <s:key name="cpu_pct">0.05</s:key> <s:key name="device">dm-1</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="fs_type">xfs</s:key> <s:key name="interval">60</s:key> <s:key name="mount_point">/</s:key> <s:key name="reads_kb_ps">0.000</s:key> <s:key name="reads_ps">0.000</s:key> <s:key name="writes_kb_ps">43.050</s:key> <s:key name="writes_ps">3.633</s:key> </s:dict> </content> </entry>
server/status/resource-usage/splunk-processes
https://<host>:<mPort>/services/server/status/resource-usage/splunk-processes
Access operating system resource utilization information.
GET
Get process operating system resource utilization information.
Usage details
At least one observation period must pass after startup for valid endpoint data to be available. The observation period is defined in the following $SPLUNK_HOME/etc/system/default/server.conf stanza.
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
Request parameters
None
Returned values
Name | Description |
---|---|
args | Non-search process arguments. |
cpu_system_time | Cumulative time this process has spent executing in kernel (incl. system calls). Extra field. |
cpu_user_time | Cumulative time this process has spent executing in user space (incl. library functions). Extra field. |
elapsed | Elapsed wall time, accurate to within the collection period. |
fd_used | Number of currently open files used by this process. |
label | Human-readable label for the saved search. |
mem_unshared_data_used | Amount of heap and stack used. Not available on Windows. Extra field. |
mem_used | Current amount of resident physical memory used (KB). (Usually far less deceiving than virtual memory because operating systems can be liberal with virtual memory size but never with resident memory size.) On Windows, mem_used is obtained by reading the WorkingSetSize property returned by the GetProcessMemoryInfo() function (see GetProcessMemoryInfo function and PROCESS_MEMORY_COUNTERS structure). |
normalized_pct_cpu | Percentage of CPU usage across all cores. 100% is equivalent to all CPU resources on the machine. |
page_faults | Number of major page faults. Extra field. |
pct_cpu | Percentage of CPU usage, relative to one core. 100% is equivalent to 1 core. |
pct_memory | Percentage of physical memory used hostwide ((mem_used/available_host_memory) * 100). |
pid | Process ID. |
ppid | Parent process ID. Not available for all processes. |
process | Process name. The .exe suffix is stripped on Windows operating systems. |
read_mb | Amount of data read (MB), excluding cache reads. |
search_head | Dispatching search head for processes running saved searches. |
search_props | Search properties map of the following key value pairs. |
status | Status from the OS scheduler. Can be R (runnable or running), W (waiting), stopped, Z (zombie), or O (other). W includes voluntary sleep or blocking on I/O. O means status is knowable but does not fit into one of those categories. Not available on Windows. |
t_count | Current number of threads. |
written_mb | Amount of data written (MB), excluding canceled writes. |
Example request and response
XML Request
curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/splunk-processes/0
XML Response
<title>introspection--resource-usage--splunk-processes</title> <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id> <updated>2014-03-26T13:35:52-07:00</updated> <generator build="200839" version="6.1"/> <author> <name>Splunk</name> </author> ... opensearch elements elided ... <s:messages/> <entry> <title>0</title> <id>https://localhost:8089/services/server/status/resource-usage/splunk-processes/0</id> <updated>2014-03-26T13:35:52-07:00</updated> <link href="/services/server/status/resource-usage/splunk-processes/0" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/status/resource-usage/splunk-processes/0" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="args"> instrument-resource-usage</s:key> <s:key name="eai:acl"> ... elided ... </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list/> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="elapsed">619262.3610</s:key> <s:key name="mem_used">15.762</s:key> <s:key name="page_faults">12001684</s:key> <s:key name="pct_memory">0.40</s:key> <s:key name="pid">4256</s:key> <s:key name="ppid">2476</s:key> <s:key name="process">splunkd</s:key> <s:key name="t_count">4</s:key> </s:dict> </content> </entry>
server/sysinfo
https://<host>:<mPort>/services/server/sysinfo
Exposes relevant information about the resources and OS settings of the machine where Splunk Enterprise is running.
Usage details
This endpoint provides status information for the server where the current Splunk instance is running. The GET request response includes Kernel Transparent Huge Pages (THP) and ulimit status.
Note: Some properties returned by this endpoint are also returned by server/info. However, the server/info endpoint is meant to provide information on the currently running Splunk instance and not the machine where the instance is running. Server status values returned by server/info should be considered deprecated and might not continue to be accessible from this endpoint. Use the server/sysinfo endpoint for server information instead.
GET
Access server details.
Request parameters
None.
Returned values
Name | Description |
---|---|
cpu_arch | Server CPU architecture. |
numberOfCores | Number of server processor cores. Not applicable if the host is a VM guest. A value of 0 is returned if the number cannot be accessed, and the access failure reason is logged to splunkd.log. |
numberOfVirtualCores | Number of server virtual cores. |
os_build | Software build for the server os_version. |
os_name | Server operating system name. |
os_name_extended | Server operating system name. |
os_version | Server operating system version. |
physicalMemoryMB | Server physical memory (MB). The same value is returned as the mem field from server/status/resource-usage/hostwide. A value of 0 is returned if the number cannot be accessed, and the access failure reason is logged to splunkd.log. |
transparent_hugepages | For Linux systems, includes the following THP status indicators. For non-Linux systems, |
ulimits | On all UNIX systems, lists settings for the following ulimits in place on splunkd at runtime. |
Example request and response
XML Request
curl -k -u admin:changed https://localhost:8089/services/server/sysinfo
XML Response
... <title>system-info</title> <id>https://localhost:8089/services/server/sysinfo</id> <updated>2016-09-08T15:28:11-07:00</updated> <generator build="19e4b5854495" version="6.5.0"/> <author> <name>Splunk</name> </author> <link href="/services/server/sysinfo/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>system-info</title> <id>https://localhost:8089/services/server/sysinfo/system-info</id> <updated>2016-09-08T15:28:11-07:00</updated> <link href="/services/server/sysinfo/system-info" rel="alternate"/> <author> <name>system</name> </author> <link href="/services/server/sysinfo/system-info" rel="list"/> <content type="text/xml"> <s:dict> <s:key name="cpu_arch">x86_64</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app"></s:key> <s:key name="can_list">1</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">0</s:key> <s:key name="owner">system</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>admin</s:item> <s:item>splunk-system-role</s:item> </s:list> </s:key> <s:key name="write"> <s:list/> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="numberOfCores">8</s:key> <s:key name="numberOfVirtualCores">8</s:key> <s:key name="os_build">#1 SMP Thu Feb 9 12:45:44 EST 2012</s:key> <s:key name="os_name">Linux</s:key> <s:key name="os_name_extended">Linux</s:key> <s:key name="os_version">2.6.18-274.18.1.el5</s:key> <s:key name="physicalMemoryMB">7982</s:key> <s:key name="transparent_hugepages"> <s:dict> <s:key name="defrag"></s:key> <s:key name="effective_state">ok</s:key> <s:key name="enabled"></s:key> </s:dict> </s:key> <s:key name="ulimits"> <s:dict> <s:key name="core_file_size">0</s:key> <s:key name="cpu_time">-1</s:key> <s:key name="data_file_size">-1</s:key> <s:key name="data_segment_size">-1</s:key> <s:key name="nice">0</s:key> <s:key name="open_files">1024</s:key> <s:key name="resident_memory_size">-1</s:key> <s:key name="stack_size">10485760</s:key> <s:key name="user_processes">73728</s:key> <s:key name="virtual_address_space_size">-1</s:key> </s:dict> </s:key> </s:dict> </content> </entry>
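The introspection responses above (partitions-space, resource-usage/hostwide, sysinfo) all carry their values in the same Atom feed with nested <s:dict>, <s:key>, <s:list> and <s:item> elements. The following is an added example, not Splunk's own code: it parses that structure into plain Python values and runs two health checks a defender would typically poll for (a low open_files ulimit and a partition running out of free space). The sample XML is constructed from the responses quoted on this page; the 64000 open-file and 10% free-space thresholds are assumptions to tune per deployment.

```python
"""Parse Splunk introspection Atom responses and run simple health checks.

Added example, not Splunk code. Sample feeds below are constructed from the
responses quoted in the documentation (elided parts filled in as well-formed XML).
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "s": "http://dev.splunk.com/ns/rest",
}


def _convert(node):
    """Turn an element that wraps <s:dict>, <s:list> or text into Python values."""
    d = node.find("s:dict", NS)
    if d is not None:
        return {k.get("name"): _convert(k) for k in d.findall("s:key", NS)}
    lst = node.find("s:list", NS)
    if lst is not None:
        return [_convert(i) for i in lst.findall("s:item", NS)]
    return (node.text or "").strip()


def parse_entries(xml_text):
    """Return {entry title: {key: value, ...}} for every <entry> in a feed."""
    root = ET.fromstring(xml_text)
    out = {}
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", default="", namespaces=NS)
        content = entry.find("atom:content", NS)
        out[title] = _convert(content) if content is not None else {}
    return out


def check_sysinfo(info, min_open_files=64000):
    """Flag a low open_files ulimit or a non-ok THP state (thresholds assumed)."""
    findings = []
    open_files = int(info.get("ulimits", {}).get("open_files", "-1"))
    if open_files != -1 and open_files < min_open_files:  # -1 means unlimited
        findings.append(f"open_files ulimit {open_files} below {min_open_files}")
    thp = info.get("transparent_hugepages", {})
    if thp and thp.get("effective_state") != "ok":
        findings.append(f"transparent_hugepages effective_state={thp.get('effective_state')}")
    return findings


def check_partitions(parts, min_free_pct=10.0):
    """Flag partitions whose free space (MB) is below min_free_pct of capacity."""
    findings = []
    for p in parts.values():
        cap, free = float(p["capacity"]), float(p["free"])
        pct = 100.0 * free / cap if cap else 0.0
        if pct < min_free_pct:
            findings.append(f"{p['mount_point']} ({p['fs_type']}): {pct:.1f}% free")
    return findings


# Constructed sample: a trimmed server/sysinfo response.
SAMPLE_SYSINFO_XML = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>system-info</title>
<entry><title>system-info</title><content type="text/xml"><s:dict>
 <s:key name="cpu_arch">x86_64</s:key>
 <s:key name="eai:acl"><s:dict><s:key name="owner">system</s:key>
  <s:key name="perms"><s:dict>
   <s:key name="read"><s:list><s:item>admin</s:item><s:item>splunk-system-role</s:item></s:list></s:key>
   <s:key name="write"><s:list/></s:key></s:dict></s:key></s:dict></s:key>
 <s:key name="physicalMemoryMB">7982</s:key>
 <s:key name="transparent_hugepages"><s:dict><s:key name="defrag"></s:key>
  <s:key name="effective_state">ok</s:key><s:key name="enabled"></s:key></s:dict></s:key>
 <s:key name="ulimits"><s:dict><s:key name="core_file_size">0</s:key>
  <s:key name="open_files">1024</s:key><s:key name="user_processes">73728</s:key></s:dict></s:key>
</s:dict></content></entry></feed>"""

# Constructed sample: a trimmed server/status/partitions-space response.
SAMPLE_PARTITIONS_XML = r"""<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>introspection--disk-objects--partitions-space</title>
<entry><title>0</title><content type="text/xml"><s:dict>
 <s:key name="capacity">104901.000</s:key><s:key name="free">7774.000</s:key>
 <s:key name="fs_type">ntfs</s:key><s:key name="mount_point">C:\</s:key>
</s:dict></content></entry></feed>"""

SYSINFO = parse_entries(SAMPLE_SYSINFO_XML)
PARTITIONS = parse_entries(SAMPLE_PARTITIONS_XML)

if __name__ == "__main__":
    for f in check_sysinfo(SYSINFO["system-info"]) + check_partitions(PARTITIONS):
        print("WARN:", f)
```

Against a live instance, feed the body of the corresponding curl request to parse_entries in place of the constructed samples.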
services/saved/bookmarks/monitoring_console
https://<host>:<mPort>/services/saved/bookmarks/monitoring_console
Add URLs that link to the monitoring consoles of your other deployments, for example if you're an admin overseeing multiple separate Splunk deployments for different teams.
GET
List deployment bookmarks.
Request parameters
Optional request parameters:
Name | Type | Description |
---|---|---|
count | Number | Number of bookmark URLs to list. |
offset | Number | Lists bookmark URLs, offset from the first bookmark. |
search | String | Items to search for, must be valid as SPL. |
sort_dir | Enum | asc or desc; ascending or descending |
sort_key | String | Key to sort on, must be existing key in the stanza |
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/bookmarks/monitoring_console
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>bookmarks-mc</title> <id>https://qa-ubuntu-022:8089/services/saved/bookmarks/monitoring_console</id> <updated>2019-10-13T16:47:42-07:00</updated> <generator build="324da9f5a506" version="8.0.0"/> <author> <name>Splunk</name> </author> <link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/> <link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/> <link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/> <opensearch:totalResults>2</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>deployment-2</title> <id>https://qa-ubuntu-022:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key> </s:dict> </content> </entry> <entry> <title>deployment-3</title> <id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="list"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="edit"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3" rel="remove"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-3/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="url">https://deployment-3-host:8000/en-US/app/splunk_monitoring_console</s:key> </s:dict> </content> </entry> </feed>
POST
Add deployment bookmark URLs.
Request parameters
Name | Type | Description |
---|---|---|
name | String | Name of the deployment bookmark. |
url | String | Full URL to the monitoring console of a different Splunk deployment. |
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass https://localhost:8089/services/saved/bookmarks/monitoring_console -d name=deployment-2 -d url=https://deployment-2-host:8000/en-US/app/splunk_monitoring_console
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>bookmarks-mc</title> <id>https://localhost:8089/services/saved/bookmarks/monitoring_console</id> <updated>2019-10-13T16:16:38-07:00</updated> <generator build="324da9f5a506" version="8.0.0"/> <author> <name>Splunk</name> </author> <link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/> <link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/> <link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>deployment-2</title> <id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key> </s:dict> </content> </entry> </feed>
DELETE
Remove deployment bookmark URLs.
Request parameters
None
Returned values
None
Example request and response
XML Request
curl -k -u admin:pass --request DELETE https://localhost:8089/services/saved/bookmarks/monitoring_console/{name}
XML Response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>bookmarks-mc</title> <id>https://localhost:8089/services/saved/bookmarks/monitoring_console</id> <updated>2019-10-13T16:25:38-07:00</updated> <generator build="324da9f5a506" version="8.0.0"/> <author> <name>Splunk</name> </author> <link href="/services/saved/bookmarks/monitoring_console/_new" rel="create"/> <link href="/services/saved/bookmarks/monitoring_console/_reload" rel="_reload"/> <link href="/services/saved/bookmarks/monitoring_console/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>deployment-2</title> <id>https://localhost:8089/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2</id> <updated>1969-12-31T16:00:00-08:00</updated> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="list"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/_reload" rel="_reload"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="edit"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2" rel="remove"/> <link href="/servicesNS/nobody/search/saved/bookmarks/monitoring_console/deployment-2/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="eai:acl"> <s:dict> <s:key name="app">search</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">1</s:key> <s:key name="sharing">app</s:key> </s:dict> </s:key> <s:key name="url">https://deployment-2-host:8000/en-US/app/splunk_monitoring_console</s:key> </s:dict> </content> </entry> </feed>
This documentation applies to the following versions of Splunk® Enterprise: 9.4.0