Splunk® Enterprise

REST API Tutorials

Accessing and updating Splunk Enterprise configurations

This section describes how to use the Splunk Enterprise REST API to access and update information contained in configuration files (*.conf files). For more information on configuration files, see About Configuration Files and Configuration File Precedence in the Splunk Admin manual.

If you have Splunk Cloud Platform, you cannot change the configuration files in your Splunk Cloud Platform deployment using text editors. Splunk Cloud Platform admins, however, can change configuration files by using the properties set of endpoints. You can also change configuration files in forwarders that you manage in your network.

Two sets of endpoints give access to configuration files.

properties/
configs/conf-{file}/

These endpoints do the same task for updating configurations, but their implementation differs. In most cases, you can use properties endpoints for updating configurations. But, there are times where you can use only the configs/conf-{file} endpoints. For example, use the configs/conf-{file} endpoints for,

Setting permissions
Enabling or disabling a stanza in a configuration
Moving a resource

For reference information on these endpoints, see Configuration endpoint descriptions in the REST API Reference Manual.

Reading configuration files

The way you read configurations files differs between properties/ and configs/conf-{file}/ endpoints.

properties endpoints

The properties set of endpoints give various options for listing configurations. GET operations are available to drill down from the list of configuration files to the key/value pairs.

GET properties
Returns the names of configuration files.
GET properties/{file_name}
Returns the stanza names in {file_name}.conf.
GET properties/{file_name}/{stanza_name}
Returns the key/value pairs for the named stanza.
GET properties/{file_name}/{stanza_name}/{key_name}
Returns the key value.

For example, the search/properties/props GET operation returns all the stanza names for props.conf:

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/props

The response:

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>props</title>
  <id>https://localhost:8089/servicesNS/nobody/search/properties/props/</id>
  . . .
  <entry>
    <title>ActiveDirectory</title>
    <id>https://localhost:8089/servicesNS/nobody/search/properties/props/ActiveDirectory</id>
    <updated>2011-09-14T15:48:40-07:00</updated>
    <link href="/servicesNS/nobody/search/properties/props/ActiveDirectory" rel="alternate"/>
  </entry>
  <entry>
    <title>PerformanceMonitor</title>
    <id>https://localhost:8089/servicesNS/nobody/search/properties/props/PerformanceMonitor</id>
    <updated>2011-09-14T15:48:40-07:00</updated>
    <link href="/servicesNS/nobody/search/properties/props/PerformanceMonitor" rel="alternate"/>
  </entry>
  . . .
  <entry>
    <title>wmi</title>
    <id>https://localhost:8089/servicesNS/nobody/search/properties/props/wmi</id>
    <updated>2011-09-14T15:48:40-07:00</updated>
    <link href="/servicesNS/nobody/search/properties/props/wmi" rel="alternate"/>
  </entry>
  <entry>
    <title>wtmp</title>
    <id>https://localhost:8089/servicesNS/nobody/search/properties/props/wtmp</id>
    <updated>2011-09-14T15:48:40-07:00</updated>
    <link href="/servicesNS/nobody/search/properties/props/wtmp" rel="alternate"/>
  </entry>
</feed>

The /search/properties/props/websphere_core GET operation returns the key/value pairs for the props.conf file websphere_core stanza.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core

The response:

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>websphere_core</title>
  <id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core</id>
  . . .
  <entry>
    <title>ANNOTATE_PUNCT</title>
    <id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core/ANNOTATE_PUNCT</id>
    <updated>2011-09-14T15:55:01-07:00</updated>
    <link href="/servicesNS/nobody/search/properties/props/websphere_core/ANNOTATE_PUNCT" rel="alternate"/>
    <content type="text">True</content>
  </entry>
  <entry>
    <title>BREAK_ONLY_BEFORE</title>
    <id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core/BREAK_ONLY_BEFORE</id>
    <updated>2011-09-14T15:55:01-07:00</updated>
    <link href="/servicesNS/nobody/search/properties/props/websphere_core/BREAK_ONLY_BEFORE" rel="alternate"/>
    <content type="text">^NULL\s</content>
  </entry>
  . . .
  <entry>
    <title>maxDist</title>
    <id>https://localhost:8089/servicesNS/nobody/search/properties/props/websphere_core/maxDist</id>
    <updated>2011-09-14T15:55:01-07:00</updated>
    <link href="/servicesNS/nobody/search/properties/props/websphere_core/maxDist" rel="alternate"/>
    <content type="text">70</content>
  </entry>
</feed>

configs/conf-{file} endpoints

GET operations for these endpoints return entries for the stanzas in the named configuration file, detailing the contents of the stanza as key/value pairs.

For example, the /search/configs/conf-props GET operation lists the props.conf configuration for the default search application.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props

The response, showing elided fragments of a few stanzas in props.conf.

<feed xmlns="http://www.w3.org/2005/Atom" 
  xmlns:s="http://dev.splunk.com/ns/rest" 
  xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>conf-props</title>
  <id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
  <updated>2011-09-14T15:31:24-07:00</updated>
  . . .
  <entry>
    <title>access_combined</title>
    <id>https://localhost:8089/servicesNS/nobody/system/configs/conf-props/access_combined</id>
    . . .
    <content type="text/xml">
      <s:dict>
        <s:key name="ANNOTATE_PUNCT">1</s:key>
        <s:key name="BREAK_ONLY_BEFORE"></s:key>
        <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
        . . .
        <s:key name="maxDist">28</s:key>
        <s:key name="pulldown_type">1</s:key>
      </s:dict>
    </content>
  </entry>
  . . .
  <entry>
    <title>exchange</title>
    <id>https://localhost:8089/servicesNS/nobody/system/configs/conf-props/exchange</id>
    <updated>2011-09-14T15:31:24-07:00</updated>
   . . .
   <content type="text/xml">
      <s:dict>
        <s:key name="ANNOTATE_PUNCT">1</s:key>
        <s:key name="BREAK_ONLY_BEFORE"></s:key>
        <s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
        . . .
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:userName">nobody</s:key>
        <s:key name="maxDist">100</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

Updating Configuration Files

You update a configuration file by adding or editing stanzas to the file. How you do this differs between properties and configs/conf-{file} endpoints. Do DELETE operations from only the configs/conf-{file} endpoints.

The DELETE operation is available from the properties endpoint, but is deprecated. Instead, use the DELETE operations from configs/conf-{file} endpoints.

When you update a configuration, updates are written to the local version of the file. The default version of configurations can be overwritten when you update to a new Splunk version.

properties

Use the POST operation with various properties endpoints to update configuration files.

Use DELETE operations from the configs/conf-{file} endpoints.

configs/conf-{file}

Use the POST operation to add a stanza to the named configuration file. You can also specify key/value pairs for the newly added stanza. For example, the /search/configs/conf-props POST operation creates a new stanza and key/value pairs in props.conf for the default search application.

curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props \
	-d name=myweblogs \
	-d CHARSET=UTF-8 \
	-d SHOULD_LINEMERGE=false

configs/conf-{file}/{name}

Use the POST operation to create or update key/value pairs in the {name} stanza.

Use the DELETE operation to remove a stanza from a configuration file.

Last modified on 12 October, 2021
Managing knowledge objects   Creating searches using the REST API

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters