Introspection endpoint descriptions

Access server and instance information.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud limitations

If you have a managed Splunk Cloud deployment with search head clustering and index clustering, the REST API supports access to the search head only. You can use the REST API to interact with the search head in your deployment. Using the REST API to access any other cluster member nodes is not supported. For example, introspection endpoints are not applicable to Splunk Cloud deployments.

data/index-volumes

https://<host>:<mPort>/services/data/index-volumes

Get information about the volume (logical drives) in use by the Splunk deployment.

Name	Description
max_size	Maximum name volume size limit (MB): `infinite` = No maximum specified.
name	Volume name
total_size	Total name volume capacity (MB). If max_size is `infinite`, this field is not listed.

Name	Description
max_size	Maximum name volume size limit (MB). `infinite` = No maximum specified (i.e., 0, the default)
name	Volume name.
total_size	Total name volume capacity (MB). If max_size is `infinite`, this field is not listed.

Name	Description
assureUTF8	Indicates whether all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance. This is a global setting, not a per index setting.
blockSignSize	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
blockSignatureDatabase	The index that stores block signatures of events. This is a global setting, not a per index setting.
coldPath	Filepath to the cold databases for the index.
coldPath_expanded	Absoute filepath to the cold databases.
coldToFrozenDir	Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, unzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.
coldToFrozenScript	Path to the archiving script. See the POST parameter description for details.
compressRawdata	This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB	Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
datatype	The type of index (event \| metric).
defaultDatabase	If no index destination information is available in the input data, the index shown here is the destination of such data.
disabled	Indicates if the index is disabled.
enableRealtimeSearch	Indicates if this is a real-time search. This is a global setting, not a per index setting.
frozenTimePeriodInSecs	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	An absolute path that contains the hot and warm buckets for the index.
homePath_expanded	An absolute filepath to the hot and warm buckets for the index.
indexThreads	Number of threads used for indexing. This is a global setting, not a per index setting.
isInternal	Indicates if this is an internal index (for example, _internal, _audit).
isReady	Indicates if the index is properly initialized.
lastInitTime	Last time the index processor was successfully initialized. This is a global setting, not a per index setting.
maxConcurrentOptimizes	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time). If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.
maxHotSpanSecs	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	The amount of memory, in MB, allocated for indexing. This is a global setting, not a per index setting.
maxMetaEntries	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxRunningProcessGroups	Maximum number of processes that the indexer fires off at a time. This is a global setting, not a per index setting.
maxTime	ISO8601 timestamp of the newest event time in the index.
maxTotalDataSizeMB	The maximum size of an index, in MB.
maxWarmDBCount	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB	Determines how much memory is given to the indexer memory pool. This is a global setting, not a per-index setting.
minRawFileSyncSecs	Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minTime	ISO8601 timestamp of the oldest event time in the index.
partialServiceMetaPeriod	Related to serviceMetaPeriod. By default it is turned off (zero). If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.
quarantineFutureSecs	Events with timestamp of `quarantineFutureSecs` newer than "now" that are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.
rotatePeriodInSecs	Rotation period, in seconds, that specifies how frequently to check: If a new hot bucket needs to be created. If there are any cold buckets that should be frozen. If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
summarize	If true, leaves out certain index details, which provides a faster response.
suppressBannerList	List of indexes for which we suppress "index missing" warning banner messages. This is a global setting, not a per index setting.
sync	Specifies the number of events that trigger the indexer to sync events. This is a global setting, not a per index setting.
syncMeta	When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of Splunk Support.
thawedPath	An absolute path that contains the thawed (resurrected) databases for the index.
thawedPath_expanded	Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
totalEventCount	Total number of events in the index.
tsidxDedupPostingsListMaxTermsLimit	This setting is valid only when `tsidxWritingLevel` is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates. Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with `tsidxTargetSizeMB` over 1500MB can contain a large number of terms with identical postings lists. Reducing this limit helps conserve memory consumed by optimization processes, at the cost of reduced tsidx compression. Set this limit to 0 to disable deduplicated postings list compression. This setting cannot exceed 1,073,741,824 (2³⁰). Defaults to 8,388,608 (2²³).

Name	Type	Default	Description
blockSignSize	Number	0	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint	String	auto	Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, `auto`, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath	String		An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching. May be defined in terms of a volume definition (see volume section below). Required. Splunk software does not start if an index lacks a valid coldPath.
coldToFrozenDir	String		Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript	String		Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs. If your new script in bin/ is named myColdToFrozen.py, set this key to the following: `coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"` By default, the example script has two possible behaviors when archiving: For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type `splunk rebuild .`, then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets. For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index
compressRawdata	Boolean	true	This parameter is ignored. The splunkd process always compresses raw data.
datatype	String	event	Valid values: (event \| metric). Specifies the type of index.
enableOnlineBucketRepair	Boolean	true	Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs	Number	188697600	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	String		An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge	Number	30d	Valid values are: Integer[m\|s\|h\|d] If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters. For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.
maxConcurrentOptimizes	Number	6	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	Number	auto	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Number	3	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Number	0	Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs	Number	7776000	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	Number	5	The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments. IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.
maxMetaEntries	Number	1000000	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the `punct` field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxTimeUnreplicatedNoAcks	Number	300	Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing.
maxTimeUnreplicatedWithAcks	Number	60	Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMB	Number	500000	The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDBCount	Number	300	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs	Number	disable	Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed
minStreamGroupQueueSize	Number	2000	Minimum size of the queue that stores events in memory before committing them to a tsidx file. Caution: Do not set this value, except under advice from Splunk Support.
name required	String		The name of the index to create.
partialServiceMetaPeriod	Number	0	Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. `partialServiceMetaPeriod` specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval	Number	1	Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs	Number	2592000	Events with timestamp of `quarantineFutureSecs` newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Number	77760000	Events with timestamp of `quarantinePastSecs` older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Number	131072	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, `rawChunkSizeBytes` is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.
repFactor	String	0	Index replication control. This parameter applies to only clustering slaves. `auto` = Use the master index replication configuration value. `0` = Turn off replication for this index.
rotatePeriodInSecs	Number	60	How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod	Number	25	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta	Boolean	true	When `true`, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of a Splunk Support.
thawedPath	String		An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid `thawedPath`.
throttleCheckPeriod	Number	15	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
tstatsHomePath	String		Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition. Caution: Path must be writable. Default value: volume:_splunk_summaries/$_index_name/tstats
warmToColdScript	String		Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting. Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used.

Name	Description
assureUTF8	Boolean value indicating wheter all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance Can only be set globally.
blockSignSize	Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
blockSignatureDatabase	The index that stores block signatures of events. This is a global setting, not a per index setting.
bucketRebuildMemoryHint	Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make.
coldPath	Filepath to the cold databases for the index.
coldPath_expanded	Absoute filepath to the cold databases.
coldToFrozenDir	Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run `splunk rebuild <bucket dir>` on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, unzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.
coldToFrozenScript	Path to the archiving script. See the POST parameter description for details.
compressRawdata	This value is ignored. splunkd process always compresses raw data.
currentDBSizeMB	Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths.
datatype	The type of index (event \| metric).
defaultDatabase	If no index destination information is available in the input data, the index shown here is the destination of such data.
enableOnlineBucketRepair	Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk software.
enableRealtimeSearch	Indicates if this is a real-time search. This is a global setting, not a per index setting.
frozenTimePeriodInSecs	Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years). Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath	An absolute path that contains the hot and warm buckets for the index.
homePath_expanded	An absolute filepath to the hot and warm buckets for the index.
indexThreads	Number of threads used for indexing. This is a global setting, not a per index setting.
isInternal	Indicates if this is an internal index (for example, _internal, _audit).
isReady	Indicates if an index is properly initialized.
lastInitTime	Last time the index processor was successfully initialized. This is a global setting, not a per index setting.
maxBloomBackfillBucketAge	If a bucket (warm or cold) is older than this, Splunk software does not create (or re-create) its bloom filter.
maxConcurrentOptimizes	The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize	The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day. "auto" sets the size to 750MB. "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems. Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.
maxHotBuckets	Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs	Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time). If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.
maxHotSpanSecs	Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days). Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.
maxMemMB	The amount of memory, in MB, allocated for indexing. This is a global setting, not a per index setting.
maxMetaEntries	Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite). If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.
maxTime	ISO8601 timestamp of the newest event time in the index.
maxTimeUnreplicatedNoAcks	Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing.
maxTimeUnreplicatedWithAcks	Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMB	The maximum size of an index, in MB.
maxWarmDBCount	The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold.
memPoolMB	Determines how much memory is given to the indexer memory pool. This is a global setting, not a per-index setting.
minRawFileSyncSecs	Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize	Minimum size of the queue that stores events in memory before committing them to a tsidx file.
minTime	ISO8601 timestamp of the oldest event time in the index.
partialServiceMetaPeriod	Related to serviceMetaPeriod. By default it is turned off (zero). If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.
processTrackerServiceInterval	How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests.
quarantineFutureSecs	Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs	Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes	Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value. Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.
repFactor	Index replication control. This parameter applies to only clustering slaves. `auto` = Use the master index replication configuration value. `0` = Turn off replication for this index.
rotatePeriodInSecs	Rotation period, in seconds, that specifies how frequently to check: If a new hot bucket needs to be created. If there are any cold buckets that should be frozen. If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.
serviceMetaPeriod	Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
suppressBannerList	List of indexes for which we suppress "index missing" warning banner messages. This is a global setting, not a per index setting.
sync	Specifies the number of events that trigger the indexer to sync events. This is a global setting, not a per index setting.
syncMeta	When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures. Note: Do not change this parameter without the input of Splunk Support.
thawedPath	Filepath to the thawed (resurrected) databases for the index.
thawedPath_expanded	Absolute filepath to the thawed (resurrected) databases.
throttleCheckPeriod	Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds). Note: Do not change this parameter without the input of Splunk Support.
totalEventCount	Total number of events in the index.
tsidxDedupPostingsListMaxTermsLimit	This setting is valid only when `tsidxWritingLevel` is at 4 or higher. This maximum term limit sets an upper bound on the number of terms kept inside an in-memory hash table that serves to improve tsidx compression. The tsidx optimizer uses the hash table to identify terms with identical postings lists. When the first instance of a term is received, its postings list is stored. When successive terms with identical postings lists are received, the tsidx optimizer makes them refer to the first instance of the postings list rather than creating and storing term postings list duplicates. Consider increasing this limit to improve compression for large tsidx files. For example, a tsidx file created with `tsidxTargetSizeMB` over 1500MB can contain a large number of terms with identical postings lists. Reducing this limit helps conserve memory consumed by optimization processes, at the cost of reduced tsidx compression. Set this limit to 0 to disable deduplicated postings list compression. This setting cannot exceed 1,073,741,824 (2³⁰). Defaults to 8,388,608 (2²³).
tstatsHomePath	Location where datamodel acceleration TSIDX data for this index is stored.
warmToColdScript	Script to run when moving data from warm to cold. See input parameter description for details.

Name	Description
report_acceleration	Optional. Use `"report_acceleration=1"` to access disk usage by report acceleration summary.
data_model_acceleration	Optional. Use `"data_model_acceleration=1"` to access disk usage by data model acceleration summary.

Name	Description
name	Summary name.
related_indexes	Lists up to 10 indexes that contribute to this summary.
related_indexes_count	Provides total count of related indexes for this summary.
search_head_guid	GUID for the search head that created the summary data.
total_bucket_count	Number of buckets for this summary.
total_size	Total disk size for this summary, in MB.
type	Summary type, either `"report_acceleration"` or `"data_model_acceleration"`.

Name	Datatype	Description
health	String	Indicates the color of the feature: red, yellow or green. The color of mid-level features defaults to the worst health status color of all features reporting to it.
reason	String	Descriptive string that explains the reason the indicator is non-green.

Name	Datatype	Description
health	String	Indicate the color of the feature: red, yellow or green. The color of midlevel features is the worst color of all the features reporting to it.
messages	String	The last 50 messages from `splunkd.log` that might relate to the feature status change. Returned only if a feature color is not green.
reasons	String	Describes the indicator(s) that caused the feature's status to change to a non-green state. Returned only if a feature color is not green.
due_to_stanza	String	Indicates the stanza name in `health.conf` where the configuration for the non-green indicator exists.
due_to_threshold	String	Indicates the threshold because of which the color of the indicator is non-green.
due_to_threshold_value	Numeric	Indicates the value of the above threshold.
indicator	String	Name of the indicator because of which the feature is non-green.
reason	String	Descriptive string that explains the reason the indicator is non-green.

Name	Type	Description
alert_action:<action_name>	String	Specify the alert action name. `<action_name>` can be one of the following: [email \| PagerDuty]
action.to	String	Primary email address to use with the email alert action.
action.cc	String	CC email address to use with the email alert action.
action.bcc	String	BCC email address to use with the email alert action.
action.integration_url_override	String	Sets the `<integration key>` value for PagerDuty alert action. For example `action.integration_url_override=78c3b6cf0a884a538410fe2812273b0b`
disabled	Boolean	Enables/disables the alert action. Possible values are 0 and 1. A value of 1 disables the alert action.

Name	Description
activeLicenseGroup	Type of Splunk software license. Enterprise Forwarder Free Invalid Trial
addOns	Names of active add-ons.
build	The build number for this Splunk instance version.
cpu_arch	The architecture type for the CPU hosting `splunkd`. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
guid	Globally unique identifier for this server.
host	Server name.
host_fqdn	host fully-qualified domain name.
isFree	Indicates if this server is running the Splunk instance under a free license.
isTrial	Indicates if this server is using a trial license.
kv_store_status	App KV store availability.
license_labels	Labels associated with the license used on this server.
licenseKeys	License key unique for each license.
licenseSignature	Hash signature for the license used on this server.
licenseState	Specifies the status of the license, which can be either OK or Expired.
master_guid	Globally unique identifier for this server.
max_users	Maximum number of users on the instance.
mode	Indicates whether the server is a dedicated forwarder. Possible values are: normal dedicated forwarder
numberOfCores	Server number of processor cores. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_build	Software build for the server os_version. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_name	Server operating system. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
os_version	Server operating system version. The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
physicalMemoryMB	Server physical memory (MB). The value returned in the `server/info` response should be considered deprecated. Use server/sysinfo to access this response key and value instead.
product_type	Splunk software product type. One of the following values. enterprise hunk lite lite_free splunk
rtsearch_enabled	Indicates if real-time search is enabled for the instance on this server.
server_roles	Zero or more of the following possible server roles. indexer universal_forwarder heavyweight_forwarder lightweight_forwarder license_master license_slave cluster_master cluster_slave cluster_search_head deployment_server deployment_client search_head search_peer shc_captain shc_deployer shc_member See also: server/roles endpoint.
serverName	Server DNS domain name.
startup_time	Server platform start time, in seconds since January 1, 1970 (UNIX epoch).
version	Displays the Splunk platform version.
versionControlEnabled	Indicates whether the View version history option is enabled on the instance. A value of `True` means that the option is enabled.

Name	Description
Bundle_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Bundle_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Compute_User_Search_Quota_Average_Time(ms)	Average time for computing user search quota.
Compute_User_Search_Quota_Max_Time(ms)	Maximum time for computing user search quota.
Dispatch_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Dispatch_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Search_StartUp_Time_Average_Time(ms)	Average time for preprocessing before search startup. Counted from time search state is set to `RUNNING`. Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.
Search_StartUp_Time_Max_Time(ms)	Maximum time for preprocessing before search startup. Counted from time search state is set to `RUNNING`. Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.

Name	Description
Bundle_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk search peer directory and reap obsolete bundles.
Bundle_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk search peer directory and reap obsolete bundles.

Name	Description
Dispatch_Directory_Reaper_Average_Time(ms)	Average time for dispatch reaper to walk dispatch directory and reap stale artifacts.
Dispatch_Directory_Reaper_Max_Time(ms)	Maximum time for dispatch reaper to walk dispatch directory and reap stale artifacts.

Name	Type	Description
alert.disabled	Boolean	Possible values are 0 or 1. A value of 1 disables alerting for this feature. If alerting is disabled in the [health_reporter] stanza, alerting for this feature is disabled, regardless of the value set here. If the value is set to 1, alerting or all indicators is disabled. Default: 0 (enabled).
alert.min_duration_sec	Number	The minimum amount of time, in seconds, that the health status color must persist before an alert triggers.
alert.threshold_color	String	The health status color that triggers an alert. Possible values are yellow and red. Default: red.
alert:<indicator_name>.disabled	Number	Possible values are 0 or 1. A value of 1 disables alerting for this indicator. Default: 0 (enabled).
alert:<indicator_name>.min_duration_sec	Number	The minimum amount of time, in seconds, that the health status color must persist before an alert triggers for this indicator.
alert:<indicator_name>.threshold_color	String	The health status color that triggers an alert for this indicator. Possible values are yellow and red. Default: red.
disable	Boolean	Disables/enables reporting the health of the feature. Use `disabled=1` to disable the feature. Use `disabled=0` to enable the feature.
distributed_disabled	Boolean	Disables/enables reporting the health of the feature in the distributed health report Use `disabled=1` to disable the feature. Use `disabled=0` to enable the feature.
feature:<feature_name>	String	Specify the feature name. `feature_name` can be any supported feature listed in $SPLUNK_HOME/etc/system/default/health.conf.
indicator:<indicator name>:<color>	Number	The indicator threshold value that triggers a health status change to the specified color for the indicator.

Name	Description
Get_Authentication_Max_Time(ms)	Maximum time for search head to get authentication from this peer.
Get_Authentication_Mean_Time(ms)	Average time for search head to get authentication from this peer.
Get_BundleList_Max_Time(ms)	Maximum time for search head to get bundle list from this peer.
Get_ServerInfo_Max_Time(ms)	Maximum time for search head to get server information back from this peer.
Get_ServerInfo_Mean_Time(ms)	Average time for search head to get server information back from this peer.

Name	Description
final_score	Most recent calculated priority score, based on adjustments and original score.
name	Scheduled search name.
orig_score	A score based on a search's originally scheduled run time.
owner	Search scope or context owner. This could be a specific user or "nobody" for a search defined in an app or system-level scope.
priority_no	Most recent calculated priority number for this search.
real_time_adj	Real-time search priority adjustment. Real-time searches default to -80000 and continuous scheduled searches default to 0. This particular value is for internal purposes only and is subject to change.
runtime_adj	Calculated value based on average search runtime.
skipped_adj	Adjustment for number of times search has been skipped and search period. 0 means the search has not been skipped.
window_adj	Adjustment for remaining time in search run window.

Name	Description
count_realtime	Jobs active in the immediate past observation period, not including historical jobs.
count_scheduled	Jobs active in the immediate past observation period, not including real-time jobs.
count_summary	Jobs active in the immediate past observation period, not including non-summary jobs.
top_apps	Top 15 apps in the past observation period, inapp:count key-value pair format.
top_named_searches	Top 15 named searches in the past observation period, in savedSearchName:count key-value pair format.
top_users	Top 15 users in the past observation period, in username:count key-value pair format, with count as the number of app contexts for the user.
total_count	Number of dispatched search jobs since start-up.

Name	Description
key_count	Number of file input records (keys) seen since start-up.
total_size	Total number of file input records (keys).

Name	Type	Description
refresh	Boolean	Set to `true` to perform a new file integrity check. Only one such check can be performed at a time.
regex_filter	PCRE regular expression	Specify a regular expression to filter results of the check. For example, use `regex_filter=\.conf$` to filter results for configuration files.

Indicator	Description
<empty>	Indicates complete file integrity. No irregularities were found.
access_failed	The `splunkd` process does not have permissions to read the file.
differs	The installed file differs from the manifest file.
missing	The installed file was not found.
read_failed	The installed file comparison failed.
other_open_failed	A failure other than failure to access or read was encountered when trying to open the file.

Name	Description
max_auto_summary_searches	Maximum number of auto summary searches.
max_hist_scheduled_searches	Maximum number of historical scheduled searches.
max_hist_searches	Maximum number of historical searches.
max_rt_scheduled_searches	Maximum number of scheduled searches.
max_rt_searches	Maximum number of real-time searches.

Name	Description
capacity	Disk capacity (MB).
free	Disk free space (MB).
fs_type	File system type. Example values: Linux: ext2, ext3, ext4, qnx4 Solaris: ufs, zfs Windows: ntfs, fat32 AIX: jfs (not OS-specific) WORM: ISO9660, UDF13346 (not OS-specific); network-shared: SMB, CIFS, NFS (not OS-specific) Veritas: VxFS.
mount_point	Absolute path of the directory where this partition is mounted.

Name	Description
cpu_arch	CPU architecture
cpu_count	CPU count
cpu_idle_pct	Percentage of time CPU is idle.
cpu_system_pct	Percentage of time CPU is running in system mode.
cpu_user_pct	Percentage of time CPU is running in user mode.
forks	Cumulative number of forked processes since OS startup.
mem	Total physical memory available (MB)
mem_used	Total physical memory used (MB). This value represents the amount of actual physical memory minus the amount of physical memory currently available. This is the amount of physical memory that can be immediately reused without having to first write its contents to disk. On Unix, mem_used = total_phys_ram - (free_mem + buffer_mem + cached_mem) On Windows, mem_used = (memoryStatus.ullTotalPhys - memoryStatus.ullAvailPhys) See GlobalMemoryStatusEx function for more information.
normalized_load_avg_1min	Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest.
os_build	Software build for the os_version
os_name	Operating system name
os_name_ext	Extended operating system name
os_version	Operating system version
pg_paged_out	Cumulative VM page count paged since OS startup. Not available on Windows.
pg_swapped_out	Cumulative pages swapped out since OS startup. Not available on Windows.
runnable_process_count	Number of process running or in the runnable queue. Value reported as 1 on Windows except for Vista+ and XP/Win2003 English-only operating systems.
splunk_version	Currently installed Splunk software version
swap	Amount of disk allocated to swap (fractional MB)
swap_used	Swap space currently in use (fractional MB)
virtual_cpu_count	Virtual CPU count

Related answers from Splunk Community

Introspection endpoint descriptions

Usage details

Review ACL information for an endpoint

Authentication and Authorization

App and user context

Splunk Cloud limitations

data/index-volumes

GET

data/index-volumes/{name}

GET

data/indexes

GET

POST

data/indexes/{name}

DELETE

GET

POST

data/indexes-extended

GET

data/indexes-extended/{name}

GET

data/summaries

GET

data/summaries/{summary_name}

GET

server/health/deployment

GET

server/health/deployment/details

GET

server/health/splunkd

GET

server/health/splunkd/details

GET

server/health-config

GET

server/health-config/{alert_action}

POST

server/health-config/{feature_name}

POST

server/info

GET

server/introspection

GET

server/introspection/indexer

GET

server/introspection/kvstore

GET

server/introspection/kvstore/collectionstats

GET

server/introspection/kvstore/replicasetstats

GET

server/introspection/kvstore/serverstatus

GET

server/introspection/search/dispatch

GET

Name	Description
avg_service_ms	Average time requests caused the CPU to be in use, in milliseconds.
avg_total_ms	Average queue + execution time for requests to be completed, in milliseconds.
cpu_pct	Percentage of time the CPU was servicing requests.
device	Device name (e.g., as listed under /dev on UNIX).
fs_type	Mounted device file system type.
interval	Interval over which sampling occurred, in seconds.
mount_point	Mount point(s) of the underlying device.
reads_kb_ps	Total number of kb read per second.
reads_ps	Number of read requests per second.
writes_kb_ps	Total number of kb written per second.
writes_ps	Number of write requests per second.

Name	Description
args	Non-search process arguments.
cpu_system_time	Cumulative time this process has spent executing in kernel (incl. system calls). Extra field.
cpu_user_time	Cumulative time this process has spent executing in user space (incl. library functions). Extra field.
elapsed	Elapsed wall time, accurate to within the collection period.
fd_used	Number of currently open files used by this process.
label	Human-readable label for the saved search.
mem_unshared_data_used	Amount of heap and stack used. Not available on Windows. Extra field.
mem_used	Current amount of resident physical memory used (MB). (Usually far less deceiving than virtual memory because operating systems can be liberal with virtual memory size but never with resident memory size.) On Windows, mem_used is obtained by reading the `WorkingSetSize` property returned by the `GetProcessMemoryInfo()` function (see GetProcessMemoryInfo function and PROCESS_MEMORY_COUNTERS structure).
normalized_pct_cpu	Percentage of CPU usage across all cores. `100%` is equivalent to all CPU resources on the machine.
page_faults	Number of major page faults. Extra field.
pct_cpu	Percentage of CPU usage, relative to one core. `100%` is equivalent to 1 core.
pct_memory	Percentage of physical memory used hostwide ((mem_used/available_host_memory) * 100).
pid	Process ID.
ppid	Parent process ID. Not available for all processes.
process	Process name. The `.exe` suffix is stripped on Windows operating systems.
read_mb	Amount of data read (MB), excluding cache reads.
search_head	Dispatching search head for processes running saved searches.
search_props	Search properties map of the following key value pairs. `acceleration_id`: Acceleration ID `app`: App name `mode`: One of the following search modes. `historical` `historical batch` `RT` `RT indexed` `provenance`: One of the following search sources. `cli` `rest` `ui:<App>:<View>` `role`: Splunk Enterprise platform role. Either `head` or `peer`. `scan_count`: Event scan count for running process. Available only in Linux systems. This property is offered experimentally and might be changed or removed in a future release. `delta_scan_count`: Delta event scan count for running process. Available only in Linux systems. This property is offered experimentally and might be changed or removed in a future release. `sid`: Search ID (SID). `type`: One of the following search types. `ad-hoc` `datamodel acceleration` `other` `report acceleration` `scheduled` `summary indexing` `user`: Splunk username who initiated the search
status	Status from the OS scheduler. Can be R (runnable or running), W (waiting), stopped, Z (zombie), or O (other). W includes voluntary sleep or blocking on I/O. O means status is knowable but does not fit into one of those categories. Not available on Windows.
t_count	Current number of threads.
written_mb	Amount of data written (MB), excluding canceled writes.

Name	Description
cpu_arch	Server CPU architecture.
numberOfCores	Number of server processor cores. Not applicable if host is a VM guest. A value of `0` is returned if the number cannot be accessed and the access failure reason is logged to `splunkd.log`.
numberOfVirtualCores	Number of server virtual cores.
os_build	Software build for the server os_version.
os_name	Server operating system name.
os_name_extended	Server operating system name.
os_version	Server operating system version.
physicalMemoryMB	Server physical memory (MB). The same value is returned as the `mem` field from `server/status/resource-usage/hostwide`. A value of `0` is returned if the number cannot be accessed and the access failure reason is logged to `splunkd.log`.
transparent_hugepages	For Linux systems, includes the following THP status indicators. `defrag` `effective_state` `enabled` For non-Linux systems, `effective_state` is set to `ok`
ulimits	On all UNIX systems, lists settings for the following `ulimits` in place on `splunkd` at runtime. `core_file_size` `cpu_time` `data_file_size` `data_segment_size` `nice` `open_files` `resident_memory_size` `stack_size` `user_processes` `virtual_address_space_size`

Name	Type	Description
count	Number	Number of bookmark URLs to list.
offset	Number	Lists bookmark URLs, offset from the first bookmark.
search	String	Items to search for, must be valid as SPL.
sort_dir	Enum	asc or desc; ascending or descending
sort_key	String	Key to sort on, must be existing key in the stanza

Name	Type	Description
name	String	Name of the deployment bookmark.
url	string	Full URL to the monitoring console of a different Splunk deployment.