Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Manage indexes on Splunk Cloud Platform Classic Experience

Splunk Cloud Platform Classic Experience now provides full support for managing indexes programmatically using the ACS (Admin Config Service) API. For more information, see Manage indexes in Splunk Cloud Platform in the Admin Config Service Manual.

If your Splunk Cloud Platform deployment is on Classic Experience, you can manage your indexes programmatically using the Splunk REST API cluster_blaster_indexes/sh_indexes_manager endpoint. To determine if your Splunk Cloud Platform deployment is on Classic Experience:

  1. In Splunk Web, click Support & Services > About.
  2. In the About panel, under Splunk Cloud, find your Experience: Classic or Victoria.

For more information on Splunk Cloud Platform Experiences, see Determine your Splunk Cloud Platform Experience.

Requirements

  • Splunk Cloud Platform version 8.0.2007 or higher.
  • You must have the sc_admin (Splunk Cloud Administrator) role.

Authentication and authorization

There are two methods you can use to authenticate and authorize endpoint requests:

  • Authentication token. You can create a valid JWT authentication token in the Splunk Cloud Platform UI.
  • Username and password.

For more information on authentication and authorization, see Basic Concepts about the Splunk platform REST API in the Splunk Enterprise REST API User Manual.

Manage indexes

You can perform the following index management actions on Splunk Cloud Platform deployments running on Classic Experience.

List all indexes

To list all indexes, send an HTTP GET request to the following endpoint: 

localhost:8089/services/cluster_blaster_indexes/sh_indexes_manager

For example: 

curl -k -H "Authorization: Bearer ${TOKEN}" https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json

The request output lists existing indexes, including configuration parameter values for each index. For example: 

{"links":{"create":"/services/cluster_blaster_indexes/sh_indexes_manager/_new","disabled":"/services/cluster_blaster_indexes/sh_indexes_manager/disabled"},"origin":"https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager","updated":"2021-10-06T22:44:52+00:00","generator":{"build":"2e4da17c2b37","version":"8.2.2107"},"entry":[{"name":"christian","id":"https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian","updated":"1970-01-01T00:00:00+00:00",

...

"content":{"archiver.enableDataArchive":"0","archiver.maxDataArchiveRetentionPeriod":"315360000","datatype":"event","disabled":"0","eai:acl":null,"eai:acl.app":"cloud_administration","eai:acl.appDisplayName":"_cluster_admin","frozenTimePeriodInSecs":"30000","isS2Mode":"true","isVirtual":"0","maxGlobalDataSizeMB":"0","maxGlobalRawDataSizeMB":"5000","maxTotalDataSizeMB":"0","metric.timestampResolution":"s","totalEventCount":"0","totalRawSizeMB":"0"}},{"name":"cryt","id":"https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/cryt","updated":"1970-01-01T00:00:00+00:00",

...

"messages":[]}

Create a new index

To create a new index, send an HTTP POST request to the cluster_blaster_indexes/sh_indexes_manager endpoint, specifying the following index parameters: name, maxTotalDataSizeMB, frozenTimePeriodInSecs, and maxGlobalRawDataSizeMB. For example: 

curl -k -H "Authorization: Bearer ${TOKEN}" https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager -d name=my_name -d maxTotalDataSizeMB=500 -d frozenTimePeriodInSecs=30000 -d maxGlobalRawDataSizeMB=6000

Sample request output: 

...
  <title></title>
  <id>https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager</id>
  <updated>2021-10-06T22:38:13+00:00</updated>
  <generator build="2e4da17c2b37" version="8.2.2107"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster_blaster_indexes/sh_indexes_manager/_new" rel="create"/>
  <link href="/services/cluster_blaster_indexes/sh_indexes_manager/disabled" rel="disabled"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

View an individual index

To view an individual index, send an HTTP GET request to the cluster_blaster_indexes/sh_indexes_manager/{name} endpoint, specifying the name of the index. For example: 

curl -k -H "Authorization: Bearer ${TOKEN}" https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager/christian

Sample request output: 

...
    <title>christian</title>
    <id>https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="list"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="edit"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="remove"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/clean" rel="clean"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="archiver.enableDataArchive">0</s:key>
        <s:key name="archiver.maxDataArchiveRetentionPeriod">315360000</s:key>
        <s:key name="datatype">event</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">cloud_administration</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms"/>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl.app">cloud_administration</s:key>
        <s:key name="eai:acl.appDisplayName">_cluster_admin</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>datatype</s:item>
                <s:item>maxGlobalDataSizeMB</s:item>
                <s:item>maxTotalDataSizeMB</s:item>
                <s:item>metric.timestampResolution</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>frozenTimePeriodInSecs</s:item>
                <s:item>maxGlobalRawDataSizeMB</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>archiver\..*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="frozenTimePeriodInSecs">30000</s:key>
        <s:key name="isS2Mode">true</s:key>
        <s:key name="isVirtual">0</s:key>
        <s:key name="maxGlobalDataSizeMB">0</s:key>
        <s:key name="maxGlobalRawDataSizeMB">5000</s:key>
        <s:key name="maxTotalDataSizeMB">0</s:key>
        <s:key name="metric.timestampResolution">s</s:key>
        <s:key name="totalEventCount">0</s:key>
        <s:key name="totalRawSizeMB">0</s:key>
      </s:dict>
    </content>
  </entry>

Update an index

To update an index, send an HTTP POST request to the cluster_blaster_indexes/sh_indexes_manager/{name} endpoint, specifying the name of the index you want to update, along with the updated index parameter values. The POST request support updates to maxTotalDataSizeMB, frozenTimePeriodInSecs, and maxGlobalRawDataSizeMB parameters. For example: 

curl -k -H "Authorization: Bearer ${TOKEN}" -X 'POST' https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager/christian -d maxTotalDataSizeMB=500 -d frozenTimePeriodInSecs=30000 -d maxGlobalRawDataSizeMB=6000

Sample request output: 

...
  <entry>
    <title>christian</title>
    <id>https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="list"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="edit"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="remove"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/clean" rel="clean"/>
    <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="archiver.enableDataArchive">0</s:key>
        <s:key name="archiver.maxDataArchiveRetentionPeriod">315360000</s:key>
        <s:key name="datatype">event</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">cloud_administration</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms"/>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl.app">cloud_administration</s:key>
        <s:key name="eai:acl.appDisplayName">_cluster_admin</s:key>
        <s:key name="frozenTimePeriodInSecs">70000</s:key>
        <s:key name="isS2Mode">true</s:key>
        <s:key name="isVirtual">0</s:key>
        <s:key name="maxGlobalDataSizeMB">0</s:key>
        <s:key name="maxGlobalRawDataSizeMB">6000</s:key>
        <s:key name="maxTotalDataSizeMB">0</s:key>
        <s:key name="metric.timestampResolution">s</s:key>
        <s:key name="totalEventCount">0</s:key>
        <s:key name="totalRawSizeMB">0</s:key>
      </s:dict>
    </content>
  </entry>

Delete an index

To delete an index, send an HTTP DELETE request to the cluster_blaster_indexes/sh_indexes_manager/{name} endpoint, specifying the name of the index you want to delete. For example: 

curl -k -H "Authorization: Bearer ${TOKEN}" -X 'DELETE' https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager/christian
Last modified on 07 February, 2023
Store expired Splunk Cloud Platform data in a Splunk-managed archive   Install apps on your Splunk Cloud Platform deployment

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters