Splunk Cloud Platform

Admin Config Service Manual


Admin Config Service (ACS) API endpoint reference

Use the ACS API endpoint reference to learn about the endpoints and operations that provide programmatic self-service administration for Splunk Cloud Platform.

You must have the sc_admin (Splunk Cloud Platform Administrator) role to use the ACS API.

For more information on ACS API requirements, see ACS requirements and compatibility matrix.

For information on ACS API setup and usage, see Basic setup and usage concepts for the ACS API.

ACS endpoint categories

ACS API endpoints are grouped into the following categories based on feature use case:

Feature / Endpoints

Configure IP allow lists
    access/{feature}/ipallowlists

Configure outbound ports
    access/outbound-ports
    access/outbound-ports/{port}

Enable private connectivity
    private-connectivity/eligibility
    private-connectivity/endpoints

Manage app permissions
    permissions/apps
    permissions/apps/{app-name}

Manage authentication tokens
    tokens
    tokens/{tokenID}

Manage DDSS self storage locations
    cloud-resources/self-storage-locations/buckets
    cloud-resources/self-storage-locations/buckets/{bucketPath}
    cloud-resources/self-storage-locations/configs/prefix
    cloud-resources/self-storage-locations/buckets/{bucketName}/policy
    cloud-resources/self-storage-locations/configs/service-accounts

Manage HTTP Event Collector (HEC) tokens
    inputs/http-event-collectors
    inputs/http-event-collectors/{hec-token-name}

Manage indexes
    indexes
    indexes/{name}

Manage limits.conf configurations
    limits
    limits/{stanza}
    limits/{stanza}/{setting}
    limits/{stanza}/{reset}

Manage private apps and Splunkbase apps (Victoria Experience)
    apps/victoria
    apps/victoria/{app_name}

Manage private apps and Splunkbase apps (Classic Experience)
    apps
    apps/{app_name}

Manage restarts
    restart-now
    restart/status

Retry failed operations
    deployment/status
    deployment/retry
    deployment/status/{deploymentID}

View maintenance windows
    maintenance-windows/schedules
    maintenance-windows/schedules/{scheduleID}

Authentication and authorization

The ACS API requires a JSON Web Token (JWT) for authentication. You can create this token in the Splunk Cloud Platform UI or using the ACS API. For more information, see Create an authentication token.

In addition, a user's role must contain the capabilities required to access the ACS API endpoint. The sc_admin role has all required capabilities by default. For more information on using Splunk Cloud Platform role-based access controls with ACS, see Manage ACS API access with capabilities.


Configure IP allowlists

The ACS API provides the following endpoints to configure IP allowlists. For more information on how to configure IP allowlists using the ACS API, see Configure IP allowlists for Splunk Cloud Platform.

access/{feature}/ipallowlists

https://admin.splunk.com/{stack}/adminconfig/v2/access/{feature}/ipallowlists

List, update, and delete IP allow lists.


GET

List subnets on the existing IP allow list for a feature.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
feature String The IP allow list feature type.


Returned values

Name Type Description
subnets String The IP subnets currently listed on the IP allow list for a given feature.

Example request and response

JSON Request

curl https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists

JSON Response

{
  "subnets": [
     ": #.0.0.0/24",
     ": #.0.0.0/24",
     ": #.0.10.6/32"
  ]
}

POST

Add subnets to the IP allow list for a feature.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
feature String The IP allow list feature type.
subnets String List of subnets to add to the IP allow list.


Returned values
None


Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

JSON Response

{
"code": "200"
}

DELETE

Delete subnets from the IP allow list for a feature.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
feature String The IP allow list feature type.
subnets String List of subnets to delete from the IP allow list.


Returned values
None


Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2Vj...' \
--header 'Content-Type: application/json' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

JSON Response

{
"code": "200"
}
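
The following is an added example, not part of the Splunk documentation: one way to turn the GET response for a feature's allow list and a reviewed desired list into the JSON bodies for the POST and DELETE calls shown above, while holding back malformed or overly broad entries. The function names, the `REVIEW_LIMIT` prefix lengths and the sample subnets are assumptions made for this example.

```python
import ipaddress

# Assumption for this example: entries broader than these prefix lengths
# are held back for manual review instead of being sent to ACS.
REVIEW_LIMIT = {4: 16, 6: 32}


def validate_desired(subnets):
    """Return ({network: cidr_string}, [(raw, reason)]) for a requested list."""
    accepted, rejected = {}, []
    for raw in subnets:
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 203.0.113.7/24
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, f"invalid CIDR: {exc}"))
            continue
        limit = REVIEW_LIMIT[net.version]
        if net.prefixlen < limit:
            rejected.append((raw, f"/{net.prefixlen} is broader than /{limit}"))
            continue
        accepted[net] = str(net)
    return accepted, rejected


def plan_allowlist_changes(get_response, desired_subnets):
    """Diff the GET response against the desired list.

    Returns the JSON bodies for the POST (add) and DELETE (remove) calls
    plus the desired entries that failed validation.
    """
    desired, rejected = validate_desired(desired_subnets)
    current = {}
    for raw in get_response.get("subnets", []):
        try:
            key = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            key = raw  # unparseable entry: never matches, so it is removed
        current[key] = raw  # keep the stored spelling for the DELETE body
    to_add = desired.keys() - current.keys()
    to_remove = current.keys() - desired.keys()
    return {
        "post_body": {"subnets": sorted(desired[n] for n in to_add)},
        "delete_body": {"subnets": sorted(current[n] for n in to_remove)},
        "rejected": rejected,
    }


# Constructed sample data (the page redacts its own subnets).
CURRENT = {"subnets": ["10.0.0.0/24", "192.0.2.0/24", "0.0.0.0/0"]}
DESIRED = ["10.0.0.0/24", "198.51.100.6/32", "203.0.113.7/24", "10.0.0.0/8"]

if __name__ == "__main__":
    import json
    print(json.dumps(plan_allowlist_changes(CURRENT, DESIRED), indent=2))
```

Review the `rejected` list by hand before sending either body, since a rejected entry is neither added nor used to justify keeping an existing one.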

Configure outbound ports

access/outbound-ports

https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports

List and create outbound ports.


GET

List existing outbound ports.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
name String The outbound port name.
port Number The outbound port number.
destinationRanges String The allowed destination IP subnets for the outbound port.
reason String The purpose for the outbound port.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/access/outbound-ports' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

[
   {
       "destinationRanges": [
           "34.226.34.80/32",
           "54.226.34.80/32"
       ],
       "name": "8089",
       "port": 8089
   },
   {
       "destinationRanges": [
           "4.16.171.10/32"
       ],
       "name": "8590",
       "port": 8590
   }
]

POST

Create an outbound port.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
outboundPorts String The outbound port number and destination subnets.
port Number The outbound port number.
subnets String The allowed destination subnets for the outbound port.
reason String The purpose of the outbound port.


Returned values

Name Type Description
outboundPorts String The outbound port number and destination subnets.
port Number The outbound port number.
subnets String The allowed destination subnets for the outbound port.
reason String The purpose of the outbound port.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/access/outbound-ports' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'  \
--data-raw '{
   "outboundPorts": [{"subnets": ["34.226.34.80/32", "54.226.34.80/32"], "port": 8089}],
   "reason": "testing federated search connection"
}'

JSON Response

{
   "outboundPorts": [
       {
           "port": 8089,
           "subnets": [
               "34.226.34.80/32",
               "54.226.34.80/32"
           ]
       }
   ],
   "reason": "testing federated search connection"
}

access/outbound-ports/{port}

https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports/{port}

Describe and delete outbound ports.


GET

Describe an outbound port.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
port Number The outbound port number.


Returned values

Name Type Description
destinationRanges String The allowed destination IP subnets for the outbound port.
name String The outbound port name.
port Number The outbound port number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports/8089' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "destinationRanges": [
       "34.226.34.80/32",
       "54.226.34.80/32"
   ],
   "name": "8089",
   "port": 8089
}

DELETE

Delete an outbound port.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
subnets String The allowed destination IP subnets for the outbound port.


Returned values

Name Type Description
subnets String The deleted destination IP subnets for the outbound port.


Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports/8089' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--header 'Content-Type: application/json' \
--data-raw '{
"subnets": ["54.203.114.197/32", "34.226.34.80/32"]
}'

JSON Response

{
   "subnets": [
       "54.203.114.197/32",
       "34.226.34.80/32"
   ]
}


Manage app permissions

permissions/apps

https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps

List app permissions.

GET

List read and write permissions assigned to roles for all apps.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.


Returned values

Name Type Description
name String The app name.
read String List of roles with app read permission.
write String List of roles with app write permission.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps?count={{count}}&offset={{offset}}' \
--header 'Authorization: Bearer eyJraWQi0iJzcGX1...'

JSON Response

{
    "apps": [
        {
            "name": "app1",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "*"
                ]
            }
        },
        {
            "name": "app2",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "admin"
                ]
            }
        },
        {
            "name": "app3",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "admin"
                ]
            }
        }
    ]
}

permissions/apps/{app-name}

https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps/{app-name}

View and configure read and write permissions for individual apps.

GET

View read and write permissions assigned to roles for an individual app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app-name String The app name.


Returned values

Name Type Description
name String The app name.
read String List of roles assigned app read permission.
write String List of roles assigned app write permission.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps/{app-name}' \
--header 'Authorization: Bearer eyJraWQi0iJzcGX1...'

JSON Response

{
    "name": "APP-NAME",
    "perms": {
        "read": [
            "admin",
            "power"
        ],
        "write": [
            "admin"
        ]
    }
}


PATCH

Assign read and write permissions to roles for an individual app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app-name String The app name.
read String List of roles to assign app read permission.
write String List of roles to assign app write permission.


Returned values

Name Type Description
name String The app name.
read String Updated list of roles assigned app read permission.
write String Updated list of roles assigned app write permission.

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps/{app-name}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}' \
--data '{
    "read": ["admin", "power"],
    "write": ["admin"]
}'

JSON Response

{
    "name": "acs_test_app_1",
    "perms": {
        "read": [
            "admin",
            "power"
        ],
        "write": [
            "admin"
        ]
    }
}
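
The following is an added example, not part of the Splunk documentation: a sketch of a permissions review that walks the `count`/`offset` pages of `permissions/apps`, reports apps whose write permission is granted to every role (`*`), and builds the PATCH body that narrows it. `fetch_page` is a hypothetical caller-supplied function that performs the authenticated GET; here it is replaced by a stub serving the sample response from this page.

```python
MAX_COUNT = 100  # documented maximum for the count parameter


def list_all_app_perms(fetch_page, page_size=MAX_COUNT):
    """Collect every app by walking count/offset pages.

    fetch_page(count, offset) is a caller-supplied function (hypothetical)
    returning the parsed JSON of GET permissions/apps?count=..&offset=..
    """
    if not 1 <= page_size <= MAX_COUNT:
        raise ValueError("page_size must be between 1 and 100")
    apps, offset = [], 0
    while True:
        page = fetch_page(page_size, offset).get("apps", [])
        apps.extend(page)
        if len(page) < page_size:  # short page: nothing left to fetch
            return apps
        offset += page_size


def wildcard_write(apps):
    """Names of apps that any role can write to."""
    return sorted(
        a["name"] for a in apps if "*" in a.get("perms", {}).get("write", [])
    )


def restrict_write_body(app, write_roles):
    """Body for PATCH permissions/apps/{app-name}: read kept, write replaced."""
    return {
        "read": list(app["perms"].get("read", [])),
        "write": sorted(set(write_roles)),
    }


# Sample data taken from the GET permissions/apps response on this page.
SAMPLE_APPS = [
    {"name": "app1", "perms": {"read": ["*"], "write": ["*"]}},
    {"name": "app2", "perms": {"read": ["*"], "write": ["admin"]}},
    {"name": "app3", "perms": {"read": ["*"], "write": ["admin"]}},
]


def fake_fetch(count, offset):
    """Offline stand-in for the real HTTP call."""
    return {"apps": SAMPLE_APPS[offset:offset + count]}


if __name__ == "__main__":
    apps = list_all_app_perms(fake_fetch, page_size=2)
    for name in wildcard_write(apps):
        app = next(a for a in apps if a["name"] == name)
        print(name, restrict_write_body(app, ["admin"]))
```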

Manage DDSS storage locations

cloud-resources/self-storage-locations/buckets

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets

List self storage locations.


GET

List existing self storage locations.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
bucketName String The self storage bucket name in AWS or GCP.
bucketPath String A unique identifier combining bucketName and folder.
title String The title of the self storage location in Splunk Cloud Platform.
description String A description of the self storage location.
folder String The self storage bucket folder.
uri String The URI of the self storage location in AWS or GCP.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "selfStorageLocations": [
        {
            "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
            "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/dup-title-ui",
            "description": "Test dupilcate title from UI",
            "folder": "dup-title-ui",
            "title": "test-bucket-1-with-message",
            "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/dup-title-ui"
        },
        {
            "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
            "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder",
            "description": "Test",
            "folder": "some-folder",
            "title": "test-bucket-1-with-message",
            "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder"
        },
        {
            "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
            "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message",
            "description": "Test configuring ddss with ACS and show async message",
            "folder": "with-message",
            "title": "test-bucket-1-with-message",
            "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message"
        }
    ]
}


POST

Configure self storage locations in AWS or GCP.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
bucketName String The self storage bucket name in AWS or GCP.
title String The title of the self storage location in Splunk Cloud Platform.
description String (Optional) A description of the self storage location.
folder String (Optional) The self storage bucket folder.


Returned values

Name Type Description
bucketName String The self storage bucket name in AWS or GCP.
bucketPath String A unique identifier combining bucketName and folder.
title String The title of the self storage location in Splunk Cloud Platform.
description String A description of the self storage location.
folder String The self storage bucket folder.
uri String The URI of the self storage location in AWS or GCP.

Example request and response

JSON Request

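curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--header 'Content-Type: application/json' \
--data-raw '{"bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1", "title": "test-bucket-1-with-message", "description": "Test configuring ddss with ACS and show async message", "folder": "with-message"}'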

JSON Response

For AWS S3:

{
    "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
    "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message",
    "description": "Test configuring ddss with ACS and show async message",
    "folder": "with-message",
    "title": "test-bucket-1-with-message",
    "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message"
}

For GCP GCS:

{
    "bucketName": "indexes-acs-gcp-ic1l-bucket",
    "bucketPath": "indexes-acs-gcp-ic1l-bucket/untitled-folder",
    "description": "Test configuring ddss with ACS on GCP Stack",
    "folder": "untitled-folder",
    "title": "test-bucket-for-gcp",
    "uri": "gs://indexes-acs-gcp-ic1l-bucket/untitled-folder"
}




cloud-resources/self-storage-locations/buckets/{bucketPath}

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/{bucketPath}

Describe self storage locations.


GET

Describe a self storage location.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
bucketPath String A unique identifier combining bucketName and folder. Must be URL encoded. For example, acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder must be passed as acs-play-noah-aws-iycf10l9z5nl-bucket-1%2Fsome-folder.


Returned values

Name Type Description
bucketName String The self storage bucket name in AWS or GCP.
bucketPath String A unique identifier combining bucketName and folder.
title String The title of the self storage location in Splunk Cloud Platform.
description String A description of the self storage location.
folder String The self storage bucket folder.
uri String The URI of the self storage location in AWS or GCP.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/acs-play-noah-aws-iycf10l9z5nl-bucket-1%2Fsome-folder' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

For AWS deployments:

{
    "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
    "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder",
    "description": "Test",
    "folder": "some-folder",
    "title": "test-bucket-1-with-message",
    "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder"
}

For GCP deployments:

{
    "bucketName": "acs-play-noah-gcp-ic1l-bucket",
    "bucketPath": "acs-play-noah-gcp-ic1l-bucket/some-folder",
    "description": "Test",
    "folder": "some-folder",
    "title": "test-bucket-with-message",
    "uri": "gs://acs-play-noah-gcp-ic1l-bucket/some-folder"
}




cloud-resources/self-storage-locations/configs/prefix

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/prefix

Get prefix to configure a bucket.


GET

Get prefix to configure a bucket.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
message String Bucket prefix syntax reminder.
prefix String The predefined bucket name prefix provided by Splunk Cloud Platform.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/prefix' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "message": "Please create a bucket in the same region as your Splunk Cloud environment. The bucket must have 'acs-play-noah-aws-iycf10l9z5nl-' as the prefix in the name",
    "prefix": "acs-play-noah-aws-iycf10l9z5nl-"
}




cloud-resources/self-storage-locations/buckets/{bucketName}/policy

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/{bucketName}/policy

Get IAM policy for AWS S3 bucket.


GET

Get IAM policy for AWS S3 bucket.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
bucketName String The name of the AWS S3 bucket.


Returned values

Name Type Description
message String Reminder that you must apply the IAM policy to your S3 bucket in AWS.
policy String The IAM policy for the specified AWS S3 bucket.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/{bucketName}/policy' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "message": "Please copy and apply this bucket policy to your S3 bucket in AWS. Please refer to https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage for more info.",
    "policy": {
        "Statement": [
            {
                "Action": [
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::594195655983:role/acs-play-noah-aws"
                },
                "Resource": [
                    "arn:aws:s3:::acs-play-noah-aws-iycf10l9z5nl-some-bucket",
                    "arn:aws:s3:::acs-play-noah-aws-iycf10l9z5nl-some-bucket/*"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
}




cloud-resources/self-storage-locations/configs/service-accounts

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/service-accounts

Get service accounts for GCP GCS bucket.


GET

Get service accounts for GCP GCS bucket.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
message String Reminder that you must configure proper permissions for GCP service accounts.
serviceAccounts String The two service accounts associated with your Splunk Cloud Platform deployment in GCP.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/service-accounts' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "message": "Please configure proper permissions for the GCP service accounts. Please refer to https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage for more info.",
    "serviceAccounts": {
        "clusterMaster": "indexes-acs-gcp-c0m1@indexes-acs-gcp-cdf8.iam.gserviceaccount.com",
        "indexer": "indexes-acs-gcp-idx@indexes-acs-gcp-cdf8.iam.gserviceaccount.com"
    }
}

Manage authentication tokens

tokens

https://admin.splunk.com/{stack}/adminconfig/v2/tokens

View and create JWT authentication tokens.


GET

View existing JWT tokens.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.
username String Specifies user whose tokens will be listed.
status String Specifies whether to return "enabled" or "disabled" tokens. Must be either "enabled" or "disabled".


Returned values

Name Type Description
user String The name of the token user.
audience String The purpose of the token.
id String The token ID.
status String The status of token authentication.
expiresOn String The time the token will expire. Time is UTC.
notBefore String The time you can start to use the token. Default is now. Time is UTC.
lastUsed String The time the token was last used. Time is UTC.
lastUsedIP String The IP address of the instance on which the token was last used.


Example request and response

JSON Request

curl -X GET 'https://admin.splunk.com/{stack}/adminconfig/v2/tokens/' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi...'

JSON Response

[
     {
          "id": "d9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e809364a8",
          "user": "admin",
          "audience": "acs-test",
          "status": "enabled",
          "expiresOn": "2021-11-19T00:34:46Z",
          "notBefore": "2021-10-20T00:34:46Z",
          "lastUsed": "2021-10-20T03:52:53Z",
          "lastUsedIP": "50.216.96.2"
     },
     {
          "id": "a9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e80936984",
          "user": "admin",
          "audience": "acs-test2",
          "status": "enabled",
          "expiresOn": "2022-05-19T00:34:46Z",
          "notBefore": "2022-04-20T00:34:46Z",
          "lastUsed": "2022-04-24T03:52:53Z",
          "lastUsedIP": "45.216.96.2"
     }
]

POST

Create a new token.


Request parameters

Name Type Description
username String The login username for the Splunk Cloud Platform instance.
password String The login password for the Splunk Cloud Platform instance.
user String The name of the token user. Must be an existing user.
audience String The purpose of the token.
type String Accepts values of "ephemeral" or "static". A value of "ephemeral" creates a token with default expiresOn value of 6 hours. A value of "static" means there is no effect on the existing expiresOn value, which defaults to +30d.
expiresOn String The amount of time until the token expires. You can specify this value in relative time (+<number>[s][m][h][d]) or absolute time (YYYY-MM-DDTHH:MM:SS[+HH:MM]). Default is +30d. Time is UTC.


Returned values

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
user String The name of the token user.
audience String The purpose of the token.
id String The token ID.
status String The status of token authentication.
expiresOn String The time the token will expire. Time is UTC.
notBefore String The time you can start to use the token. Default is now. Time is UTC.

Example request and response

JSON Request

curl -u username:password -X POST 'https://admin.splunk.com/keziabutterfinger/adminconfig/v2/tokens' \
--header 'Content-Type: application/json' \
--data-raw '{
  "user" : "admin",
  "audience" : "acs-test",
  "expiresOn" : "+100d"
}'

JSON Response

{
   "user": "admin",
   "audience": "acs-test",
   "id": "0c1daac93fd01bc50cfe8ed938ce401bc168a8730c1c9e2f343671541e759fbf",
   "token": "eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJhZG1pbiBmcm9tIHNoLWktMGJlMzJiYTM1YjY4MDlhMDEiLCJzdWIiOiJhZG1pbiIsImF1ZCI6Imtlei10ZXN0IiwiaWRwIjoiU3BsdW5rIiwianRpIjoiMzA0YmEzYWQxOWMwOWRhYmYxYzljY2YzYTcxMTM3NTQ1NmFiODM0ZDljMjBjN2E3MzYzNWUyYWMxNmQ5OWFiMSIsImlhdCI6MTYzNDA2NjAzMSwiZXhwIjoxNjM2NjU4MDMxLCJuYnIiOjE2MzQwNjYwMzF9.Cml1yQMXgo18dauOuORTc4vTxm1tWuXOL6sBj0TEV1lwOIqo5sCBKv_B45Jjb34XkK-TJQgdYqcOoV0un-ARDQ",
   "status": "enabled",
   "expiresOn": "2021-12-16T21:37:11Z",
   "notBefore": "2021-11-16T21:37:11Z"
}

tokens/{id}

https://admin.splunk.com/{stack}/adminconfig/v2/tokens/{id}

View and delete individual tokens.


GET

View a token.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
id String The token ID.


Returned values

Name Type Description
user String The name of the token user.
audience String The purpose of the token.
id String The token ID.
status String The status of token authentication.
expiresOn String The time the token will expire. Time is UTC.
notBefore String The time you can start to use the token. Default is now. Time is UTC.
lastUsed String The time the token was last used. Time is UTC.
lastUsedIP String The IP address of the instance on which the token was last used.


Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/tokens/55ee3d1c199645c330d28dcd9fa50bc6e9f74154c3d1c3d31229b6e78be77ed7' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "id": "d9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e809364a8",
   "user": "admin",
   "audience": "acs-test",
   "status": "enabled",
   "expiresOn": "2021-11-19T00:34:46Z",
   "notBefore": "2021-10-20T00:34:46Z",
   "lastUsed": "2021-10-20T03:52:53Z",
   "lastUsedIP": "50.216.96.2"
}

DELETE

Delete a token.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
id String The token ID.


Returned values
None

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/tokens/55ee3d1c199645c330d28dcd9fa50bc6e9f74154c3d1c3d31229b6e78be77ed7' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
"code": "200"
}
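
The following is an added example, not part of the Splunk documentation: a token hygiene check over the GET `tokens` response that flags enabled tokens that are expired, long-lived, stale, never used, or last used from outside an expected network, and lists the `tokens/{id}` URLs to review for deletion. The thresholds, the expected network, the third sample token and the handling of a missing `lastUsed` field are assumptions made for this example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone


def parse_utc(value):
    """Parse the timestamp format used on this page, e.g. 2021-11-19T00:34:46Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_tokens(tokens, now, expected_networks, max_lifetime_days=30, stale_days=90):
    """Return {token id: [findings]} for enabled tokens that need attention."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    report = {}
    for tok in tokens:
        if tok.get("status") != "enabled":
            continue
        findings = []
        expires = parse_utc(tok["expiresOn"])
        not_before = parse_utc(tok["notBefore"])
        if expires <= now:
            findings.append("expired")
        if expires - not_before > timedelta(days=max_lifetime_days):
            findings.append("long-lived")
        last_used = tok.get("lastUsed")
        if not last_used:  # assumption: absent or empty means never used
            findings.append("never-used")
        elif now - parse_utc(last_used) > timedelta(days=stale_days):
            findings.append("stale")
        ip = tok.get("lastUsedIP")
        if ip and not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append("unexpected-source-ip")
        if findings:
            report[tok["id"]] = findings
    return report


def delete_urls(stack, report, finding="expired"):
    """tokens/{id} URLs (for DELETE) of tokens carrying the given finding."""
    base = f"https://admin.splunk.com/{stack}/adminconfig/v2/tokens/"
    return [base + token_id for token_id, found in report.items() if finding in found]


# First two entries come from the GET tokens response on this page;
# the third is constructed to show a long-lived, never-used token.
SAMPLE_TOKENS = [
    {"id": "d9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e809364a8",
     "user": "admin", "audience": "acs-test", "status": "enabled",
     "expiresOn": "2021-11-19T00:34:46Z", "notBefore": "2021-10-20T00:34:46Z",
     "lastUsed": "2021-10-20T03:52:53Z", "lastUsedIP": "50.216.96.2"},
    {"id": "a9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e80936984",
     "user": "admin", "audience": "acs-test2", "status": "enabled",
     "expiresOn": "2022-05-19T00:34:46Z", "notBefore": "2022-04-20T00:34:46Z",
     "lastUsed": "2022-04-24T03:52:53Z", "lastUsedIP": "45.216.96.2"},
    {"id": "constructed-token-id-3",
     "user": "admin", "audience": "constructed", "status": "enabled",
     "expiresOn": "2022-07-10T00:00:00Z", "notBefore": "2022-04-01T00:00:00Z"},
]
NOW = datetime(2022, 4, 25, tzinfo=timezone.utc)  # fixed so the result is repeatable
EXPECTED_NETWORKS = ["50.216.96.0/24"]            # constructed expected source range

if __name__ == "__main__":
    report = audit_tokens(SAMPLE_TOKENS, NOW, EXPECTED_NETWORKS)
    for token_id, findings in report.items():
        print(token_id[:12], findings)
    print(delete_urls("{stack}", report))
```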

Manage HTTP Event Collector (HEC) tokens

The ACS API provides the following endpoints to manage HEC tokens. For more information on how to manage HEC tokens using the ACS API, see Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform.

ACS endpoints for HEC token management apply to deployments on Victoria Experience only. See Determine your Splunk Cloud Platform Experience.

inputs/http-event-collectors

https://admin.splunk.com/{stack}/adminconfig/v2/inputs/http-event-collectors

List and create HEC tokens.


GET

List existing HEC tokens.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.


Returned values

Name Type Description
name String The HEC token name. This is the token ID, not the actual token value.
disabled Boolean The enabled/disabled status of the HEC token.
defaultindex String Default index to store generated events.
useACK Boolean (Optional) Enable/disable (true/false) indexer acknowledgement.
token String The full token value.

Example request and response

JSON Request

curl https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors

JSON Response

{
   "http-event-collectors": [
       {
           "spec": {
               "allowedIndexes": [
                   "main",
                   "summary"
               ],
               "defaultHost": "",
               "defaultIndex": "main",
               "defaultSource": "",
               "defaultSourcetype": "",
               "disabled": true,
               "name": "hec-token-name",
               "useACK": true 
           },
           "token": "9803a48f-b733-4106-8a3f-871c53ee2675"
       }
   ]
}

POST

Create a new HEC token.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
name String The HEC token name. This is the token ID, not the actual token value.
defaultIndex String Default index to store generated events.
useACK Boolean (Optional) Enable/disable (true/false) indexer acknowledgement.
token String (Optional) An existing token value.


Returned values

Name Type Description
token String The full token value.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v2/inputs/http-event-collectors' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--header 'Content-Type: application/json' \
--data-raw '{
   "allowedIndexes": [
       "main",
       "summary"
   ],
   "defaultHost": "",
   "defaultIndex": "main",
   "defaultSource": "",
   "defaultSourcetype": "",
   "disabled": false,
   "name": "hec-token-name",
   "useACK": true,
   "token": "this_is_my_token"
}'

JSON Response

{
   "http-event-collector": {
       "spec": {
           "allowedIndexes": [
               "main",
               "summary"
           ],
           "defaultHost": "",
           "defaultIndex": "main",
           "defaultSource": "",
           "defaultSourcetype": "",
           "disabled": false,
           "name": "hec-token-name",
           "useACK": true
       },
       "token": "this_is_my_token"
   }
}

inputs/http-event-collectors/{hec-token-name}

https://admin.splunk.com/{stack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}

View, update, and delete HEC tokens.


GET

View an individual HEC token.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
name String The HEC token name. This is the token ID, not the actual token value.


Returned values

Name Type Description
disabled Boolean The enabled/disabled status of the HEC token.
defaultIndex String Default index to store generated events.
useACK Boolean (Optional) Enable/disable (true/false) indexer acknowledgement.
token String The full token value.

Example request and response

JSON Request

curl https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}

JSON Response

{
   "http-event-collectors": [
       {
           "spec": {
               "allowedIndexes": [
                   "main",
                   "summary"
               ],
               "defaultHost": "",
               "defaultIndex": "main",
               "defaultSource": "",
               "defaultSourcetype": "",
               "disabled": true,
               "name": "hec-token-name"
           },
           "token": "9803a48f-b733-4106-8a3f-871c53ee2675"
       }
   ]
}

PUT

Update an existing HEC token.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
defaultHost String Default index to store generated events.
defaultIndex String Default event source.
defaultSource String Default index to store generated events.
defaultSourcetype String Default index to store generated events.
disabled String Default index to store generated events.
name String The name of the HEC token. This is the token ID, not the actual token value.
useACK Boolean (Optional) Enable/disable (true/false) indexer acknowledgement.


Returned values
None

Example request and response

JSON Request

curl -X PUT 'https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--header 'Content-Type: application/json' \
--data-raw '{
   "allowedIndexes": [
       "main",
       "summary"
   ],
   "defaultHost": "",
   "defaultIndex": "main",
   "defaultSource": "",
   "defaultSourcetype": "",
   "disabled": false,
   "name": "hec-token-name"
}'

JSON Response

{
"code": "200"
}

DELETE

Delete an HEC token.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
name String The HEC token name. This is the token ID, not the actual token value.


Returned values
None


Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--header 'Content-Type: application/json'

JSON Response

{
"code": "200"
}
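The HEC token responses above return the full token value next to each token's index scope. The following is an added example, not Splunk's code: it audits a saved list or single-token response without echoing the secret. The sample response is constructed (the second and third entries are invented), the function names and finding codes are hypothetical, and the reading of an empty allowedIndexes list as "no index restriction" is an assumption to confirm for your deployment.

```python
import hashlib
import json
import re

# HEC token values generated by Splunk are GUID-shaped, as in the example above.
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)

# Constructed sample modelled on the GET inputs/http-event-collectors response.
# Only the first entry appears in this reference; the other two are invented.
SAMPLE_RESPONSE = """
{"http-event-collectors": [
  {"spec": {"allowedIndexes": ["main", "summary"], "defaultHost": "",
            "defaultIndex": "main", "defaultSource": "", "defaultSourcetype": "",
            "disabled": true, "name": "hec-token-name", "useACK": true},
   "token": "9803a48f-b733-4106-8a3f-871c53ee2675"},
  {"spec": {"allowedIndexes": ["summary"], "defaultIndex": "main",
            "disabled": false, "name": "legacy-app"},
   "token": "this_is_my_token"},
  {"spec": {"allowedIndexes": [], "defaultIndex": "main",
            "disabled": false, "name": "catch-all"},
   "token": "1f0c7a5e-3b0d-4c57-9d7e-2a6b8f4e9c11"}
]}
"""


def fingerprint(token_value):
    """Short SHA-256 tag so a report can correlate a token without printing it."""
    digest = hashlib.sha256(token_value.encode("utf-8")).hexdigest()
    return "sha256:" + digest[:12]


def iter_tokens(doc):
    """Yield (spec, token) pairs from a list response or a single-token response."""
    if "http-event-collectors" in doc:      # GET list form
        entries = doc["http-event-collectors"]
    elif "http-event-collector" in doc:     # POST (create) form
        entries = [doc["http-event-collector"]]
    else:
        raise ValueError("not an HEC token response")
    for entry in entries:
        yield entry.get("spec", {}), entry.get("token", "")


def audit_hec_tokens(doc):
    """Return one report row per token; the token value itself is never included."""
    report = []
    for spec, token in iter_tokens(doc):
        allowed = spec.get("allowedIndexes") or []
        default_index = spec.get("defaultIndex", "")
        disabled = bool(spec.get("disabled", False))
        findings = []
        # A caller-supplied value (the optional "token" parameter of POST) may be
        # guessable; anything that is not GUID-shaped deserves a manual review.
        if not GUID_RE.fullmatch(token):
            findings.append("TOKEN_NOT_GUID")
        # Events that name no index go to defaultIndex, so it should be allowed.
        if allowed and default_index and default_index not in allowed:
            findings.append("DEFAULT_INDEX_NOT_ALLOWED")
        # Assumption: an empty allowedIndexes list means the token is not
        # restricted to specific indexes. Only enabled tokens are flagged.
        if not allowed and not disabled:
            findings.append("NO_INDEX_RESTRICTION")
        report.append({
            "name": spec.get("name", ""),
            "token_fp": fingerprint(token),
            "disabled": disabled,
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    for row in audit_hec_tokens(json.loads(SAMPLE_RESPONSE)):
        print(row)
```
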

Manage indexes

The ACS API provides the following endpoints to manage indexes. For more information on how to manage indexes using the ACS API, see Manage indexes in Splunk Cloud Platform.

ACS supports index management on Splunk Cloud Platform deployments on both Victoria Experience and Classic Experience.

indexes

https://admin.splunk.com/{stack}/adminconfig/v2/indexes

List and create indexes.


GET

List existing indexes.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.


Returned values

Name Type Description
name String The index name.
datatype String The type of data the index holds. Possible values: event or metric
searchableDays Number Number of days the index is searchable.
maxDataSizeMB Number The maximum size of the index in megabytes.
totalEventCount Number The total number of events in an index.
totalRawSizeMB Number The total amount of raw data in an index in megabytes.
splunkArchivalRetentionDays Number The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA).
selfStorageBucketPath String The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS).

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes'

JSON Response

[
   {
       "name": "history",
       "datatype": "event",
       "searchableDays": 7,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "lastchanceindex",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "main",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "splunklogger",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "summary",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   }
]

POST

Create a new index.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud deployment.
name String The index name.
datatype String The type of data the index holds. Possible values: event or metric.
searchableDays Number Number of days the index is searchable.
maxDataSizeMB Number The maximum size of the index in megabytes.
splunkArchivalRetentionDays Number The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA). Specifying this value enables DDAA for the index.
selfStorageBucketPath String The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS). Specifying this value enables DDSS for the index. Note: Before you can create an index with DDSS enabled, you must configure a self-storage location for your deployment.


Returned values

Name Type Description
name String The index name.
datatype String The type of data the index holds. Possible values: event or metric
searchableDays Number Number of days the index is searchable.
maxDataSizeMB Number The maximum size of the index in megabytes.
totalEventCount Number The total number of events in an index.
totalRawSizeMB Number The total amount of raw data in an index in megabytes.
splunkArchivalRetentionDays Number The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA).
selfStorageBucketPath String The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS).

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--header 'Content-Type: application/json' \
--data-raw '{
   "name": "testindex"
}'

JSON Response

{
   "name": "testindex",
   "datatype": "event",
   "searchableDays": 90,
   "maxDataSizeMB": 0,
   "totalEventCount": "0",
   "totalRawSizeMB": "0"
}

indexes/{name}

https://admin.splunk.com/{stack}/adminconfig/v2/indexes/{name}

View, update, and delete indexes.


GET

View an individual index.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
name String The name of the index.


Returned values

Name Type Description
name String The index name.
datatype String The type of data the index holds. Possible values: event or metric
searchableDays Number Number of days the index is searchable.
maxDataSizeMB Number The maximum size of the index in megabytes.
totalEventCount Number The total number of events in an index.
totalRawSizeMB Number The total amount of raw data in an index in megabytes.
splunkArchivalRetentionDays Number The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA).
selfStorageBucketPath String The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS).

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes/testindex' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "name": "testindex",
   "datatype": "event",
   "searchableDays": 90,
   "maxDataSizeMB": 1024,
   "totalEventCount": "0",
   "totalRawSizeMB": "0"
}

PATCH

Update an existing index.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
name String The name of the index.
searchableDays Number Number of days the index is searchable.
maxDataSizeMB Number The maximum size of the index in megabytes.
splunkArchivalRetentionDays Number The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA). Specifying this value enables DDAA, or modifies the archive retention period value for an index already enabled with DDAA.
selfStorageBucketPath String The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS). Specifying this value enables DDSS, or modifies the self-storage location for an index already configured with DDSS. Note: Before you can create an index with DDSS enabled, you must configure a self-storage location for your deployment.


Returned values
None

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/lighthearted-lemur-23e/adminconfig/v2/indexes/testindex' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--data-raw '{
   "searchableDays": 90,
   "maxDataSizeMB": 1024
}'

JSON Response

{
   "name": "testindex",
   "datatype": "event",
   "searchableDays": 90,
   "maxDataSizeMB": 1024,
   "totalEventCount": "0",
   "totalRawSizeMB": "0"
}

DELETE

Delete an index.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
name String The name of the index.


Returned values
None


Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/lighthearted-lemur-23e/adminconfig/v2/indexes/testindex' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
"code": "200"
}

Manage limits.conf configurations

The ACS API provides the following endpoints to manage limits.conf configurations. ACS API operations apply to a subset of editable limits.conf settings only. For more information on how to manage limits.conf configurations using the ACS API, see Manage limits.conf configurations in Splunk Cloud Platform.

ACS endpoints for managing limits.conf apply to deployments on Victoria Experience only. See Determine your Splunk Cloud Platform Experience.

limits

https://admin.splunk.com/{stack}/adminconfig/v2/limits

List all limits.conf settings.


GET

List all limits.conf settings.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
Stanza String Name of limits.conf stanza.
Values String Limits.conf settings and current values.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

[{"Stanza":"join","Values":{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}},{"Stanza":"kv","Values":{"limit":"100","maxchars":"182"}},{"Stanza":"subsearch","Values":{"maxout":"10000","maxtime":"60"}}]

limits/{stanza}

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}

List and edit limits.conf settings under a stanza.


GET

List limits.conf settings under a stanza.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
stanza String Name of limits.conf stanza.


Returned values

Name Type Description
settings String Limits.conf settings and values under the stanza.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}

POST

Edit limits.conf settings.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
stanza String Name of limits.conf stanza.
settings String Limits.conf settings and modified values under the stanza.


Returned values

Name Type Description
settings String Limits.conf settings and values under the stanza.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "settings": {
        "subsearch_maxout": 91519,
        "subsearch_maxtime": 111
    }
}'

JSON Response

{"settings":{"subsearch_maxout":91519,"subsearch_maxtime":111}}

limits/{stanza}/{setting}

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/{setting}

List a specific limits.conf setting under a stanza.


GET

List a specific limits.conf setting under a stanza.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
stanza String Name of limits.conf stanza.
setting String Name of limits.conf setting.


Returned values

Name Type Description
setting String Limits.conf setting and value.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join/subsearch_maxout' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{"subsearch_maxout":"91519"}

limits/defaults

https://admin.splunk.com/{stack}/adminconfig/v2/limits/defaults

List all supported stanzas and default values for all settings within each stanza.


GET

List all supported limits.conf stanzas and default settings.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
stanza String Name of limits.conf stanza.
settings String limits.conf settings and their default values.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/defaults' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

[
	{
		"stanza": "join",
		"settings": [
			{
				"setting": "subsearch_maxout",
				"minValue": 0,
				"maxValue": 100000,
				"defaultValue": 50000
			},
			{
				"setting": "subsearch_maxtime",
				"minValue": 0,
				"maxValue": 120,
				"defaultValue": 60
			},
			{
				"setting": "subsearch_timeout",
				"minValue": 0,
				"maxValue": 240,
				"defaultValue": 120
			}
		]
	},
    ...
]

limits/{stanza}/defaults

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/defaults

List default values for settings in a specific stanza.


GET

List default values for settings in a specific limits.conf stanza.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
stanza String Name of limits.conf stanza.


Returned values

Name Type Description
stanza String Name of limits.conf stanza.
settings String limits.conf settings and their default values.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/subsearch/defaults' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{
	"stanza": "subsearch",
	"settings": [
		{
			"setting": "maxout",
			"minValue": 0,
			"maxValue": 10400,
			"defaultValue": 10000
		},
		{
			"setting": "maxtime",
			"minValue": 0,
			"maxValue": 120,
			"defaultValue": 60
		}
	]
}
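The limits/defaults responses above publish a minValue, maxValue and defaultValue for every editable setting. The following is an added example, not Splunk's code: a pre-flight check that validates a proposed POST limits/{stanza} body against those bounds and reports which current settings have drifted from their defaults. The sample documents are constructed from the responses shown in this section, the function names are hypothetical, and treating the bounds as inclusive is an assumption.

```python
import json
import re

# Constructed sample: GET limits/defaults body, using the values shown above.
DEFAULTS_JSON = """[
 {"stanza": "join", "settings": [
   {"setting": "subsearch_maxout", "minValue": 0, "maxValue": 100000, "defaultValue": 50000},
   {"setting": "subsearch_maxtime", "minValue": 0, "maxValue": 120, "defaultValue": 60},
   {"setting": "subsearch_timeout", "minValue": 0, "maxValue": 240, "defaultValue": 120}]},
 {"stanza": "subsearch", "settings": [
   {"setting": "maxout", "minValue": 0, "maxValue": 10400, "defaultValue": 10000},
   {"setting": "maxtime", "minValue": 0, "maxValue": 120, "defaultValue": 60}]}
]"""

# Constructed sample: GET limits body. Current values are returned as strings.
CURRENT_JSON = """[
 {"Stanza": "join", "Values": {"subsearch_maxout": "91519", "subsearch_maxtime": "111",
                               "subsearch_timeout": "120"}},
 {"Stanza": "subsearch", "Values": {"maxout": "10000", "maxtime": "60"}}
]"""

_INT_RE = re.compile(r"-?[0-9]+")


def load_bounds(defaults_doc):
    """Index limits/defaults as {stanza: {setting: (min, max, default)}}."""
    return {
        entry["stanza"]: {
            s["setting"]: (s["minValue"], s["maxValue"], s["defaultValue"])
            for s in entry["settings"]
        }
        for entry in defaults_doc
    }


def to_int(value):
    """Accept 91519 or "91519"; reject booleans, floats and non-numeric text."""
    if isinstance(value, bool):
        raise ValueError("boolean is not a limit value")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and _INT_RE.fullmatch(value.strip()):
        return int(value.strip())
    raise ValueError(f"not an integer: {value!r}")


def validate_change(bounds, stanza, settings):
    """Return a list of problems with a proposed {"settings": {...}} body (empty = OK)."""
    if stanza not in bounds:
        return [f"{stanza}: stanza is not listed by limits/defaults"]
    errors = []
    for name, raw in settings.items():
        if name not in bounds[stanza]:
            errors.append(f"{stanza}/{name}: unknown setting")
            continue
        low, high, _default = bounds[stanza][name]
        try:
            value = to_int(raw)
        except ValueError as exc:
            errors.append(f"{stanza}/{name}: {exc}")
            continue
        # Assumption: minValue and maxValue are inclusive bounds.
        if not low <= value <= high:
            errors.append(f"{stanza}/{name}: {value} outside {low}..{high}")
    return errors


def drift_report(bounds, current_doc):
    """List (stanza, setting, current, default) where current differs from default."""
    drift = []
    for entry in current_doc:
        stanza = entry["Stanza"]
        for name, raw in entry["Values"].items():
            known = bounds.get(stanza, {}).get(name)
            if known is None:
                continue  # setting not described by limits/defaults
            value = to_int(raw)
            if value != known[2]:
                drift.append((stanza, name, value, known[2]))
    return drift


if __name__ == "__main__":
    b = load_bounds(json.loads(DEFAULTS_JSON))
    print(validate_change(b, "subsearch", {"maxout": 20000}))
    for row in drift_report(b, json.loads(CURRENT_JSON)):
        print(row)
```
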

limits/{stanza}/reset

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/reset

Reset a specific setting or all settings under a stanza.


POST

Reset a specific setting or all settings under a stanza.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
stanza String Name of limits.conf stanza.
setting String Specific limits.conf setting to reset (specify in request body)


Returned values

Name Type Description
settings String Limits.conf settings reset to default values

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join/reset' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{"settings":{"subsearch_maxout":50000,"subsearch_maxtime":60,"subsearch_timeout":120}}

Manage private apps and Splunkbase apps (Victoria Experience)

The ACS API provides the following endpoints to manage private apps and Splunkbase apps. For more information on how to manage private apps using the ACS API, see Manage private apps in Splunk Cloud Platform. For more information on how to manage Splunkbase apps using the ACS API, see Manage Splunkbase apps in Splunk Cloud Platform.

The following ACS endpoints for managing private apps and Splunkbase apps apply to deployments on Victoria Experience only. See Determine your Splunk Cloud Platform Experience.

apps/victoria

https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria

List and install apps (Victoria Experience).

Authentication and authorization

  • All GET and POST operations for this endpoint require a JWT authentication token.
  • POST operations to install private apps also require an AppInspect authentication token and a legal acknowledgement that you accept risk for unsupported apps. For more information, see Manage private apps using the ACS API on Victoria Experience.
  • POST operations to install Splunkbase apps also require a Splunkbase session ID and the Splunkbase app license URL. For more information, see Manage Splunkbase apps using the ACS API.

GET

List apps.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.
splunkbase Boolean Specify splunkbase=true to list Splunkbase apps only. Specify splunkbase=false to list non-Splunkbase apps only. If you do not specify this parameter, ACS lists all apps.


Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID Number The Splunkbase app ID number

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…'

JSON Response

{
   "apps": [
       {
           "label": "075-cloudworks",
           "name": "075-cloudworks",
           "status": "installed",
           "version": ""
       },
       {
           "label": "100-cloudworks-wlm",
           "name": "100-cloudworks-wlm",
           "status": "installed",
           "version": ""
       },


       {
           "label": "tos",
           "name": "tos",
           "status": "installed",
           "version": ""
       }
   ]
}

POST

Install an app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbase Boolean You must specify splunkbase=true to install Splunkbase apps.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response (install private app)

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria' \
--header 'X-Splunk-Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9…' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-binary '@/Users/croth/Downloads/pa1v20.tar.gz'

JSON Response

{
   "label": "pa1",
   "name": "pa1",
   "status": "installed",
   "version": "1.2.2"
}


Example request and response (install Splunkbase app)

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria?splunkbase=true' \
--header 'X-Splunkbase-Authorization: bgf4ztyxcgssgcbdrhguzl0xgousxzcq' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'ACS-Licensing-Ack: http://opensource.org/licenses/ISC' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-urlencode 'splunkbaseID=491'

JSON Response

{
   "appID": "SplunkforPaloAltoNetworks",
   "label": "Palo Alto Networks App for Splunk",
   "name": "SplunkforPaloAltoNetworks",
   "splunkbaseID": "491",
   "status": "processing",
   "version": "7.0.4"
}

apps/victoria/{app_name}

https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/{app_name}

Describe and uninstall apps. Upgrade or downgrade Splunkbase apps. (Victoria Experience)

Authentication and authorization

  • All GET, PATCH, and DELETE operations for this endpoint require a JWT authentication token.
  • PATCH operations to upgrade or downgrade Splunkbase apps also require a Splunkbase session ID and the Splunkbase app license URL. For more information, see Manage Splunkbase apps using the ACS API.

GET

Describe an app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.


Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "label": "testapp",
   "name": "testapp",
   "status": "installed",
   "version": ""
}

PATCH

Upgrade or downgrade a Splunkbase app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbase Boolean You must specify splunkbase=true in the request URL to upgrade Splunkbase apps.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/SplunkforPaloAltoNetworks' \
--header 'X-Splunkbase-Authorization: bgf4ztyxcgssgcbdrhguzl0xgousxzcq' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'ACS-Licensing-Ack: http://opensource.org/licenses/ISC' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-urlencode 'version=7.0.3'

JSON Response

{
   "appID": "SplunkforPaloAltoNetworks",
   "label": "Palo Alto Networks App for Splunk",
   "name": "SplunkforPaloAltoNetworks",
   "splunkbaseID": "491",
   "status": "processing",
   "version": "7.0.3"
}

DELETE

Uninstall an app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.


Returned values
None


Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response
None


Manage private apps and Splunkbase apps (Classic Experience)

apps

https://admin.splunk.com/{stack}/adminconfig/v2/apps

List and install apps (Classic Experience).

Authentication and authorization


GET

List apps.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.
splunkbase Boolean Specify splunkbase=true to list Splunkbase apps only. Specify splunkbase=false to list non-Splunkbase apps only. If you do not specify this parameter, ACS lists all apps.


Returned values

Name Type Description
label String The app label.
name String The app name.
package String The app installation package.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID Number The Splunkbase app ID number

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps?count=100' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…'

JSON Response

{
   "apps": []
}

POST

Install an app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbase Boolean You must specify splunkbase=true to install Splunkbase apps.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.


Returned values

Name Type Description
label String The app label.
name String The app name.
package String The app installation package.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/apps' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--form 'token="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9…"' \
--form 'package=@"/Users/{name}/app_inspect/testapp.tar.gz"'

JSON Response

{
   "label": "testapp",
   "name": "testapp",
   "package": "testapp.tar.gz",
   "status": "installed",
   "version": "1.0.31"
}

apps/{app_name}

https://admin.splunk.com/{stack}/adminconfig/v2/apps/{app_name}

Describe, upgrade, and uninstall apps (Classic Experience).

Authentication and authorization

  • All GET, PATCH, and DELETE operations for this endpoint require a JWT authentication token.
  • PATCH operations to upgrade or downgrade Splunkbase apps also require a Splunkbase session ID and the Splunkbase app license URL. For more information, see Upgrade a Splunkbase app on Classic Experience.

GET

Describe an app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.


Returned values

Name Type Description
label String The app label.
name String The app name.
package String The app installation package.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "label": "testapp",
   "name": "testapp",
   "package": "testapp.tar.gz",
   "status": "installed",
   "version": ""
}


PATCH

Upgrade a Splunkbase app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/SplunkforPaloAltoNetworks' \
--header 'X-Splunkbase-Authorization: bgf4ztyxcgssgcbdrhguzl0xgousxzcq' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'ACS-Licensing-Ack: http://opensource.org/licenses/ISC' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-urlencode 'splunkbaseID=491'

JSON Response

{
   "appID": "SplunkforPaloAltoNetworks",
   "label": "Palo Alto Networks App for Splunk",
   "name": "SplunkforPaloAltoNetworks",
   "splunkbaseID": "491",
   "status": "processing",
   "version": "7.0.3"
}

DELETE

Uninstall an app.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.


Returned values
None


Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…'

JSON Response

{
"code": "200"
}

Manage restarts

For instructions on how to target a specific search head or search head cluster for restart operations, see Target a specific search head for ACS operations.

restart-now

https://admin.splunk.com/{stack}/adminconfig/v2/restart-now

Initiate a restart of the search head tier in Splunk Cloud Platform.

POST

Initiate a restart of a single search head or a rolling restart of a search head cluster.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

None

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/restart-now' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
    "message": "Successfully initiated a server restart. It might take some time for completion"
}

restart/status

https://admin.splunk.com/{stack}/adminconfig/v2/restart/status

Check status of search head cluster rolling restart.

The restart/status endpoint applies to search head cluster rolling restarts only. The endpoint does not work with non-clustered search heads.


GET

Check status of search head cluster rolling restart.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
rollingRestartInitiated Boolean A value of "true" means a rolling restart is in progress.
serviceReady Boolean A value of "true" means all cluster members have successfully restarted.
captain String URL prefix of the current search head cluster captain.

Example request and response

JSON Request

curl https://admin.splunk.com/{stack}/adminconfig/v2/restart/status \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
    "shcStatus": [
        {
            "captain": "sh-i-..",
            "rollingRestartInitiated": true,
            "serviceReady": false
        }
    ]
}

Retry failed operations

deployment/status

https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status

Check the status of the latest operation in Splunk Cloud Platform.


GET

Check the status of the latest operation in Splunk Cloud Platform.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
id String The latest deployment ID on the stack.
timestamp String The time at which the latest operation was initiated.
status String The status of the latest operation.

Example request and response

JSON Request

curl https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
   "lastDeployment": {
       "id": "AD11DDF4-B13B-4EDC-9B4F-A5FF539CD196",
       "timestamp": "6/16/2023, 11:31:22 AM",
       "status": "failed"
   }
}

deployment/retry

https://admin.splunk.com/{stack}/adminconfig/v2/deployment/retry

Retry a failed operation in Splunk Cloud Platform.

ACS supports retry for private app installation and HEC token management operations only.

POST

Retry a failed private app installation or HEC token management operation.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.


Returned values

Name Type Description
id String The new deployment ID of the retried operation.
timestamp String The time at which the retry operation was initiated.
status String The status of the retry operation.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/deployment/retry' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1...'

JSON Response

{
   "id": "30D3BC03-11AC-4A16-88F7-7924735638ED",
   "timestamp": "6/16/2023, 11:31:22 AM",
   "status": "new"
}

deployment/status/{deploymentID}

https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status/{deploymentID}

Check the status of an operation in Splunk Cloud Platform.


GET

Check the status of a retry or other operation by deployment ID in Splunk Cloud Platform.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
deploymentID String The deployment ID of the operation for which you want to check status.


Returned values

Name Type Description
id String The deployment ID specified in the request.
timestamp String The time at which the operation specified by the deployment ID was initiated.
status String The status of the operation specified by the deployment ID.

Example request and response

JSON Request

curl https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status/{deploymentID} \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
   "lastDeployment": {
       "id": "AD11DDF4-B13B-4EDC-9B4F-A5FF539CD196",
       "timestamp": "6/16/2023, 11:31:22 AM",
       "status": "running"
   }
}
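The three deployment endpoints above chain into one workflow: read the latest status, retry if it failed, then follow the new deployment ID. The following is an added example, not Splunk's code. The function names and the ACS_STACK and ACS_TOKEN environment variables are hypothetical, and treating any status other than "new" or "running" as final is an assumption, because the page shows only "failed", "new" and "running".

```python
import json
import os
import time
import urllib.request

BASE = "https://admin.splunk.com/{stack}/adminconfig/v2"
IN_PROGRESS = {"new", "running"}  # assumption: every other status is final


def acs_call(method, url, token):
    """Send one ACS request with a bearer token and return the decoded JSON body."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def retry_last_failed(stack, token, call=acs_call, poll_seconds=15,
                      max_polls=40, sleep=time.sleep):
    """Retry the latest operation if it failed, then follow the new deployment ID."""
    base = BASE.format(stack=stack)
    last = call("GET", f"{base}/deployment/status", token)["lastDeployment"]
    if last["status"] != "failed":
        return last  # nothing to retry
    # deployment/retry returns a flat object (id, timestamp, status),
    # while the status endpoints wrap the same fields in "lastDeployment".
    retried = call("POST", f"{base}/deployment/retry", token)
    dep = retried
    for _ in range(max_polls):
        if dep["status"] not in IN_PROGRESS:
            return dep
        sleep(poll_seconds)
        dep = call("GET", f"{base}/deployment/status/{retried['id']}",
                   token)["lastDeployment"]
    raise TimeoutError(f"deployment {retried['id']} still {dep['status']}")


if __name__ == "__main__":
    # Read the token from the environment so it stays out of argv and shell history.
    print(retry_last_failed(os.environ["ACS_STACK"], os.environ["ACS_TOKEN"]))
```
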

View maintenance windows

maintenance-windows/schedules

https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules

List maintenance windows.


GET

List multiple scheduled maintenance windows.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
fromTime String The earliest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or in RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).
toTime String The latest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or in RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).
count Number The number of maintenance windows to list.
nextLink String Start time of the next scheduled maintenance window relative to the maintenance window count. A value of null indicates there are no more maintenance windows. UTC is the default timezone.


Returned values

Name Type Description
duration String Scheduled length of time for the maintenance window.
lastModifiedTimestamp String The time of the last update to a maintenance window information response field (for example, change of status, change of description, and so on).
mwType String The maintenance window type (purpose). It can have one of the following values:

1. Service update
2. Routine Maintenance
3. Emergency Maintenance
4. Customer Initiated Change

operationType String Type of operation/upgrade performed as part of this maintenance.
operationStatus String Current status of the operation.
startTime String The start time of the operation.
endTime String The end time of the operation.
scheduleId String The scheduled maintenance window ID.
scheduleStartTimestamp String Maintenance window start time.
status String Maintenance window status.
nextLink String Start time of the next scheduled maintenance window relative to the maintenance window count. A value of null indicates there are no more maintenance windows. UTC is the default timezone.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules?fromTime=2022-08-09&toTime=2022-08-14&nextLink=2022-08-21T04:00:00Z&count=1' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsu …'

JSON Response

{
   "nextLink": "2022-08-21T04:00:00Z",
   "schedules": [
       {
           "duration": "2h",
           "lastModifiedTimestamp": "2022-11-16T19:09:53Z",
           "lastSummary": "Customer requested upgrade",
           "mwType": "Service Update",
           "operations": [
               {
                   "SFDCTickets": [
                       "string"
                   ],
                   "endTime": "2022-04-20T05:00:00Z",
                   "notes": [
                       "string"
                   ],
                   "operationDescription": "string",
                   "operationStatus": "Tentative",
                   "operationType": "Splunk Upgrade",
                   "startTime": "2022-09-20T04:00:00Z",
                   "targetVersion": "string"
               }
           ],
           "requestedEntity": "splunk",
           "scheduleId": "1e4729b4-11d0-4165-a886-a21cce7139f2",
           "scheduleStartTimestamp": "2022-08-21T04:00:00Z",
           "status": "Tentative"
       }
   ]
}
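The count and nextLink parameters page through the schedule list: each response's nextLink goes into the next request until the value is null. The following is an added example, not Splunk's code. The function names are hypothetical, and the guard against a repeated nextLink is a defensive assumption rather than documented behavior.

```python
import json
import urllib.parse
import urllib.request

URL = "https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules"


def fetch_page(stack, token, params):
    """GET one page of maintenance windows; params become the query string."""
    url = URL.format(stack=stack) + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_windows(stack, token, from_time, to_time, count=10, fetch=fetch_page):
    """Collect every schedule in the range by following nextLink until it is null."""
    params = {"fromTime": from_time, "toTime": to_time, "count": count}
    seen_links, schedules = set(), []
    while True:
        page = fetch(stack, token, dict(params))
        schedules.extend(page.get("schedules") or [])
        link = page.get("nextLink")
        if link is None:        # null: no more maintenance windows
            return schedules
        if link in seen_links:  # cursor did not advance; fail instead of looping
            raise RuntimeError(f"nextLink repeated: {link}")
        seen_links.add(link)
        params["nextLink"] = link


def upcoming_upgrades(schedules):
    """Return (scheduleStartTimestamp, targetVersion) per 'Splunk Upgrade' operation."""
    return [(s["scheduleStartTimestamp"], op.get("targetVersion"))
            for s in schedules
            for op in s.get("operations", [])
            if op.get("operationType") == "Splunk Upgrade"]
```
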

maintenance-windows/schedules/{scheduleId}

https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}

Describe individual maintenance windows.


GET

Describe a specific scheduled maintenance window.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
scheduleId String The scheduled maintenance window ID.


Returned values

Name Type Description
duration String Scheduled length of time for the maintenance window.
lastModifiedTimestamp String The time of the last update to a maintenance window information response field (for example, change of status, change of description, and so on).
mwType String The maintenance window type (purpose). It can have one of the following values:

1. Service update
2. Routine Maintenance
3. Emergency Maintenance
4. Customer Initiated Change

operationType String Type of operation/upgrade performed as part of this maintenance.
operationStatus String Current status of the operation.
startTime String The start time of the operation.
endTime String The end time of the operation.
scheduleId String The scheduled maintenance window ID.
scheduleStartTimestamp String Maintenance window start time.
status String Maintenance window status.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsu …'

JSON Response

{
   "duration": "2h",
   "lastModifiedTimestamp": "2022-11-16T19:09:53Z",
   "lastSummary": "Customer requested upgrade",
   "mwType": "Service Update",
   "operations": [
       {
           "SFDCTickets": [
               "string"
           ],
           "endTime": "2022-04-20T05:00:00Z",
           "notes": [
               "string"
           ],
           "operationDescription": "string",
           "operationStatus": "Tentative",
           "operationType": "Splunk Upgrade",
           "startTime": "2022-04-20T04:00:00Z",
           "targetVersion": "string"
       }
   ],
   "requestedEntity": "splunk",
   "scheduleId": "14479cd5-8ada-41f0-92c4-d234e9124569",
   "scheduleStartTimestamp": "2022-08-13T04:00:00Z",
   "status": "Tentative"
}

maintenance-windows/schedules/{scheduleId}/audits

https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}/audits

Audit maintenance windows.


GET

View audit trail of a specified maintenance window.


Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
scheduleId String The scheduled maintenance window ID.
fromTime String The earliest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or in RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).
toTime String The latest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or in RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).


Returned values

Name Type Description
duration String Scheduled length of time for the maintenance window.
lastModifiedTimestamp String The time of the last update to a maintenance window information response field (for example, change of status, change of description, and so on).
mwType String The maintenance window type (purpose). It can have one of the following values:

1. Service update
2. Routine Maintenance
3. Emergency Maintenance
4. Customer Initiated Change

operationType String Type of operation/upgrade performed as part of this maintenance.
operationStatus String Current status of the operation.
startTime String The start time of the operation.
endTime String The end time of the operation.
scheduleId String The scheduled maintenance window ID.
scheduleStartTimestamp String Maintenance window start time.
status String Maintenance window status.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}/audits?fromTime=2022-08-09&toTime=2022-08-14' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsu …'

JSON Response

{
   "audits": [
       {
           "duration": "2h0m0s",
           "lastModifiedTimestamp": "2022-11-01T18:09:25Z",
           "lastSummary": "",
           "mwType": "Service Update",
           "operations": [
               {
                   "operationDescription": "Splunk version upgrade to latest/stable release",
                   "operationStatus": "Completed",
                   "operationType": "SplunkUpgrade",
                   "targetVersion": "9.0.2209.1"
               }
           ],
           "requestedEntity": "Splunk",
           "scheduleId": "66e20f3f-aea2-4096-982f-7f93a6979872",
           "scheduleStartTimestamp": "2022-10-14T04:00:00Z",
           "status": "Completed"
       },
       {
           "duration": "2h0m0s",
           "lastModifiedTimestamp": "2022-10-11T18:09:25Z",
           "lastSummary": "",
           "mwType": "Service Update",
           "operations": [
               {
                   "operationDescription": "Splunk version upgrade to latest/stable release",
                   "operationStatus": "Completed",
                   "operationType": "SplunkUpgrade",
                   "targetVersion": "9.0.2209.1"
               }
           ],
           "requestedEntity": "Splunk",
           "scheduleId": "66e20f3f-aea2-4096-982f-7f93a6979872",
           "scheduleStartTimestamp": "2022-10-14T04:00:00Z",
           "status": "Completed"
       }
   ]
}

Last modified on 26 January, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312

