Manage indexes on Splunk Cloud Platform Classic Experience
Splunk Cloud Platform Classic Experience now provides full support for managing indexes programmatically using the ACS (Admin Config Service) API. For more information, see Manage indexes in Splunk Cloud Platform in the Admin Config Service Manual.
If your Splunk Cloud Platform deployment is on Classic Experience, you can manage your indexes programmatically using the Splunk REST API cluster_blaster_indexes/sh_indexes_manager endpoint.
To determine if your Splunk Cloud Platform deployment is on Classic Experience:
- In Splunk Web, click Support & Services > About.
- In the About panel, under Splunk Cloud, find your Experience: Classic or Victoria.
For more information on Splunk Cloud Platform Experiences, see Determine your Splunk Cloud Platform Experience.
Requirements
- Splunk Cloud Platform version 8.0.2007 or higher.
- You must have the sc_admin (Splunk Cloud Administrator) role.
Authentication and authorization
There are two methods you can use to authenticate and authorize endpoint requests:
- Authentication token. You can create a valid JWT authentication token in the Splunk Cloud Platform UI.
- Username and password.
For more information on authentication and authorization, see Basic Concepts about the Splunk platform REST API in the Splunk Enterprise REST API User Manual.
Manage indexes
You can perform the following index management actions on Splunk Cloud Platform deployments running on Classic Experience.
List all indexes
To list all indexes, send an HTTP GET request to the following endpoint:
localhost:8089/services/cluster_blaster_indexes/sh_indexes_manager
For example (the -k option tells curl to skip TLS certificate verification):
curl -k -H "Authorization: Bearer ${TOKEN}" "https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json"
The request output lists existing indexes, including configuration parameter values for each index. For example:
{
  "links": {
    "create": "/services/cluster_blaster_indexes/sh_indexes_manager/_new",
    "disabled": "/services/cluster_blaster_indexes/sh_indexes_manager/disabled"
  },
  "origin": "https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager",
  "updated": "2021-10-06T22:44:52+00:00",
  "generator": {"build": "2e4da17c2b37", "version": "8.2.2107"},
  "entry": [
    {
      "name": "christian",
      "id": "https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian",
      "updated": "1970-01-01T00:00:00+00:00",
      ...
      "content": {
        "archiver.enableDataArchive": "0",
        "archiver.maxDataArchiveRetentionPeriod": "315360000",
        "datatype": "event",
        "disabled": "0",
        "eai:acl": null,
        "eai:acl.app": "cloud_administration",
        "eai:acl.appDisplayName": "_cluster_admin",
        "frozenTimePeriodInSecs": "30000",
        "isS2Mode": "true",
        "isVirtual": "0",
        "maxGlobalDataSizeMB": "0",
        "maxGlobalRawDataSizeMB": "5000",
        "maxTotalDataSizeMB": "0",
        "metric.timestampResolution": "s",
        "totalEventCount": "0",
        "totalRawSizeMB": "0"
      }
    },
    {
      "name": "cryt",
      "id": "https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/cryt",
      "updated": "1970-01-01T00:00:00+00:00",
      ...
  "messages": []
}
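One use of the list response above is a retention audit. The following is an added example, not part of the Splunk documentation: it parses a response of that shape and reports indexes that are disabled or whose frozenTimePeriodInSecs is below a minimum. The 90-day threshold, the function name audit_indexes and the sample entries other than "christian" are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the list response above, trimmed to the fields used.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "christian", "content": {"datatype": "event", "disabled": "0",
                                          "frozenTimePeriodInSecs": "30000",
                                          "maxGlobalRawDataSizeMB": "5000"}},
        {"name": "audit_long", "content": {"datatype": "event", "disabled": "0",
                                           "frozenTimePeriodInSecs": "31536000",
                                           "maxGlobalRawDataSizeMB": "0"}},
        {"name": "broken", "content": {"datatype": "event", "disabled": "1"}},
    ]
})

MIN_RETENTION_SECS = 90 * 24 * 3600  # assumed policy: keep events at least 90 days


def audit_indexes(response_text, min_retention_secs=MIN_RETENTION_SECS):
    """Return (index_name, finding) tuples for indexes that violate the policy."""
    findings = []
    for entry in json.loads(response_text).get("entry", []):
        name = entry.get("name", "<unnamed>")
        content = entry.get("content") or {}
        if content.get("disabled") == "1":
            findings.append((name, "index is disabled"))
        raw = content.get("frozenTimePeriodInSecs")
        try:
            retention = int(raw)  # the sample response carries numbers as strings
        except (TypeError, ValueError):
            findings.append((name, "frozenTimePeriodInSecs missing or not numeric"))
            continue
        if retention < min_retention_secs:
            findings.append((name, f"retention {retention}s is below {min_retention_secs}s"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_indexes(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
```

To audit a live deployment, pass the body returned by the GET request with output_mode=json to audit_indexes.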
Create a new index
To create a new index, send an HTTP POST request to the cluster_blaster_indexes/sh_indexes_manager endpoint, specifying the following index parameters: name, maxTotalDataSizeMB, frozenTimePeriodInSecs, and maxGlobalRawDataSizeMB. For example:
curl -k -H "Authorization: Bearer ${TOKEN}" https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager -d name=my_name -d maxTotalDataSizeMB=500 -d frozenTimePeriodInSecs=30000 -d maxGlobalRawDataSizeMB=6000
Sample request output:
...
<title></title>
<id>https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager</id>
<updated>2021-10-06T22:38:13+00:00</updated>
<generator build="2e4da17c2b37" version="8.2.2107"/>
<author>
  <name>Splunk</name>
</author>
<link href="/services/cluster_blaster_indexes/sh_indexes_manager/_new" rel="create"/>
<link href="/services/cluster_blaster_indexes/sh_indexes_manager/disabled" rel="disabled"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
View an individual index
To view an individual index, send an HTTP GET request to the cluster_blaster_indexes/sh_indexes_manager/{name} endpoint, specifying the name of the index. For example:
curl -k -H "Authorization: Bearer ${TOKEN}" https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager/christian
Sample request output:
...
  <title>christian</title>
  <id>https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian</id>
  <updated>1970-01-01T00:00:00+00:00</updated>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="alternate"/>
  <author>
    <name>system</name>
  </author>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="list"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="edit"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="remove"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/clean" rel="clean"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="archiver.enableDataArchive">0</s:key>
      <s:key name="archiver.maxDataArchiveRetentionPeriod">315360000</s:key>
      <s:key name="datatype">event</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">cloud_administration</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">0</s:key>
          <s:key name="owner">system</s:key>
          <s:key name="perms"/>
          <s:key name="removable">0</s:key>
          <s:key name="sharing">system</s:key>
        </s:dict>
      </s:key>
      <s:key name="eai:acl.app">cloud_administration</s:key>
      <s:key name="eai:acl.appDisplayName">_cluster_admin</s:key>
      <s:key name="eai:attributes">
        <s:dict>
          <s:key name="optionalFields">
            <s:list>
              <s:item>datatype</s:item>
              <s:item>maxGlobalDataSizeMB</s:item>
              <s:item>maxTotalDataSizeMB</s:item>
              <s:item>metric.timestampResolution</s:item>
            </s:list>
          </s:key>
          <s:key name="requiredFields">
            <s:list>
              <s:item>frozenTimePeriodInSecs</s:item>
              <s:item>maxGlobalRawDataSizeMB</s:item>
            </s:list>
          </s:key>
          <s:key name="wildcardFields">
            <s:list>
              <s:item>archiver\..*</s:item>
            </s:list>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="frozenTimePeriodInSecs">30000</s:key>
      <s:key name="isS2Mode">true</s:key>
      <s:key name="isVirtual">0</s:key>
      <s:key name="maxGlobalDataSizeMB">0</s:key>
      <s:key name="maxGlobalRawDataSizeMB">5000</s:key>
      <s:key name="maxTotalDataSizeMB">0</s:key>
      <s:key name="metric.timestampResolution">s</s:key>
      <s:key name="totalEventCount">0</s:key>
      <s:key name="totalRawSizeMB">0</s:key>
    </s:dict>
  </content>
</entry>
Update an index
To update an index, send an HTTP POST request to the cluster_blaster_indexes/sh_indexes_manager/{name} endpoint, specifying the name of the index you want to update, along with the updated index parameter values. The POST request supports updates to the maxTotalDataSizeMB, frozenTimePeriodInSecs, and maxGlobalRawDataSizeMB parameters. For example:
curl -k -H "Authorization: Bearer ${TOKEN}" -X 'POST' https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager/christian -d maxTotalDataSizeMB=500 -d frozenTimePeriodInSecs=30000 -d maxGlobalRawDataSizeMB=6000
Sample request output:
...
<entry>
  <title>christian</title>
  <id>https://agile-albatross-4ej.stg.splunkcloud.com:8089/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian</id>
  <updated>1970-01-01T00:00:00+00:00</updated>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="alternate"/>
  <author>
    <name>system</name>
  </author>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="list"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="edit"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian" rel="remove"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/clean" rel="clean"/>
  <link href="/servicesNS/nobody/cloud_administration/cluster_blaster_indexes/sh_indexes_manager/christian/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="archiver.enableDataArchive">0</s:key>
      <s:key name="archiver.maxDataArchiveRetentionPeriod">315360000</s:key>
      <s:key name="datatype">event</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">cloud_administration</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">0</s:key>
          <s:key name="owner">system</s:key>
          <s:key name="perms"/>
          <s:key name="removable">0</s:key>
          <s:key name="sharing">system</s:key>
        </s:dict>
      </s:key>
      <s:key name="eai:acl.app">cloud_administration</s:key>
      <s:key name="eai:acl.appDisplayName">_cluster_admin</s:key>
      <s:key name="frozenTimePeriodInSecs">70000</s:key>
      <s:key name="isS2Mode">true</s:key>
      <s:key name="isVirtual">0</s:key>
      <s:key name="maxGlobalDataSizeMB">0</s:key>
      <s:key name="maxGlobalRawDataSizeMB">6000</s:key>
      <s:key name="maxTotalDataSizeMB">0</s:key>
      <s:key name="metric.timestampResolution">s</s:key>
      <s:key name="totalEventCount">0</s:key>
      <s:key name="totalRawSizeMB">0</s:key>
    </s:dict>
  </content>
</entry>
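Because an update can shorten retention, it helps to check a change before sending it. The following is an added example, not part of the Splunk documentation: it accepts only the three parameters listed above as updatable, rejects negative or non-numeric values, builds the form body for the POST, and warns when frozenTimePeriodInSecs would decrease. The function name plan_update and the warning text are assumptions made for illustration.

```python
from urllib.parse import urlencode

# The three parameters the page says an update POST supports.
UPDATABLE = ("maxTotalDataSizeMB", "frozenTimePeriodInSecs", "maxGlobalRawDataSizeMB")


def plan_update(current, changes):
    """Validate `changes` against `current` content; return (form_body, warnings)."""
    unsupported = sorted(set(changes) - set(UPDATABLE))
    if unsupported:
        raise ValueError(f"not updatable through this endpoint: {unsupported}")
    body, warnings = {}, []
    for key in UPDATABLE:
        if key not in changes:
            continue
        new = int(changes[key])          # raises ValueError on non-numeric input
        if new < 0:
            raise ValueError(f"{key} must not be negative")
        old = int(current.get(key, 0))
        if new == old:
            continue                     # unchanged value, nothing to send
        if key == "frozenTimePeriodInSecs" and new < old:
            warnings.append(f"retention shrinks from {old}s to {new}s")
        body[key] = new
    return urlencode(body), warnings


# Constructed input: current values as shown for the sample "christian" index.
CURRENT = {"maxTotalDataSizeMB": "0", "frozenTimePeriodInSecs": "30000",
           "maxGlobalRawDataSizeMB": "5000"}

if __name__ == "__main__":
    print(plan_update(CURRENT, {"frozenTimePeriodInSecs": 70000,
                                "maxGlobalRawDataSizeMB": 6000}))
    print(plan_update(CURRENT, {"frozenTimePeriodInSecs": "3600"}))
```

The returned form body is the data to send in the POST request; an empty body means no parameter would change.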
Delete an index
To delete an index, send an HTTP DELETE request to the cluster_blaster_indexes/sh_indexes_manager/{name} endpoint, specifying the name of the index you want to delete. For example:
curl -k -H "Authorization: Bearer ${TOKEN}" -X 'DELETE' https://agile-albatross-4ej.stg.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager/christian
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408