Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Splunk Stream REST API reference

This reference describes Splunk Stream REST API endpoints. Use these endpoints to extend the functionality and interact programmatically with Splunk Stream.

Stream REST API endpoint categories

The Splunk Stream REST API provides the following endpoint categories:

Category Description
Ping Return last app update status and API versions.
Streams Create, modify, and view stream configurations.
Stream forwarder groups Create, modify, and view Distributed Forwarder Management (DFM) groups.
Capture IP address Create and view a list of blocked and allowed IP addresses.
Indexers View list of available indexers.
HTTP inputs View list of available HTTP inputs.

Usage Details

Authentication and Authorization

Cookies and CSRF tokens are required for access to Splunk Stream endpoints and REST operations.

Base URL

http://localhost:8000/en-US/custom/splunk_app_stream

Sample header format

headers = {
    "Cookie": "splunkd_PORT=<splunkd_cookie>;splunkweb_csrf_token_PORT=<csrf_token>",
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest",
    "X-Splunk-Form-Key": "<csrf_token>"
}

Sample response format

{'status': '200', 'content-length': '329', 'x-content-type-options': 'nosniff', 'date': 'Fri, 20 Jan 2017 23:33:15 GMT', 'set-cookie':
'session_id_8000=4be31ce28b4b46b681fd909856497f58d919389c; expires=Sat, 21 Jan 2017 23:33:15 GMT; httponly; Path=/', 'x-frame-options': 
'SAMEORIGIN', 'content-type': 'text/json;charset=utf-8', 'connection': 'Close', 'vary': 'Cookie', 'server': 'Splunkd'}

How to generate tokens

If you are using curl follow these steps:

  1. Collect the "cval" set-cookie value:
    curl -c - -k http://localhost:8000/en-US/account/login
    

    Example response

    localhost FALSE /en-US/account/ FALSE 0 cval 1850823966
    localhost FALSE /en-US/account FALSE 1645485022 splunkweb_uid B0016BF4-2725-475F-9CEF-968387C83900
    
  2. Retrieve other tokens:
    curl -c - -k http://localhost:8000/en-US/account/login \
      -H "Cookie: cval=<cval_value>" \
      -d username=<splunk_web_username> \
      -d password=<splunk_web_password> \
      -d cval=<cval_value>
    

    Example response

    #HttpOnly_localhost FALSE / FALSE 1487808793 splunkd_8000 UDS7UqFb7Am8aHEOftYtluORlpiKom2BHf5P5H_34x2^7unZJy5xNJiNGlHNsrtoHnw6x18KKVDpCz0Qs3vgEFYFCcKsSYqpkJEtQjIsDguZNGsC4NuOXithfgjYkC
    localhost FALSE / FALSE 1645485193 splunkweb_csrf_token_8000 12523149765193777622
    

    The splunkweb_csrf_token_8000 is the X-Splunk-Form-Key as well.

If you use POSTMAN or similar services, the splunkd and csrf token are extracted and used automatically in subsequent requests as long as there is an active web session.
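The two-step login above yields a curl cookie jar; the following added example (not part of the Splunk documentation) parses that Netscape-format jar output into the header set shown under "Sample header format", and optionally performs the same login with the standard library. The cookie text embedded below is constructed from the shape of the page's step 2 output; the function and variable names are this example's own.

```python
"""Build Splunk Stream REST headers from a curl-style cookie jar.

Added example, not Splunk's own code. parse_cookie_jar() reads the lines
`curl -c -` prints after login; build_stream_headers() assembles the
Cookie / X-Splunk-Form-Key header set this page documents; login() does
the same two requests with urllib (it needs a live Splunk Web instance
and is not exercised offline).
"""
import http.cookiejar
import urllib.parse
import urllib.request
from typing import Dict

# Constructed sample of `curl -c -` output after a successful login.
# curl writes HttpOnly cookies with a '#HttpOnly_' prefix on the domain.
SAMPLE_COOKIE_JAR = """\
# Netscape HTTP Cookie File
#HttpOnly_localhost\tFALSE\t/\tFALSE\t1487808793\tsplunkd_8000\tUDS7UqFb7Am8aHEOftYtluORlpiKom2BHf5P5H_34x2^7unZJy5xNJiNGlHNsrtoHnw6x18KKVDpCz0Qs3vgEFYFCcKsSYqpkJEtQjIsDguZNGsC4NuOXithfgjYkC
localhost\tFALSE\t/\tFALSE\t1645485193\tsplunkweb_csrf_token_8000\t12523149765193777622
"""


def parse_cookie_jar(text: str) -> Dict[str, str]:
    """Return {cookie_name: value} from Netscape cookie-jar text.

    Each data line has seven whitespace-separated fields: domain,
    include-subdomains flag, path, secure flag, expiry, name, value.
    Lines starting with '#' are comments, except the '#HttpOnly_' lines
    that carry the splunkd session cookie, which must not be skipped.
    """
    cookies: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#HttpOnly_")):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line; ignore rather than guess
        cookies[fields[5]] = fields[6]
    return cookies


def build_stream_headers(cookies: Dict[str, str], port: int = 8000) -> Dict[str, str]:
    """Assemble the header set from "Sample header format" for one web port.

    Raises KeyError if the session or CSRF cookie is missing, so a failed
    login is detected before any Stream request is sent.
    """
    splunkd_name = f"splunkd_{port}"
    csrf_name = f"splunkweb_csrf_token_{port}"
    splunkd, csrf = cookies[splunkd_name], cookies[csrf_name]
    return {
        "Cookie": f"{splunkd_name}={splunkd};{csrf_name}={csrf}",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        # The CSRF token travels twice: as a cookie and as the form key.
        "X-Splunk-Form-Key": csrf,
    }


def login(base: str, username: str, password: str) -> Dict[str, str]:
    """Perform the page's two-step login with urllib and return the cookies.

    Step 1 fetches the login page to receive 'cval'; step 2 posts the
    credentials together with that value. TLS verification is left on.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_url = f"{base.rstrip('/')}/en-US/account/login"
    opener.open(login_url).read()
    cval = {c.name: c.value for c in jar}["cval"]
    form = urllib.parse.urlencode(
        {"username": username, "password": password, "cval": cval}).encode()
    opener.open(login_url, data=form).read()
    return {c.name: c.value for c in jar}


if __name__ == "__main__":
    for name, value in build_stream_headers(parse_cookie_jar(SAMPLE_COOKIE_JAR)).items():
        print(f"{name}: {value}")
```

Pass the returned dictionary to whatever HTTP client you use; the cookie names carry the Splunk Web port, so change `port` if Splunk Web does not listen on 8000.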

Ping

/ping

Return last app update status and API versions.

GET

Get app status and version data.

Request parameters
None.

Request payload
None.

Response
List of stats.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/ping

Example response

{"id": "appsmeta", "dateLastUpdated": 1484863500128, "_key": "appsmeta", "api_versions": {"ping": 1, "captureipaddresses": 1, "httpinputs": 1,
 "streams": 1, "users": 1, "vocabularies": 1, "streamforwardergroups": 1, "indexers": 1}, "version": "7.1.0"}

Streams

/streams/{stream_id}

Create, modify, and view stream configurations.

GET

Get stream configuration data by stream id.

Request parameters
Stream id is the stream name.

Request payload
None.

Response
Stream configuration data.

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test

Example response

{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}

DELETE

Delete stream configurations by stream id.

Request parameters
None.

Request payload
None.

Example request

curl -X DELETE \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  -k http://localhost:8000/en-US/custom/splunk_app_stream/streams/test

Example response

{"success": true, "deleted": "stream_id"}

PUT

Set stream mode to enable, disable, or stats only.

Request parameters

Name Type Description
enable String Enable stream.
disable String Disable stream.
statsOnly String Enable collection of stream volume stats only.

Request payload
None.

Example request

curl -X PUT \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  -k http://localhost:8000/en-US/custom/splunk_app_stream/streams/test/enable

Example response

{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": 
{"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": 
"event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes 
transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": 
"stream:http", "statsOnly": false, "index": null, "category": "Web"}

/streams

POST

Update stream configuration.

Request parameters
None.

Request payload
JSON dictionary of stream configuration data.

Response Codes

Status Code Description
200 OK

Example request

curl -X POST \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  -k http://localhost:8000/en-US/custom/splunk_app_stream/streams \
  -d '{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}'

Example response

{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": 
{"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": 
"event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes 
transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": 
"stream:http", "statsOnly": false, "index": null, "category": "Web"}
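The /ping and /streams operations above share one request shape: the header set from "Sample header format", a path built from the stream id, and a JSON body only for POST. The following added example (not Splunk's own code) wraps them in a small client. It assumes only the base URL, paths and mode names shown on this page; the `send` parameter is a constructed seam of the form (method, url, headers, body) -> (status, text) so the client can be exercised without a Splunk instance, and the default transport uses urllib with certificate verification left on.

```python
"""Minimal client for the Splunk Stream /ping and /streams endpoints.

Added example, not Splunk's own code. StreamClient assumes the base URL,
paths and modes documented on this page and a headers dict of the
"Sample header format" shape. The transport seam (send) is this
example's own construction.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

BASE_URL = "http://localhost:8000/en-US/custom/splunk_app_stream"
STREAM_MODES = ("enable", "disable", "statsOnly")  # PUT /streams/{id}/{mode}

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def urllib_send(method: str, url: str, headers: Dict[str, str],
                body: Optional[bytes]) -> Tuple[int, str]:
    """Default transport: one request via urllib, TLS verification on."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8")


class StreamClient:
    def __init__(self, headers: Dict[str, str], base_url: str = BASE_URL,
                 send: Transport = urllib_send) -> None:
        self.headers = dict(headers)  # Cookie, X-Splunk-Form-Key, etc.
        self.base_url = base_url.rstrip("/")
        self.send = send

    def _call(self, method: str, path: str,
              payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        body = json.dumps(payload).encode("utf-8") if payload is not None else None
        status, text = self.send(method, self.base_url + path, self.headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {text[:200]}")
        return json.loads(text)

    @staticmethod
    def _stream_path(stream_id: str) -> str:
        # The stream id is the stream name and becomes a URL path segment,
        # so percent-encode it rather than splicing it in verbatim.
        if not stream_id:
            raise ValueError("stream id must not be empty")
        return "/streams/" + urllib.parse.quote(stream_id, safe="")

    def ping(self) -> Dict[str, Any]:
        """GET /ping: app update status and API versions."""
        return self._call("GET", "/ping")

    def get_stream(self, stream_id: str) -> Dict[str, Any]:
        """GET /streams/{stream_id}: stream configuration."""
        return self._call("GET", self._stream_path(stream_id))

    def set_stream_mode(self, stream_id: str, mode: str) -> Dict[str, Any]:
        """PUT /streams/{stream_id}/{enable|disable|statsOnly}."""
        if mode not in STREAM_MODES:
            raise ValueError(f"mode must be one of {STREAM_MODES}, got {mode!r}")
        return self._call("PUT", f"{self._stream_path(stream_id)}/{mode}")

    def delete_stream(self, stream_id: str) -> Dict[str, Any]:
        """DELETE /streams/{stream_id}."""
        return self._call("DELETE", self._stream_path(stream_id))

    def update_stream(self, config: Dict[str, Any]) -> Dict[str, Any]:
        """POST /streams with a full stream configuration dictionary."""
        # Sanity check: keys every stream document on this page carries.
        missing = [k for k in ("id", "name", "protocolName", "streamType")
                   if k not in config]
        if missing:
            raise ValueError(f"stream config missing keys: {missing}")
        return self._call("POST", "/streams", config)


if __name__ == "__main__":
    # Offline demo: a fake transport that echoes a /ping-shaped document.
    def fake_send(method, url, headers, body):
        return 200, '{"id": "appsmeta", "api_versions": {"ping": 1}, "version": "7.1.0"}'

    client = StreamClient({"X-Splunk-Form-Key": "<csrf_token>"}, send=fake_send)
    print(client.ping()["version"])
```

Against a real instance, pass the headers built from the login cookies and omit `send`; every non-200 status surfaces as an exception instead of a silently ignored response.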

Stream forwarder groups

/streamforwardergroups/{forwarder_group_id}

Create, modify, and view DFM groups.

GET

Get stream forwarder group by group id.

Request parameters
None.

Request payload
None.

Response
Stream forwarder group configuration data.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/defaultgroup

Example response

{"_user": "nobody", "_key": "defaultgroup", "id": "defaultgroup", "rule": "", "streams": ["Splunk_SSLActivity", "Splunk_Tds", "dns", "rtp", 
"Splunk_MySql", "amqp", "xmpp", "Splunk_IP", "Splunk_Tns", "sflow", "Splunk_HTTPClient", "Splunk_DNSClientQueryTypes", "http", "ldap", 
"imap", "mapi", "smtp", "diameter", "Splunk_DNSServerErrors", "Splunk_HTTPResponseTime", "Splunk_Postgres", "Splunk_Tcp", "tds", 
"netflow", "arp", "Splunk_DNSRequestResponse", "ip", "Splunk_DNSClientErrors", "Splunk_DNSServerQuery", "nfs", "udp", "dhcp", "rtcp", 
"snmp", "Splunk_HTTPStatus", "icmp", "tns", "irc", "postgres", "Splunk_DNSServerResponse", "ftp", "smpp", "pop3", "Splunk_DNSIntegrity", 
"mysql", "Splunk_HTTPURI", "Splunk_Udp", "smb", "radius", "tcp", "sip", "ephem_2"], "description": "Used when there is no matching group 
found for a given stream forwarder ID", "includeEphemeralStreams": true, "modifiedBy": "admin", "hec": {"autoConfig": true}}

DELETE

Delete stream forwarder groups by group id.

Request parameters
None.

Request payload
None.

Response Codes

Status Code Description
200 OK


Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/{forwarder_group_id} -X DELETE

Example response

{"id": "{forwarder_group_id}"}

POST

Create stream forwarder groups.

Request parameters
None.

Request payload
Stream forwarder group configuration data.

Response Codes

Status Code Description
200 OK


Example request

curl -X POST \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  -k http://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups \
  -d '{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}'

Example response

{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}

Capture IP address

Create and view a list of blocked and allowed IP addresses.

/captureipaddresses/{blacklist|whitelist}

GET

Get list of blocked and allowed IP addresses.

Request parameters
None.

Request payload
None.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist

Example response

{"_user": "nobody", "_key": "whitelist", "ipAddresses": [], "id": "whitelist"}

PUT

Create list of blocked and allowed IP addresses.

Request parameters
None.

Request payload
List of blocked/allowed IP addresses.

Response Codes

Status Code Description
200 OK

Example request

curl -X PUT \
  -H "Cookie: splunkd_8000=<splunkd_cookie>; splunkweb_csrf_token_8000=<csrf_token>" \
  -H "X-Splunk-Form-Key: <csrf_token>" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  -k https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist \
  -d '{"ipAddresses":["192.168.0.0"]}'

Example response

{"ipAddresses":["192.168.0.0"]}
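Because the PUT above replaces the capture list with whatever it receives, it is worth validating the entries locally first. The following added example (not Splunk's own code) builds the path and payload for this endpoint, rejecting list names other than the two on this page and entries that are not single IP addresses, and dropping duplicates; the sample entries in it are constructed.

```python
"""Validate a capture IP list before PUTting it to /captureipaddresses.

Added example, not Splunk's own code. It assumes the two list names on
this page ("blacklist", "whitelist") and that entries are single IPv4 or
IPv6 addresses, as in the page's example payload.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

LIST_NAMES = ("blacklist", "whitelist")


def normalize_ip_entry(entry: str) -> str:
    """Return the canonical text form of one IP address.

    Raises ValueError for anything that is not a bare address (typos,
    hostnames, CIDR ranges), so bad entries fail here instead of being
    stored in the capture list.
    """
    return str(ipaddress.ip_address(entry.strip()))


def build_capture_ip_payload(
        list_name: str, entries: Iterable[str]) -> Tuple[str, Dict[str, List[str]]]:
    """Return (endpoint path, JSON payload) for PUT /captureipaddresses/{list}."""
    if list_name not in LIST_NAMES:
        raise ValueError(f"list must be one of {LIST_NAMES}, got {list_name!r}")
    addresses: List[str] = []
    errors: List[str] = []
    for position, raw in enumerate(entries):
        try:
            addr = normalize_ip_entry(raw)
        except ValueError:
            errors.append(f"entry {position}: {raw!r} is not an IP address")
            continue
        if addr not in addresses:  # drop duplicates, keep first-seen order
            addresses.append(addr)
    if errors:
        # Report every bad entry at once rather than stopping at the first.
        raise ValueError("; ".join(errors))
    return f"/captureipaddresses/{list_name}", {"ipAddresses": addresses}


if __name__ == "__main__":
    # Constructed sample list; the first entry matches the page's example.
    path, payload = build_capture_ip_payload(
        "whitelist", ["192.168.0.0", " 10.0.0.1 ", "2001:DB8::0001", "192.168.0.0"])
    print(path, payload)
```

The returned payload is what goes in the request body; the path is appended to the base URL and sent with the same header set as the other PUT requests on this page.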

Indexers

View list of available indexers.

/indexers

GET

Get list of valid indexers.

Request parameters
None.

Request payload
None.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/indexers

Example response

{"token": "978CE241-A655-4985-BCBE-F97163FF4DFC", "headerMeta": false, "collectors": ["https://dmillis-mbp15.splunk.local:8088"]}

HTTP inputs

View list of available HTTP inputs.

/httpinputs

GET

Get list of available HTTP inputs.

Request parameters
None.

Request payload
None.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/httpinputs

Example response

{
    "sslVersions": "*,-ssl2",
    "eai:userName": "admin",
    "disabled": false,
    "allowSslCompression": "true",
    "maxThreads": "0",
    "eai:acl": null,
    "useDeploymentServer": "0",
    "maxSockets": "0",
    "dedicatedIoThreads": "2",
    "allowSslRenegotiation": "true",
    "port": "8088",
    "host": "dmillis-mbp15.splunk.local",
    "eai:appName": "splunk_httpinput",
    "enableSSL": "1",
    "indexes": [],
    "tokens": [
        {
            "host": "dmillis-mbp15.splunk.local",
            "eai:appName": "splunk_httpinput",
            "disabled": false,
            "indexes": [],
            "eai:userName": "admin",
            "eai:acl": null,
            "index": "default",
            "token": "978CE241-A655-4985-BCBE-F97163FF4DFC",
            "_rcvbuf": 1572864,
            "name": "http://streamfwd"
        }
    ],
    "index": "default",
    "_rcvbuf": 1572864
}
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0

