Splunk Stream

Installation and Configuration Manual

Splunk Stream REST API reference

This reference describes Splunk Stream REST API endpoints. Use these endpoints to extend the functionality and interact programmatically with Splunk Stream.

Stream REST API endpoint categories

The Splunk Stream REST API provides the following endpoint categories:

Category Description
Ping Return last app update status and API versions.
Streams Create, modify, and view stream configurations.
Stream forwarder groups Create, modify, and view Distributed Forwarder Management (DFM) groups.
Capture IP address Create and view a list of blocked and allowed IP addresses.
Indexers View list of available indexers.
HTTP inputs View list of available HTTP inputs.

Usage Details

Authentication and Authorization

Cookies and CSRF tokens are required for access to Splunk Stream endpoints and REST operations.

Base URL


Sample header format

headers = {
    Cookie: splunkd_PORT=<splunkd_cookie>;splunkweb_csrf_token_PORT=<csrf_token>,
    Content-type: application/json,
    X-Requested-With: XMLHttpRequest,
    X-Splunk-Form-Key: <csrf_token>
}

Sample response format

{'status': '200', 'content-length': '329', 'x-content-type-options': 'nosniff', 'date': 'Fri, 20 Jan 2017 23:33:15 GMT', 'set-cookie':
'session_id_8000=4be31ce28b4b46b681fd909856497f58d919389c; expires=Sat, 21 Jan 2017 23:33:15 GMT; httponly; Path=/', 'x-frame-options': 
'SAMEORIGIN', 'content-type': 'text/json;charset=utf-8', 'connection': 'Close', 'vary': 'Cookie', 'server': 'Splunkd'}

How to generate tokens

If you are using curl, follow these steps:

  1. Collect the "cval" set-cookie value:
    curl -c - -k http://localhost:8000/en-US/account/login

    Example response

    localhost FALSE /en-US/account/ FALSE 0 cval 1850823966
    localhost FALSE /en-US/account FALSE 1645485022 splunkweb_uid B0016BF4-2725-475F-9CEF-968387C83900
  2. Retrieve other tokens:
    curl -c - -k http://localhost:8000/en-US/account/login -H "Cookie: cval=<cval_value>" -d username=<splunk_web_username> -d password=<splunk_web_password> -d cval=<cval_value>

    Example response

    #HttpOnly_localhost FALSE / FALSE 1487808793 splunkd_8000 UDS7UqFb7Am8aHEOftYtluORlpiKom2BHf5P5H_34x2^7unZJy5xNJiNGlHNsrtoHnw6x18KKVDpCz0Qs3vgEFYFC
    localhost FALSE / FALSE 1645485193 splunkweb_csrf_token_8000 12523149765193777622

    The splunkweb_csrf_token_8000 value is also the X-Splunk-Form-Key value.

If you use Postman or similar services, the splunkd cookie and CSRF token are extracted and used automatically in subsequent requests as long as there is an active web session.
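The token steps above, as an added example that is not part of the Splunk documentation: a Python parser for the cookie-jar text that `curl -c -` prints, which builds the headers shown in the sample header format. The function names, the `port` parameter and the sample jar values are assumptions for illustration; note that the `#HttpOnly_` line carrying the splunkd cookie is a cookie record, not a comment.

```python
HTTPONLY_PREFIX = "#HttpOnly_"

# Constructed sample in the Netscape cookie-jar layout that curl prints
# (tab-separated: domain, subdomains, path, secure, expiry, name, value).
# The values are placeholders, not real session material.
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_localhost\tFALSE\t/\tFALSE\t1487808793\tsplunkd_8000\tEXAMPLE_SPLUNKD_SESSION\n"
    "localhost\tFALSE\t/\tFALSE\t1645485193\tsplunkweb_csrf_token_8000\t1234567890\n"
)


def parse_cookie_jar(text):
    """Return {name: value} for every cookie record (hypothetical helper)."""
    cookies = {}
    for line in text.splitlines():
        # curl marks HttpOnly cookies with a "#HttpOnly_" prefix; such a line
        # is a cookie, not a comment, so strip the prefix before the "#" test.
        if line.startswith(HTTPONLY_PREFIX):
            line = line[len(HTTPONLY_PREFIX):]
        elif line.startswith("#") or not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) == 7:
            cookies[fields[5]] = fields[6]
    return cookies


def stream_headers(jar_text, port=8000):
    """Build request headers per the sample header format (port is assumed)."""
    cookies = parse_cookie_jar(jar_text)
    try:
        splunkd = cookies[f"splunkd_{port}"]
        csrf = cookies[f"splunkweb_csrf_token_{port}"]
    except KeyError as missing:
        raise ValueError(f"login response did not set {missing}") from None
    return {
        "Cookie": f"splunkd_{port}={splunkd}; splunkweb_csrf_token_{port}={csrf}",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "X-Splunk-Form-Key": csrf,  # same value as the CSRF cookie
    }


if __name__ == "__main__":
    print(sorted(stream_headers(SAMPLE_JAR)))  # header names only, no secrets
```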



Ping

Return last app update status and API versions.


Get app status and version data.

Request parameters

Request payload

List of stats.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/ping

Example response

{"id": "appsmeta", "dateLastUpdated": 1484863500128, "_key": "appsmeta", "api_versions": {"ping": 1, "captureipaddresses": 1, "httpinputs": 1,
 "streams": 1, "users": 1, "vocabularies": 1, "streamforwardergroups": 1, "indexers": 1}, "version": "7.1.0"}



Streams

Create, modify, and view stream configurations.


Get stream configuration data by stream id.

Request parameters
Stream id is the stream name.

Request payload

Stream configuration data.

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test

Example response

{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}


Delete stream configurations by stream id.

Request parameters

Request payload

Example request

curl -X DELETE -H "Cookie: splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-

Example response

{"success": true, "deleted": "stream_id"}


Set stream mode to enable, disable, or stats only.

Request parameters

Name Type Description
enable String Enable stream.
disable String Disable stream.
statsOnly String Enable collection of stream volume stats only.

Request payload

Example request

curl -X PUT -H "Cookie: splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-

Example response

{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}



Update stream configuration.

Request parameters

Request payload
JSON dictionary of stream configuration data.

Response Codes

Status Code Description
200 OK

Example request

curl -X POST -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streams -d '{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}'

Example response

{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}

Stream forwarder groups


Create, modify, and view DFM groups.


Get stream forwarder group by group id.

Request parameters

Request payload

Stream forwarder group configuration data.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/defaultgroup

Example response

{"_user": "nobody", "_key": "defaultgroup", "id": "defaultgroup", "rule": "", "streams": ["Splunk_SSLActivity", "Splunk_Tds", "dns", "rtp", "Splunk_MySql", "amqp", "xmpp", "Splunk_IP", "Splunk_Tns", "sflow", "Splunk_HTTPClient", "Splunk_DNSClientQueryTypes", "http", "ldap", "imap", "mapi", "smtp", "diameter", "Splunk_DNSServerErrors", "Splunk_HTTPResponseTime", "Splunk_Postgres", "Splunk_Tcp", "tds", "netflow", "arp", "Splunk_DNSRequestResponse", "ip", "Splunk_DNSClientErrors", "Splunk_DNSServerQuery", "nfs", "udp", "dhcp", "rtcp", "snmp", "Splunk_HTTPStatus", "icmp", "tns", "irc", "postgres", "Splunk_DNSServerResponse", "ftp", "smpp", "pop3", "Splunk_DNSIntegrity", "mysql", "Splunk_HTTPURI", "Splunk_Udp", "smb", "radius", "tcp", "sip", "ephem_2"], "description": "Used when there is no matching group found for a given stream forwarder ID", "includeEphemeralStreams": true, "modifiedBy": "admin", "hec": {"autoConfig": true}}


Delete stream forwarder groups by group id.

Request parameters

Request payload

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/{forwarder_group_id} -X DELETE

Example response

{"id": "{forwarder_group_id}"}


Create stream forwarder groups.

Request parameters

Request payload
Stream forwarder group configuration data.

Response Codes

Status Code Description
200 OK

Example request

curl -X POST -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups -d '{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}'

Example response

'{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}'

Capture IP address

Create and view a list of blocked and allowed IP addresses.



Get list of blocked and allowed IP addresses.

Request parameters

Request payload

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist

Example response

{"_user": "nobody", "_key": "whitelist", "ipAddresses": [], "id": "whitelist"}


Create list of blocked and allowed IP addresses.

Request parameters

Request payload
List of blocked/allowed IP addresses.

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist

Example response



Indexers

View list of available indexers.



Get list of valid indexers.

Request parameters

Request payload

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/indexers

Example response

{"token": "978CE241-A655-4985-BCBE-F97163FF4DFC", "headerMeta": false, "collectors": ["https://dmillis-mbp15.splunk.local:8088"]}

HTTP inputs

View list of available HTTP inputs.



Get list of available HTTP inputs.

Request parameters

Request payload

Response Codes

Status Code Description
200 OK

Example request

curl -k https://localhost:8000/en-US/custom/splunk_app_stream/httpinputs

Example response

{
    "sslVersions": "*,-ssl2",
    "eai:userName": "admin",
    "disabled": false,
    "allowSslCompression": "true",
    "maxThreads": "0",
    "eai:acl": null,
    "useDeploymentServer": "0",
    "maxSockets": "0",
    "dedicatedIoThreads": "2",
    "allowSslRenegotiation": "true",
    "port": "8088",
    "host": "dmillis-mbp15.splunk.local",
    "eai:appName": "splunk_httpinput",
    "enableSSL": "1",
    "indexes": [],
    "tokens": [
        {
            "host": "dmillis-mbp15.splunk.local",
            "eai:appName": "splunk_httpinput",
            "disabled": false,
            "indexes": [],
            "eai:userName": "admin",
            "eai:acl": null,
            "index": "default",
            "token": "978CE241-A655-4985-BCBE-F97163FF4DFC",
            "_rcvbuf": 1572864,
            "name": "http://streamfwd"
        }
    ],
    "index": "default",
    "_rcvbuf": 1572864
}

Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3
