Splunk Stream REST API reference
This reference describes Splunk Stream REST API endpoints. Use these endpoints to extend the functionality and interact programmatically with Splunk Stream.
Stream REST API endpoint categories
The Splunk Stream REST API provides the following endpoint categories:
Category | Description |
---|---|
Ping | Return last app update status and API versions. |
Streams | Create, modify, and view stream configurations. |
Stream forwarder groups | Create, modify, and view Distributed Forwarder Management (DFM) groups. |
Capture IP address | Create and view a list of blocked and allowed IP addresses. |
Indexers | View list of available indexers. |
HTTP inputs | View list of available HTTP inputs. |
Usage Details
Authentication and Authorization
Cookies and CSRF tokens are required for access to Splunk Stream endpoints and REST operations.
Base URL
http://localhost:8000/en-US/custom/splunk_app_stream
Sample header format
headers = {
    Cookie: splunkd_PORT=<splunkd_cookie>; splunkweb_csrf_token_PORT=<csrf_token>,
    Content-type: application/json,
    X-Requested-With: XMLHttpRequest,
    X-Splunk-Form-Key: <csrf_token>
}
Sample response format
{'status': '200', 'content-length': '329', 'x-content-type-options': 'nosniff', 'date': 'Fri, 20 Jan 2017 23:33:15 GMT', 'set-cookie': 'session_id_8000=4be31ce28b4b46b681fd909856497f58d919389c; expires=Sat, 21 Jan 2017 23:33:15 GMT; httponly; Path=/', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'text/json;charset=utf-8', 'connection': 'Close', 'vary': 'Cookie', 'server': 'Splunkd'}
How to generate tokens
If you are using curl, follow these steps:
- Collect the "cval" set-cookie value:
curl -c - -k http://localhost:8000/en-US/account/login
Example response
localhost	FALSE	/en-US/account/	FALSE	0	cval	1850823966
localhost	FALSE	/en-US/account	FALSE	1645485022	splunkweb_uid	B0016BF4-2725-475F-9CEF-968387C83900
- Retrieve other tokens:
curl -c - -k http://localhost:8000/en-US/account/login -H "Cookie: cval=<cval_value>" -d username=<splunk_web_username> -d password=<splunk_web_password> -d cval=<cval_value>
Example response
#HttpOnly_localhost	FALSE	/	FALSE	1487808793	splunkd_8000	UDS7UqFb7Am8aHEOftYtluORlpiKom2BHf5P5H_34x2^7unZJy5xNJiNGlHNsrtoHnw6x18KKVDpCz0Qs3vgEFYFCcKsSYqpkJEtQjIsDguZNGsC4NuOXithfgjYkC
localhost	FALSE	/	FALSE	1645485193	splunkweb_csrf_token_8000	12523149765193777622
The splunkweb_csrf_token_8000 value is also sent as the X-Splunk-Form-Key header.
If you use Postman or a similar tool, the splunkd cookie and CSRF token are extracted and used automatically in subsequent requests as long as there is an active web session.
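The token flow above, carried end to end as an added example that is not part of the Splunk documentation: parse the cookie-jar text that `curl -c -` prints, build the header set every Stream call needs, and run the two-step login with the standard library. It assumes Splunk Web on https://localhost:8000 with a self-signed certificate, which it accepts the way `curl -k` does; the sample cookie-jar text is constructed from the response shown above.

```python
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample of `curl -c -` output, modelled on the page's second response.
SAMPLE_JAR = (
    "#HttpOnly_localhost\tFALSE\t/\tFALSE\t1487808793\tsplunkd_8000\tUDS7UqFb7Am8\n"
    "localhost\tFALSE\t/\tFALSE\t1645485193\tsplunkweb_csrf_token_8000\t12523149765193777622\n"
)

def parse_netscape_cookies(text):
    """Parse Netscape cookie-jar text (domain, subdomains, path, secure, expiry, name, value)
    into {name: value}. curl marks HttpOnly cookies with '#HttpOnly_', so those lines are kept."""
    cookies = {}
    for line in text.splitlines():
        if not line.strip() or (line.startswith("#") and not line.startswith("#HttpOnly_")):
            continue
        parts = line.split("\t") if "\t" in line else line.split()
        if len(parts) >= 7:
            cookies[parts[5]] = parts[6]
    return cookies

def build_stream_headers(splunkd_cookie, csrf_token, port=8000):
    """Header set for a Splunk Stream REST call. The CSRF token is sent twice, as the
    splunkweb_csrf_token_<PORT> cookie and as X-Splunk-Form-Key: Splunk Web accepts the
    request only when both copies match (double-submit CSRF check)."""
    return {
        "Cookie": f"splunkd_{port}={splunkd_cookie}; splunkweb_csrf_token_{port}={csrf_token}",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "X-Splunk-Form-Key": csrf_token,
    }

def login(username, password, base="https://localhost:8000", port=8000):
    """Two-step login from the page: GET sets cval, then POST of credentials + cval
    sets splunkd_<PORT> and splunkweb_csrf_token_<PORT>. Needs a live Splunk Web."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # same effect as `curl -k`
    jar = CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), urllib.request.HTTPSHandler(context=ctx))
    url = f"{base}/en-US/account/login"
    opener.open(url)
    cval = next(c.value for c in jar if c.name == "cval")
    form = urllib.parse.urlencode({"username": username, "password": password, "cval": cval}).encode()
    opener.open(url, data=form)
    cookies = {c.name: c.value for c in jar}
    return build_stream_headers(cookies[f"splunkd_{port}"], cookies[f"splunkweb_csrf_token_{port}"], port)
```

Pass the returned dictionary as the headers of every subsequent request to the base URL; the same headers are used by the curl examples in the sections below.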
Ping
/ping
Return last app update status and API versions.
GET
Get app status and version data.
Request parameters
None.
Request payload
None.
Response
List of stats.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/ping
Example response
{"id": "appsmeta", "dateLastUpdated": 1484863500128, "_key": "appsmeta", "api_versions": {"ping": 1, "captureipaddresses": 1, "httpinputs": 1, "streams": 1, "users": 1, "vocabularies": 1, "streamforwardergroups": 1, "indexers": 1}, "version": "7.1.0"}
Streams
/streams/{stream_id}
Create, modify, and view stream configurations.
GET
Get stream configuration data by stream id.
Request parameters
Stream id is the stream name.
Request payload
None.
Response
Stream configuration data.
Example request
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test
Example response
{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}
DELETE
Delete stream configurations by stream id.
Request parameters
None.
Request payload
None.
Example request
curl -X DELETE -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streams/test
Example response
{"success": true, "deleted": "stream_id"}
PUT
Set stream mode to enable, disable, or stats only.
Request parameters
Name | Type | Description |
---|---|---|
enable | String | Enable stream. |
disable | String | Disable stream. |
statsOnly | String | Enable collection of stream volume stats only. |
Request payload
None.
Example request
curl -X PUT -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streams/test/enable
Example response
{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}
/streams
POST
Update stream configuration.
Request parameters
None.
Request payload
JSON dictionary of stream configuration data.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -X POST -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streams -d '{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}'
Example response
{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}
Stream forwarder groups
/streamforwardergroups/{forwarder_group_id}
Create, modify, and view DFM groups.
GET
Get stream forwarder group by group id.
Request parameters
None.
Request payload
None.
Response
Stream forwarder group configuration data.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/defaultgroup
Example response
{"_user": "nobody", "_key": "defaultgroup", "id": "defaultgroup", "rule": "", "streams": ["Splunk_SSLActivity", "Splunk_Tds", "dns", "rtp", "Splunk_MySql", "amqp", "xmpp", "Splunk_IP", "Splunk_Tns", "sflow", "Splunk_HTTPClient", "Splunk_DNSClientQueryTypes", "http", "ldap", "imap", "mapi", "smtp", "diameter", "Splunk_DNSServerErrors", "Splunk_HTTPResponseTime", "Splunk_Postgres", "Splunk_Tcp", "tds", "netflow", "arp", "Splunk_DNSRequestResponse", "ip", "Splunk_DNSClientErrors", "Splunk_DNSServerQuery", "nfs", "udp", "dhcp", "rtcp", "snmp", "Splunk_HTTPStatus", "icmp", "tns", "irc", "postgres", "Splunk_DNSServerResponse", "ftp", "smpp", "pop3", "Splunk_DNSIntegrity", "mysql", "Splunk_HTTPURI", "Splunk_Udp", "smb", "radius", "tcp", "sip", "ephem_2"], "description": "Used when there is no matching group found for a given stream forwarder ID", "includeEphemeralStreams": true, "modifiedBy": "admin", "hec": {"autoConfig": true}}
DELETE
Delete stream forwarder groups by group id.
Request parameters
None.
Request payload
None.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/{forwarder_group_id} -X DELETE
Example response
{"id": "{forwarder_group_id}"}
POST
Create stream forwarder groups.
Request parameters
None.
Request payload
Stream forwarder group configuration data.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -X POST -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" -H "X-Splunk-Form-Key: 6914067146718907469" -H "X-Requested-With: XMLHttpRequest" -H "Content-Type: application/json" -k http://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups -d '{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}'
Example response
{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}
Capture IP address
Create and view a list of blocked and allowed IP addresses.
/captureipaddresses/{blacklist|whitelist}
GET
Get list of blocked and allowed IP addresses.
Request parameters
Request payload
None.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist
Example response
{"_user": "nobody", "_key": "whitelist", "ipAddresses": [], "id": "whitelist"}
PUT
Create list of blocked and allowed IP addresses.
Request parameters
None.
Request payload
List of blocked/allowed IP addresses.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -X PUT -k https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist
Example response
{"ipAddresses":["192.168.0.0"]}
Indexers
View list of available indexers.
/indexers
GET
Get list of valid indexers.
Request parameters
None.
Request payload
None.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/indexers
Example response
{"token": "978CE241-A655-4985-BCBE-F97163FF4DFC", "headerMeta": false, "collectors": ["https://dmillis-mbp15.splunk.local:8088"]}
HTTP inputs
View list of available HTTP inputs.
/httpinputs
GET
Get list of available HTTP inputs.
Request parameters
None.
Request payload
None.
Response Codes
Status Code | Description |
---|---|
200 | OK |
Example request
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/httpinputs
Example response
{ "sslVersions": "*,-ssl2", "eai:userName": "admin", "disabled": false, "allowSslCompression": "true", "maxThreads": "0", "eai:acl": null, "useDeploymentServer": "0", "maxSockets": "0", "dedicatedIoThreads": "2", "allowSslRenegotiation": "true", "port": "8088", "host": "dmillis-mbp15.splunk.local", "eai:appName": "splunk_httpinput", "enableSSL": "1", "indexes": [], "tokens": [ { "host": "dmillis-mbp15.splunk.local", "eai:appName": "splunk_httpinput", "disabled": false, "indexes": [], "eai:userName": "admin", "eai:acl": null, "index": "default", "token": "978CE241-A655-4985-BCBE-F97163FF4DFC", "_rcvbuf": 1572864, "name": "http://streamfwd" } ], "index": "default", "_rcvbuf": 1572864 }
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3