This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
REST (Representational State Transfer) is an architectural style that provides simple, uniform access to Web-based resources over HTTP. If you'd like to know more about REST, Wikipedia has an article on it titled Representational State Transfer. Configure web and server settings in web.conf and server.conf.
HTTP contains a uniform interface for accessing resources, including URIs, methods, status codes, headers, and content distinguished by MIME type.
The most important HTTP methods are POST, GET, PUT and DELETE. These are often compared with the CREATE, READ, UPDATE, DELETE (CRUD) operations associated with database technologies.
The following table associates several common HTTP verbs with similar database operations. Notice, however, that the meaning of an HTTP verb does not correspond directly to a single database operation. For example, an HTTP PUT sets the value of a resource and may result in either a creation or an update, as needed.
| HTTP | CRUD |
| POST | Create, Update, Delete |
| GET | Read |
| PUT | Create, Update |
| DELETE | Delete |
Splunk's REST endpoints are served over SSL by the splunkd process using the URL format https://hostname:port/services/ (where hostname is your Splunk server's hostname and port is the management port on which the splunkd process is listening). For example, if you are logged into the Splunk server and it is running on the default ports, use https://localhost:8089/services/ to access the REST endpoints.
Note: You may need to set custom configurations for your machine's hostname, ports, registered certificates, and firewall settings. The hostname, port and certificate settings are available in server.conf; firewall rules are managed on the host itself and must allow connections to the management port.
Configure new REST endpoints with restmap.conf.
Note: All examples in this manual assume you are logged into the local machine and that Splunk is running on the default ports.
Splunk listens on the following port for REST access: splunkd listens on port 8089 by default.
Connections to splunkd are encrypted (SSL) by default.
If you are logged into the same machine as your Splunk instance and have wget installed, you can cut and paste the following command into your terminal:
wget -O - -q --no-check-certificate --http-user=admin --http-password=changeme https://localhost:8089/services/
The -O - option tells wget to send the response to standard output. The --no-check-certificate option tells wget to ignore the certificate error you will get if the instance does not present a certificate your system trusts (the default self-signed certificate, for example). Skip the check only against a local instance you control; from any other host, point wget at the authority that signed the splunkd certificate instead (--ca-certificate=file), so that the credentials cannot be collected by an impostor sitting between you and the server. Note also that a password given on the command line is visible to other users of the machine in the process list and is recorded in your shell history. If you run an enterprise license, change the username and password to the ones you set. If you run the preview version of Splunk, use the values as shown; it authenticates with any username and password.
Splunk returns an XML-formatted Atom response:
wget -O - -q --no-check-certificate --http-user=admin --http-password=changeme https://localhost:8089/services/
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>services</title>
<id>https://localhost:8089/services/</id>
<updated>2008-01-31T19:15:37-0600</updated>
<generator version="31749"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>streams</title>
<id>https://localhost:8089/services/streams</id>
<updated>2008-01-31T19:15:37-0600</updated>
<link href="https://localhost:8089/services/streams" rel="alternate"/>
</entry>
...
...
</feed>
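The request above and the feed it returns, worked through in Python as an added example (this is not code from the Splunk documentation or from the product). It replaces --no-check-certificate with verification against a CA file, passes the Basic credentials the way wget's --http-user/--http-password do but reads them from the environment instead of the command line, and walks the Atom entries by their namespaced tags. The environment variable names SPLUNK_URL, SPLUNK_USER, SPLUNK_PASSWORD and SPLUNK_CAFILE are assumptions for this example; the embedded sample feed is the page's response trimmed to its first entry so the parser can be exercised offline.

```python
"""Added example (not from the Splunk documentation): fetch the splunkd REST
root over HTTPS with a verified certificate and walk the Atom feed it returns.

Assumptions not stated on the page: the CA certificate that signed the splunkd
certificate is in a PEM file, and credentials come from the environment
variables SPLUNK_USER, SPLUNK_PASSWORD and SPLUNK_CAFILE (hypothetical names).
"""
import base64
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"   # namespace of every element in the feed

# Constructed sample input: the response shown on this page, trimmed to its
# first entry (the elided entries are omitted), used when no server is reachable.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>services</title>
<id>https://localhost:8089/services/</id>
<updated>2008-01-31T19:15:37-0600</updated>
<generator version="31749"/>
<author><name>Splunk</name></author>
<entry>
<title>streams</title>
<id>https://localhost:8089/services/streams</id>
<updated>2008-01-31T19:15:37-0600</updated>
<link href="https://localhost:8089/services/streams" rel="alternate"/>
</entry>
</feed>
"""


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials, as wget's --http-user/--http-password send them."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def tls_opener(cafile: str) -> urllib.request.OpenerDirector:
    """Opener that verifies the server certificate against `cafile` (the
    counterpart of wget --ca-certificate). This is the replacement for
    --no-check-certificate, which would hand the Basic credentials to any
    impostor that answers on the management port."""
    ctx = ssl.create_default_context(cafile=cafile)   # hostname check stays on
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def fetch_services(base_url: str, user: str, password: str, cafile: str) -> bytes:
    """GET <base_url>/services/ and return the raw Atom XML."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    with tls_opener(cafile).open(req, timeout=10) as resp:
        return resp.read()


def parse_feed(xml_bytes: bytes):
    """Return (feed title, [(entry title, alternate link href), ...]).

    Elements are matched by their namespaced tag, so elements with the same
    local name under another namespace are not mistaken for Atom entries.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != ATOM + "feed":
        raise ValueError(f"expected an Atom feed, got {root.tag}")
    title = root.findtext(ATOM + "title", default="")
    entries = []
    for entry in root.findall(ATOM + "entry"):
        name = entry.findtext(ATOM + "title", default="")
        href = next((link.get("href") for link in entry.findall(ATOM + "link")
                     if link.get("rel") == "alternate"), None)
        entries.append((name, href))
    return title, entries


if __name__ == "__main__":
    if "SPLUNK_PASSWORD" in os.environ:
        body = fetch_services(
            os.environ.get("SPLUNK_URL", "https://localhost:8089"),
            os.environ.get("SPLUNK_USER", "admin"),
            os.environ["SPLUNK_PASSWORD"],
            os.environ["SPLUNK_CAFILE"],
        )
    else:
        body = SAMPLE_FEED   # offline run against the constructed sample
    feed_title, links = parse_feed(body)
    print(feed_title)
    for name, href in links:
        print(f"  {name:<12} {href}")
```

Run it with the four variables set to talk to a live instance, or with none of them set to parse the sample feed. The `rel="alternate"` link is the URL to request next; each entry under /services/ is itself a feed in the same shape, so the same parser walks the whole endpoint tree.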