Documentation: 3.4.1
This page last updated: 09/04/08 01:09pm

Splunk's REST API

REST is a programming method that provides simple access to Web-based resources. If you'd like to know more about REST methods, Wikipedia has an article on it titled Representational State Transfer. Configure web and server settings in web.conf and server.conf.

Using REST Methods

HTTP contains a uniform interface for accessing resources, including URIs, methods, status codes, headers, and content distinguished by MIME type.

The most important HTTP methods are POST, GET, PUT and DELETE. These are often compared with the CREATE, READ, UPDATE, DELETE (CRUD) operations associated with database technologies.

The following table associates several common HTTP verbs with similar database operations. Notice, however, that the meanings of the HTTP verbs do not correspond directly to a single database operation. For example, an HTTP PUT is used to set the value of a resource and may result in either a creation or an update as needed.

HTTP      CRUD
POST      Create, Update, Delete
GET       Read
PUT       Create, Update
DELETE    Delete

Splunk REST endpoint mappings

Splunk's REST endpoints are served via SSL off the splunkd process using the URL format: https://hostname:port/services/ (where hostname is your Splunk server's hostname, and port is the port number on which the splunkd process is listening). For example, if you are logged into the Splunk server and it is running on the default ports, use https://localhost:8089/services/ to access the REST endpoints.

Note: You may need to set custom configurations for your machine's hostname, ports, registered certificates, and firewall settings. All these settings are available in server.conf.

Configure new REST endpoints with restmap.conf.

HTTP ports Splunk uses

Note: All examples in this manual assume you are logged into the local machine and that Splunk is running on the default ports.

Splunk listens on the following ports:

  • Splunk Web listens on port 8000 by default
  • splunkd listens on port 8089 by default

Connections to splunkd are encrypted by default.

Examples

If you are logged into the same machine as your Splunk instance and have wget installed, you can cut and paste the following command into your terminal:

wget -O - -q --no-check-certificate --http-user=admin --http-password=changeme https://localhost:8089/services/

The -O - option tells wget to send the response to standard output. The --no-check-certificate option tells wget to ignore the critical certificate error that you'll get if you don't have a valid certificate. If you run an enterprise license, change the username and password to the ones you set. If you run the preview version of Splunk, just use what is there; it will authenticate on any username and password.

Splunk returns an XML-formatted Atom response:

wget -O - -q --no-check-certificate --http-user=admin --http-password=changeme https://localhost:8089/services/
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>services</title>
  <id>https://localhost:8089/services/</id>
  <updated>2008-01-31T19:15:37-0600</updated>
  <generator version="31749"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>streams</title>
    <id>https://localhost:8089/services/streams</id>
    <updated>2008-01-31T19:15:37-0600</updated>
    <link href="https://localhost:8089/services/streams" rel="alternate"/>
  </entry>
...
...
</feed>
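
The same request made with certificate verification left on, followed by parsing of the Atom response into a list of endpoints. This is an added example, not part of the original Splunk documentation. The function names, the ca_file argument (a CA bundle that signed your splunkd certificate) and the use of HTTP Basic authentication are assumptions, and SAMPLE_FEED is a trimmed copy of the response shown above.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample: the response shown above, trimmed, minus the elided ("...") entries.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>services</title>
  <id>https://localhost:8089/services/</id>
  <entry>
    <title>streams</title>
    <id>https://localhost:8089/services/streams</id>
    <link href="https://localhost:8089/services/streams" rel="alternate"/>
  </entry>
</feed>"""


def fetch_services(base_url, user, password, ca_file):
    """GET base_url, verifying splunkd's certificate against ca_file (hypothetical path)."""
    # Unlike --no-check-certificate, chain and hostname verification stay enabled.
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_services_feed(xml_text):
    """Return (feed title, [(entry title, alternate href), ...])."""
    if "<!DOCTYPE" in xml_text:  # an Atom response needs no DTD; refuse to parse one
        raise ValueError("unexpected DOCTYPE in response")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != ATOM + "feed":
        raise ValueError("not an Atom feed")
    entries = []
    for entry in root.findall(ATOM + "entry"):
        link = entry.find(ATOM + "link[@rel='alternate']")
        href = link.get("href") if link is not None else None
        entries.append((entry.findtext(ATOM + "title"), href))
    return root.findtext(ATOM + "title"), entries


if __name__ == "__main__":
    print(parse_services_feed(SAMPLE_FEED))
```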