Splunk Stream REST API reference

This reference describes Splunk Stream REST API endpoints. Use these endpoints to extend the functionality and interact programmatically with Splunk Stream.

Stream REST API endpoint categories

The Splunk Stream REST API provides the following endpoint categories:

Category Description
Ping Return last app update status and API versions.
Streams Create, modify, and view stream configurations.
Stream forwarder groups Create, modify, and view Distributed Forwarder Management (DFM) groups.
Capture IP address Create and view a list of blocked and allowed IP addresses.
Indexers View list of available indexers.
HTTP inputs View list of available HTTP inputs.

Usage Details

Authentication and Authorization

Splunk Stream endpoints are served through Splunk Web, so every request must carry the session cookie (splunkd_<port>) and the CSRF token. The CSRF token is sent twice: as the splunkweb_csrf_token_<port> cookie and in the X-Splunk-Form-Key header. The example GET requests in this reference are shown without these headers for brevity; send the same header set on every request.

Base URL

CODE
http://localhost:8000/en-US/custom/splunk_app_stream

Note: Replace localhost:8000 with the host and port of your Splunk Web instance, and use https if Splunk Web has SSL enabled (enableSplunkWebSSL in web.conf). Over plain http the session cookie and CSRF token travel in clear text.

Sample header format

JSON
headers = {
    "Cookie": "splunkd_<port>=<splunkd_cookie>; splunkweb_csrf_token_<port>=<csrf_token>",
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest",
    "X-Splunk-Form-Key": "<csrf_token>"
}

Here <port> is the Splunk Web port, so on a default installation the cookie names are splunkd_8000 and splunkweb_csrf_token_8000. The same <csrf_token> value appears in both the cookie and the X-Splunk-Form-Key header.

Sample response format

JSON
{'status': '200', 'content-length': '329', 'x-content-type-options': 'nosniff', 'date': 'Fri, 20 Jan 2017 23:33:15 GMT', 'set-cookie':
'session_id_8000=4be31ce28b4b46b681fd909856497f58d919389c; expires=Sat, 21 Jan 2017 23:33:15 GMT; httponly; Path=/', 'x-frame-options': 
'SAMEORIGIN', 'content-type': 'text/json;charset=utf-8', 'connection': 'Close', 'vary': 'Cookie', 'server': 'Splunkd'}

How to generate tokens

If you are using curl follow these steps:

  1. Collect the "cval" set-cookie value:
    CODE
    curl -c - -k http://localhost:8000/en-US/account/login

    Example response

    CODE
    localhost FALSE /en-US/account/ FALSE 0 cval 1850823966
    localhost FALSE /en-US/account FALSE 1645485022 splunkweb_uid B0016BF4-2725-475F-9CEF-968387C83900
  2. Retrieve other tokens:
    CODE
    curl -c - -k http://localhost:8000/en-US/account/login -H "Cookie: cval=<cval_value>" \
      -d username=<splunk_web_username> -d password=<splunk_web_password> -d cval=<cval_value>

    Example response

    CODE
    #HttpOnly_localhost FALSE / FALSE 1487808793 splunkd_8000 UDS7UqFb7Am8aHEOftYtluORlpiKom2BHf5P5H_34x2^7unZJy5xNJiNGlHNsrtoHnw6x18KKVDpCz0Qs3vgEFYFCcKsSYqpkJEtQjIsDguZNGsC4NuOXithfgjYkC
    localhost FALSE / FALSE 1645485193 splunkweb_csrf_token_8000 12523149765193777622

    Note: The splunkweb_csrf_token_8000 value is also what you send in the X-Splunk-Form-Key header. The splunkd_8000 cookie (marked #HttpOnly_ in the cookie jar) is the session credential; protect it as you would a password.

Note: If you use Postman or a similar tool, the splunkd and CSRF token cookies are captured and sent automatically on subsequent requests as long as the web session is active.
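The two curl steps above carried out in Python, followed by assembly of the header set from the sample header format, as an added example that is not part of the Splunk documentation. It assumes Splunk Web on http://localhost:8000 with the login form at /en-US/account/login as shown above; the username and password in the usage section are placeholders. The cookie-jar parser reads the `curl -c -` output shown in the example responses, so the headers can also be built from a saved jar without logging in again.

```python
"""Log in to Splunk Web and build the headers Splunk Stream endpoints expect.

Added example, not Splunk's code. Assumes Splunk Web at http(s)://localhost:8000
with the default login form at /en-US/account/login.
"""
import http.cookiejar
import ssl
import urllib.parse
import urllib.request
from typing import Dict


def parse_curl_cookie_jar(text: str) -> Dict[str, str]:
    """Parse the Netscape cookie-jar text that `curl -c -` prints into {name: value}.

    Lines beginning with '#HttpOnly_' are real cookies (the splunkd session
    cookie is one of them), so they must not be skipped as comments.
    """
    cookies: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        # Fields: domain, include-subdomains, path, secure, expiry, name, value
        fields = line.split("\t") if "\t" in line else line.split()
        if len(fields) >= 7:
            cookies[fields[5]] = fields[6]
    return cookies


def stream_headers(cookies: Dict[str, str], port: int = 8000) -> Dict[str, str]:
    """Build the Cookie / CSRF header set from the post-login cookies."""
    try:
        session = cookies[f"splunkd_{port}"]
        csrf = cookies[f"splunkweb_csrf_token_{port}"]
    except KeyError as missing:
        # A failed login leaves no splunkd cookie; fail here, not on the first API call.
        raise RuntimeError(f"login did not set cookie {missing}") from None
    return {
        "Cookie": f"splunkd_{port}={session}; splunkweb_csrf_token_{port}={csrf}",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "X-Splunk-Form-Key": csrf,  # same value as the splunkweb_csrf_token cookie
    }


def login(base_url: str, username: str, password: str,
          insecure: bool = False) -> Dict[str, str]:
    """Perform the two-step login shown above and return all cookies by name."""
    jar = http.cookiejar.CookieJar()
    ctx = ssl.create_default_context()
    if insecure:  # the curl -k equivalent; only for a lab host with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar),
        urllib.request.HTTPSHandler(context=ctx),
    )
    login_url = f"{base_url}/en-US/account/login"
    opener.open(login_url).read()                 # step 1: server sets the cval cookie
    cval = next((c.value for c in jar if c.name == "cval"), None)
    if cval is None:
        raise RuntimeError("login page did not set a cval cookie")
    form = urllib.parse.urlencode(
        {"username": username, "password": password, "cval": cval}).encode()
    opener.open(login_url, data=form).read()      # step 2: splunkd_<port> + CSRF cookies
    return {c.name: c.value for c in jar}


if __name__ == "__main__":
    # Placeholder credentials and host; replace with your own.
    cookies = login("http://localhost:8000", "admin", "changeme")
    headers = stream_headers(cookies, port=8000)
    req = urllib.request.Request(
        "http://localhost:8000/en-US/custom/splunk_app_stream/ping", headers=headers)
    print(urllib.request.urlopen(req).read().decode())
```

login() with insecure=True mirrors curl -k and should only be used against a lab host with a self-signed certificate. stream_headers() fails immediately if the splunkd cookie is absent, which is what a failed login produces, rather than letting the first API call fail with an opaque redirect to the login page.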

Ping

/ping

Return last app update status and API versions.

GET

Get app status and version data.

Request parameters

None.

Request payload

None.

Response

List of stats.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/ping

Example response

JSON
{"id": "appsmeta", "dateLastUpdated": 1484863500128, "_key": "appsmeta",
 "api_versions": {"ping": 1, "captureipaddresses": 1, "httpinputs": 1, "streams": 1, "users": 1,
                  "vocabularies": 1, "streamforwardergroups": 1, "indexers": 1},
 "version": "7.1.0"}

Streams

/streams/{stream_id}

Create, modify, and view stream configurations.

GET

Get stream configuration data by stream id.

Request parameters

Stream id is the stream name.

Request payload

None.

Response

Stream configuration data.

Example request

CODE
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test

Example response

JSON
{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}

DELETE

Delete stream configurations by stream id.

Request parameters

Stream id (path segment) is the stream name.

Request payload

None.

Example request

CODE
curl -X DELETE -k \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  http://localhost:8000/en-US/custom/splunk_app_stream/streams/test

Example response

JSON
{"success": true, "deleted": "stream_id"}

PUT

Set stream mode to enable, disable, or stats only.

Request parameters

Name Type Description
enable Path segment Enable stream (/streams/{stream_id}/enable).
disable Path segment Disable stream (/streams/{stream_id}/disable).
statsOnly Path segment Enable collection of stream volume stats only.

The mode is appended as the final path segment after the stream id, as in the example below.

Request payload

None.

Example request

CODE
curl -X PUT -k \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  http://localhost:8000/en-US/custom/splunk_app_stream/streams/test/enable

Example response

JSON
{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": 
{"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": 
"event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes 
transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": 
"stream:http", "statsOnly": false, "index": null, "category": "Web"}

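A helper that drives the mode endpoint and then re-reads the stream, as an added example that is not Splunk's code. It is prompted by the response above, which echoes a configuration whose enabled field is still false after a PUT to /enable; a GET after the PUT is the reliable check. The headers argument is the dict from the authentication section, the base URL and stream id are placeholders, and the stream id is percent-encoded so that a name containing / or spaces cannot address a different path.

```python
"""Set a Splunk Stream stream's mode and confirm the change took.

Added example, not Splunk's code. `headers` is the session-cookie / CSRF header
dict from the authentication section; base URL and stream id are placeholders.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Dict

STREAM_API = "/en-US/custom/splunk_app_stream/streams"

# Which field of the returned configuration each mode must have set.
EXPECTED_FIELD = {
    "enable": ("enabled", True),
    "disable": ("enabled", False),
    "statsOnly": ("statsOnly", True),
}


def stream_url(base_url: str, stream_id: str, mode: str = "") -> str:
    """Build /streams/{stream_id}[/{mode}], percent-encoding the id so that a
    name containing '/' or spaces cannot change which path is addressed."""
    if mode and mode not in EXPECTED_FIELD:
        raise ValueError(f"unknown mode {mode!r}; use enable, disable or statsOnly")
    url = f"{base_url.rstrip('/')}{STREAM_API}/{urllib.parse.quote(stream_id, safe='')}"
    return f"{url}/{mode}" if mode else url


def mode_applied(config: Dict[str, Any], mode: str) -> bool:
    """True if a stream configuration reflects the requested mode."""
    field, want = EXPECTED_FIELD[mode]
    return config.get(field) is want


def set_stream_mode(base_url: str, headers: Dict[str, str], stream_id: str,
                    mode: str, opener=None) -> Dict[str, Any]:
    """PUT the mode, then re-read the stream and verify instead of trusting the echo."""
    opener = opener or urllib.request.build_opener()
    put = urllib.request.Request(stream_url(base_url, stream_id, mode),
                                 headers=headers, method="PUT")
    with opener.open(put) as resp:
        json.loads(resp.read())  # echoed configuration; not relied upon
    get = urllib.request.Request(stream_url(base_url, stream_id), headers=headers)
    with opener.open(get) as resp:
        current = json.loads(resp.read())
    if not mode_applied(current, mode):
        raise RuntimeError(f"stream {stream_id!r}: mode {mode} not reflected in {current}")
    return current


if __name__ == "__main__":
    # Placeholder header values; obtain real ones with the login steps above.
    hdrs = {
        "Cookie": "splunkd_8000=<splunkd_cookie>; splunkweb_csrf_token_8000=<csrf_token>",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "X-Splunk-Form-Key": "<csrf_token>",
    }
    print(set_stream_mode("http://localhost:8000", hdrs, "test", "enable"))
```

The verification checks only the field the mode name refers to (enabled for enable and disable, statsOnly for statsOnly), so it does not assume anything about how Stream sets the other field.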
/streams

POST

Update stream configuration.

Request parameters

None.

Request payload

JSON dictionary of stream configuration data.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -X POST -k \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  http://localhost:8000/en-US/custom/splunk_app_stream/streams \
  -d '{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}'

Example response

JSON
{"id": "test", "aggregated": false, "name": "test", "isReferenceStream": false, "protocolName": "HTTP", "filters": {"comparisons": [], "matchAllComparisons": true}, "extras": {"eventType": "http.event", "interval": 60}, "streamType": "event", "enabled": false, "fields": [{"name": "bytes", "aggType": "value", "desc": "The total number of bytes transferred", "term": "flow.bytes", "enabled": true}], "_key": "test", "createdBy": "admin", "app": "Stream", "sourcetype": "stream:http", "statsOnly": false, "index": null, "category": "Web"}

Stream forwarder groups

/streamforwardergroups/{forwarder_group_id}

Create, modify, and view DFM groups.

GET

Get stream forwarder group by group id.

Request parameters

Forwarder group id (path segment).

Request payload

None.

Response

Stream forwarder group configuration data.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/defaultgroup

Example response

JSON
{"_user": "nobody", "_key": "defaultgroup", "id": "defaultgroup", "rule": "", "streams": ["Splunk_SSLActivity", "Splunk_Tds", "dns", "rtp", 
"Splunk_MySql", "amqp", "xmpp", "Splunk_IP", "Splunk_Tns", "sflow", "Splunk_HTTPClient", "Splunk_DNSClientQueryTypes", "http", "ldap", 
"imap", "mapi", "smtp", "diameter", "Splunk_DNSServerErrors", "Splunk_HTTPResponseTime", "Splunk_Postgres", "Splunk_Tcp", "tds", 
"netflow", "arp", "Splunk_DNSRequestResponse", "ip", "Splunk_DNSClientErrors", "Splunk_DNSServerQuery", "nfs", "udp", "dhcp", "rtcp", 
"snmp", "Splunk_HTTPStatus", "icmp", "tns", "irc", "postgres", "Splunk_DNSServerResponse", "ftp", "smpp", "pop3", "Splunk_DNSIntegrity", 
"mysql", "Splunk_HTTPURI", "Splunk_Udp", "smb", "radius", "tcp", "sip", "ephem_2"], "description": "Used when there is no matching group 
found for a given stream forwarder ID", "includeEphemeralStreams": true, "modifiedBy": "admin", "hec": {"autoConfig": true}}

DELETE

Delete stream forwarder groups by group id.

Request parameters

Forwarder group id (path segment).

Request payload

None.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups/{forwarder_group_id} -X DELETE

Example response

JSON
{"id": "{forwarder_group_id}"}

POST

Create stream forwarder groups.

Request parameters

None.

Request payload

Stream forwarder group configuration data.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -X POST -k \
  -H "Cookie: splunkd_8000=PRlg_PB8THrM8tZYOebt6K6^ooApy73FJRvJgY2RliptRtPWTeEUuUmArMi9fia5Vpw2eP7HVsENKnw2rag6HhPqCDDJVT52YMjEA0GIM_4opmWNJkVrtsCnqJ8wOTWlVvmLIcC; splunkweb_csrf_token_8000=6914067146718907469" \
  -H "X-Splunk-Form-Key: 6914067146718907469" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  http://localhost:8000/en-US/custom/splunk_app_stream/streamforwardergroups \
  -d '{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}'

Example response

JSON
{"rule": "test", "streams": ["http"], "includeEphemeralStreams": true, "id": "test", "hec": {"autoConfig": true}, "modifiedBy": "admin", "description": "test"}

Capture IP address

Create and view a list of blocked and allowed IP addresses.

/captureipaddresses/{blacklist|whitelist}

GET

Get list of blocked and allowed IP addresses.

Request parameters

List type (path segment): blacklist for blocked addresses or whitelist for allowed addresses.

Request payload

None.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist

Example response

JSON
{"_user": "nobody", "_key": "whitelist", "ipAddresses": [], "id": "whitelist"}

PUT

Create list of blocked and allowed IP addresses.

Request parameters

None.

Request payload

JSON dictionary with an "ipAddresses" list of blocked or allowed IP addresses, for example {"ipAddresses": ["192.168.0.0"]}.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -X PUT -k \
  -H "Cookie: splunkd_8000=<splunkd_cookie>; splunkweb_csrf_token_8000=<csrf_token>" \
  -H "X-Splunk-Form-Key: <csrf_token>" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  https://localhost:8000/en-US/custom/splunk_app_stream/captureipaddresses/whitelist \
  -d '{"ipAddresses":["192.168.0.0"]}'

Example response

JSON
{"ipAddresses":["192.168.0.0"]}

Indexers

View list of available indexers.

/indexers

GET

Get list of valid indexers. The response includes the HTTP Event Collector (HEC) token and collector URLs that stream forwarders use to send data; the token authorizes writes to HEC, so treat this response as sensitive.

Request parameters

None.

Request payload

None.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/indexers

Example response

JSON
{"token": "978CE241-A655-4985-BCBE-F97163FF4DFC", "headerMeta": false, "collectors": ["https://dmillis-mbp15.splunk.local:8088"]}

HTTP inputs

View list of available HTTP inputs.

/httpinputs

GET

Get list of available HTTP inputs.

Request parameters

None.

Request payload

None.

Response Codes

Status Code Description
200 OK

Example request

CODE
curl -k https://localhost:8000/en-US/custom/splunk_app_stream/httpinputs

Example response

JSON
{
  "sslVersions": "*,-ssl2",
  "eai:userName": "admin",
  "disabled": false,
  "allowSslCompression": "true",
  "maxThreads": "0",
  "eai:acl": null,
  "useDeploymentServer": "0",
  "maxSockets": "0",
  "dedicatedIoThreads": "2",
  "allowSslRenegotiation": "true",
  "port": "8088",
  "host": "dmillis-mbp15.splunk.local",
  "eai:appName": "splunk_httpinput",
  "enableSSL": "1",
  "indexes": [],
  "tokens": [
    {
      "host": "dmillis-mbp15.splunk.local",
      "eai:appName": "splunk_httpinput",
      "disabled": false,
      "indexes": [],
      "eai:userName": "admin",
      "eai:acl": null,
      "index": "default",
      "token": "978CE241-A655-4985-BCBE-F97163FF4DFC",
      "_rcvbuf": 1572864,
      "name": "http://streamfwd"
    }
  ],
  "index": "default",
  "_rcvbuf": 1572864
}