Splunk website screenshot

Splunk

Splunk is a platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface.

13 APIs 8 Features
AnalyticsData AnalysisLoggingMachine DataMonitoringObservabilityPlatformSecuritySIEM

APIs

Splunk

API monitoring checks to see if API-connected resources are available, working properly and responding to calls.

Splunk Enterprise REST API

The Splunk Enterprise REST API provides programmatic access to the same information and functionality available to core system software and Splunk Web. It supports GET, POST, an...

Splunk Cloud Platform REST API

The Splunk Cloud Platform REST API provides a subset of the Splunk Enterprise REST API endpoints for managing and interacting with your Splunk Cloud Platform deployment. Access ...

Splunk Cloud Admin Config Service (ACS) API

The Admin Config Service (ACS) is a cloud-native API that provides programmatic self-service administration capabilities for Splunk Cloud Platform. Administrators can use the AC...

Splunk Cloud ACS OpenAPI Specification

The OpenAPI 3.0 specification for the Splunk Cloud Admin Config Service (ACS) API. It includes all parameters, response codes, and other metadata needed to send requests to the ...

Splunk Observability Cloud API

The Splunk Observability Cloud API provides REST endpoints for sending and managing metrics, traces, and events. It supports infrastructure monitoring, application performance m...

Splunk SOAR REST API

The Splunk SOAR REST API enables programmatic creation, updating, and management of security automation objects including containers, assets, playbooks, indicators, lists, and a...

Splunk Enterprise Security API

The Splunk Enterprise Security API provides REST endpoints for accessing and modifying findings, investigations, risk scores, assets, and identities in Splunk Enterprise Securit...

Splunk IT Service Intelligence (ITSI) REST API

The Splunk IT Service Intelligence (ITSI) REST API allows bulk creation and updating of ITOA interface objects such as entities, services, and KPI base searches. ITSI is a monit...

Splunk HTTP Event Collector (HEC) API

The Splunk HTTP Event Collector (HEC) is a high-performance REST API data input that accepts JSON or raw text data sent over HTTP or HTTPS. It uses token-based authentication an...

Splunk Intelligence Management API

The Splunk Intelligence Management (formerly ThreatStream) API provides REST v2.0 endpoints for managing threat intelligence data including indicators, observables, and intellig...

Splunk SOAR Playbook Automation API

The Splunk SOAR Playbook Automation API provides Python APIs for developing playbooks and automation within Splunk SOAR. It includes container, playbook, data access, vault, net...

Splunk AppInspect API

The Splunk AppInspect API validates Splunk apps and add-ons against Splunk best practices and requirements for publishing to Splunkbase or installing on Splunk Cloud Platform. I...

Collections

Arazzo Workflows

Splunk Finalize, Read, and Clean Up a Search Job

Dispatch a long search, finalize it early, read partial results, then delete the job.

ARAZZO

Splunk HEC Ingest an Event and Confirm Indexing

Provision a HEC token with acknowledgment, send a JSON event, and confirm it was indexed.

ARAZZO

Splunk Provision an Index and Attach a Monitor Input

Create an event index, verify it, then create a file monitor input that feeds it.

ARAZZO

Splunk Ingest Raw Data then Search for It

Send raw text to HEC, then run an SPL search and poll it to confirm the data landed.

ARAZZO

Splunk Run a Search Job and Retrieve Results

Dispatch an SPL search, poll the job until it finishes, then read the results.

ARAZZO

Splunk Search and Retrieve Raw Events

Run an SPL search, wait for it to finish, then pull the untransformed events.

ARAZZO

GraphQL

Splunk GraphQL Schema

Conceptual GraphQL schema for the Splunk platform, covering search, indexing, data inputs, access control, dashboards, saved searches, metrics, clustering, licensing, and diagno...

GRAPHQL

Pricing Plans

Splunk Plans Pricing

3 plans

PLANS

Rate Limits

Splunk Rate Limits

2 limits

RATE LIMITS

FinOps

Splunk Finops

FINOPS

Features

Splunk (now Cisco): hundreds of services across Observability + SIEM
Detailed pricing: see https://www.splunk.com/en_us/products/pricing.html
Service: Splunk Enterprise / Cloud (data ingest)
Service: Splunk Observability Cloud (APM, Logs, RUM, Synthetics)
Service: Splunk SOAR
Service: Splunk Enterprise Security (SIEM)
Service: Splunk ITSI
Service: Splunk SOC Platform

Use Cases

Security Information and Event Management

Centralize security event data for real-time threat detection, investigation, and compliance reporting.

IT Operations Monitoring

Monitor infrastructure health, application performance, and service availability across hybrid environments.

Log Management

Collect, index, and analyze log data from servers, applications, and network devices for troubleshooting.

Incident Response Automation

Automate security incident triage, enrichment, and response using SOAR playbooks and integrations.

Application Performance Monitoring

Trace application requests end-to-end to identify bottlenecks and optimize performance.

Compliance and Audit

Generate compliance reports and audit trails from indexed data to meet regulatory requirements.

Integrations

AWS

Ingest and analyze AWS CloudTrail, CloudWatch, VPC Flow Logs, and other AWS service data.

Azure

Collect and analyze Azure activity logs, metrics, and diagnostic data.

Google Cloud

Ingest Google Cloud audit logs, metrics, and Pub/Sub messages for cloud monitoring.

Kubernetes

Monitor Kubernetes clusters with metrics, logs, and events from containers and orchestration.

ServiceNow

Integrate Splunk alerts and incidents with ServiceNow ITSM for ticketing and workflow automation.

PagerDuty

Trigger PagerDuty incidents from Splunk alerts for on-call notification and escalation.

Cisco

Collect and analyze Cisco network device logs, firewall events, and security telemetry.

CrowdStrike

Ingest CrowdStrike Falcon endpoint detection data for correlated threat analysis.

Semantic Vocabularies

Splunk Context

0 classes · 15 properties

JSON-LD

Splunk Enterprise Rest Context

0 classes · 0 properties

JSON-LD

API Governance Rules

Splunk API Rules

7 rules · 7 errors

SPECTRAL

JSON Structure

Splunk Enterprise Rest Hec Event Structure

7 properties

JSON STRUCTURE

Splunk Enterprise Rest Hec Response Structure

4 properties

JSON STRUCTURE

Splunk Enterprise Rest Hec Token Structure

2 properties

JSON STRUCTURE

Splunk Enterprise Rest Index List Structure

3 properties

JSON STRUCTURE

Splunk Enterprise Rest Index Structure

2 properties

JSON STRUCTURE

Splunk Enterprise Rest Paging Structure

3 properties

JSON STRUCTURE

Splunk Enterprise Rest Search Job Structure

2 properties

JSON STRUCTURE

Splunk Enterprise Rest Tcp Input Structure

2 properties

JSON STRUCTURE

Splunk Enterprise Rest Udp Input Structure

2 properties

JSON STRUCTURE

Splunk Structure

0 properties

JSON STRUCTURE

Example Payloads

Splunk Createindex Example

6 fields

EXAMPLE

Splunk Getindex Example

6 fields

EXAMPLE

Splunk Getsearchjob Example

6 fields

EXAMPLE

Splunk Listindexes Example

6 fields

EXAMPLE

Splunk Listudpinputs Example

6 fields

EXAMPLE

Splunk Sendevent Example

6 fields

EXAMPLE

Splunk Sendrawevent Example

6 fields

EXAMPLE

Splunk Updateindex Example

6 fields

EXAMPLE

Visuals

View API subway map

Resources

🔗
PostmanWorkspace
PostmanWorkspace
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🌐
DeveloperPortal
DeveloperPortal
📰
Blog
Blog
💬
Support
Support
🟢
StatusPage
StatusPage
🔗
Community
Documentation
👥
GitHubOrganization
GitHubOrganization
🔗
Documentation
Documentation
🔗
Help Center
Documentation
🚀
GettingStarted
GettingStarted
🔗
Developer Tools
Documentation
🔗
Downloads
Documentation
🔗
Marketplace
Marketplace
💰
Pricing
Pricing
📝
Signup
Signup
📝
Developer License
Signup
📜
TermsOfService
TermsOfService
📜
General Terms
TermsOfService
📄
ChangeLog
ChangeLog
🔑
Authentication
Authentication
📦
Python SDK
SDKs
📦
Java SDK
SDKs
📦
JavaScript SDK
SDKs
📦
C# SDK
SDKs
📦
C# SDK Documentation
SDKs
📄
What's New
ChangeLog
📄
Release Notes
ChangeLog
🔗
Custom REST Endpoints
Documentation
🔑
Auth Tokens
Authentication
📜
PrivacyPolicy
PrivacyPolicy
🔗
Security
Security
👥
OpenTelemetry Collector
GitHubRepository
🔗
LinkedIn
LinkedIn
🔗
X
X
🔗
SpectralRules
SpectralRules
🔗
MCPServer
MCPServer

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Splunk Enterprise REST API
  version: 9.4.0
request:
  auth:
    type: bearer
    token: '{{bearerToken}}'
items:
- info:
    name: Search
    type: folder
  items:
  - info:
      name: List Search Jobs
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/search/jobs
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
      - name: search
        value: example_value
        type: query
        description: Filter search jobs by search string
      - name: sort_key
        value: example_value
        type: query
        description: Field to sort by
      - name: sort_dir
        value: asc
        type: query
        description: Sort direction
    docs: Returns a list of current search jobs for the authenticated user. Includes job status, progress, and metadata for
      each job.
  - info:
      name: Create a Search Job
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/search/jobs
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      body:
        type: form-urlencoded
        data: []
    docs: Creates a new search job. The search job runs asynchronously. Use the returned search ID (sid) to check job status
      and retrieve results. Searches use the Splunk Search Processing Language (SPL).
  - info:
      name: Get Search Job Details
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/search/jobs/:search_id
      params:
      - name: search_id
        value: ''
        type: path
        description: The search ID (sid) of the search job
      - name: output_mode
        value: ''
        type: query
        description: Response format
    docs: Returns detailed information about a specific search job including its status, progress, performance metrics, and
      configuration.
  - info:
      name: Delete a Search Job
      type: http
    http:
      method: DELETE
      url: https://{host}:{port}/services/search/jobs/:search_id
      params:
      - name: search_id
        value: ''
        type: path
        description: The search ID (sid) of the search job
    docs: Cancels and deletes the specified search job and its results.
  - info:
      name: Control a Search Job
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/search/jobs/:search_id/control
      params:
      - name: search_id
        value: ''
        type: path
        description: The search ID (sid) of the search job
      - name: output_mode
        value: ''
        type: query
        description: Response format
      body:
        type: form-urlencoded
        data:
        - name: action
          value: ''
        - name: ttl
          value: ''
        - name: priority
          value: ''
    docs: Execute a control action on a search job such as pause, unpause, finalize, cancel, or touch (extend the job lifetime).
  - info:
      name: Get Search Results
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/search/jobs/:search_id/results
      params:
      - name: search_id
        value: ''
        type: path
        description: The search ID (sid) of the search job
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
      - name: search
        value: example_value
        type: query
        description: Post-processing search string to filter results
      - name: field_list
        value: example_value
        type: query
        description: Comma-separated list of fields to return
    docs: Returns the results of a completed search job. Results are available only after the search job has finished. Use
      the count and offset parameters for pagination.
  - info:
      name: Get Search Events
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/search/jobs/:search_id/events
      params:
      - name: search_id
        value: ''
        type: path
        description: The search ID (sid) of the search job
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
      - name: earliest_time
        value: example_value
        type: query
        description: Earliest time boundary for events
      - name: latest_time
        value: example_value
        type: query
        description: Latest time boundary for events
      - name: search
        value: example_value
        type: query
        description: Post-processing search to filter events
      - name: field_list
        value: example_value
        type: query
        description: Comma-separated list of fields to return
      - name: truncation_mode
        value: abstract
        type: query
        description: How to truncate long lines
      - name: max_lines
        value: '10'
        type: query
        description: Maximum number of lines per event
    docs: Returns the untransformed events of a search job. Unlike results, events return the raw data before any transforming
      commands are applied. Available for searches that include non-transforming commands.
  - info:
      name: Export Search Results
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/search/jobs/export
      params:
      - name: search
        value: example_value
        type: query
        description: The SPL search query to execute
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: earliest_time
        value: example_value
        type: query
        description: Earliest time for the search
      - name: latest_time
        value: example_value
        type: query
        description: Latest time for the search
      - name: auto_cancel
        value: '10'
        type: query
        description: Seconds of inactivity after which the search is cancelled
      - name: enable_lookups
        value: 'true'
        type: query
        description: Whether to enable lookups during the search
    docs: Runs a search and streams results back as they become available, rather than waiting for the search to complete.
      This is a streaming endpoint suitable for long-running searches or real-time searches. The search runs synchronously
      and results stream back in the response.
- info:
    name: Index
    type: folder
  items:
  - info:
      name: List Indexes
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/indexes
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
      - name: search
        value: example_value
        type: query
        description: Filter indexes by name or properties
      - name: sort_key
        value: example_value
        type: query
        description: Field to sort by
      - name: sort_dir
        value: asc
        type: query
        description: Sort direction
      - name: datatype
        value: all
        type: query
        description: Filter by data type
    docs: Returns a list of all indexes accessible to the authenticated user. Includes index configuration, storage paths,
      and data retention settings.
  - info:
      name: Create a New Index
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/data/indexes
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      body:
        type: form-urlencoded
        data: []
    docs: Creates a new index with the specified configuration. The index name must be unique and conform to Splunk naming
      conventions.
  - info:
      name: Get Index Details
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/indexes/:name
      params:
      - name: name
        value: ''
        type: path
        description: The name of the index
      - name: output_mode
        value: ''
        type: query
        description: Response format
    docs: Returns detailed configuration and status information for a specific index including storage paths, retention settings,
      and current size.
  - info:
      name: Update Index Configuration
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/data/indexes/:name
      params:
      - name: name
        value: ''
        type: path
        description: The name of the index
      - name: output_mode
        value: ''
        type: query
        description: Response format
      body:
        type: form-urlencoded
        data: []
    docs: Updates the configuration of an existing index. Not all index properties can be modified after creation.
  - info:
      name: Delete an Index
      type: http
    http:
      method: DELETE
      url: https://{host}:{port}/services/data/indexes/:name
      params:
      - name: name
        value: ''
        type: path
        description: The name of the index
    docs: Marks an index for deletion. The index data is removed according to the configured retention policy. Requires the
      admin role.
- info:
    name: Data Inputs
    type: folder
  items:
  - info:
      name: List File and Directory Monitor Inputs
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/inputs/monitor
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
      - name: search
        value: example_value
        type: query
        description: Filter inputs by search string
    docs: Returns a list of file and directory monitoring inputs. Monitor inputs continuously watch files and directories
      for new data.
  - info:
      name: Create a File or Directory Monitor Input
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/data/inputs/monitor
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      body:
        type: form-urlencoded
        data: []
    docs: Creates a new file or directory monitoring input. The specified path will be monitored for new data and ingested
      into the specified index.
  - info:
      name: Get Monitor Input Details
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/inputs/monitor/:name
      params:
      - name: name
        value: Example Title
        type: path
        description: The name (path) of the monitor input
      - name: output_mode
        value: ''
        type: query
        description: Response format
    docs: Returns configuration details for a specific file or directory monitoring input.
  - info:
      name: Update a Monitor Input
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/data/inputs/monitor/:name
      params:
      - name: name
        value: Example Title
        type: path
        description: The name (path) of the monitor input
      - name: output_mode
        value: ''
        type: query
        description: Response format
      body:
        type: form-urlencoded
        data: []
    docs: Updates the configuration of an existing monitor input.
  - info:
      name: Delete a Monitor Input
      type: http
    http:
      method: DELETE
      url: https://{host}:{port}/services/data/inputs/monitor/:name
      params:
      - name: name
        value: Example Title
        type: path
        description: The name (path) of the monitor input
    docs: Deletes the specified monitor input. Splunk stops monitoring the associated file or directory.
  - info:
      name: List Cooked Tcp Inputs
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/inputs/tcp/cooked
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
    docs: Returns a list of TCP cooked data inputs. Cooked TCP inputs receive data from Splunk forwarders.
  - info:
      name: List Raw Tcp Inputs
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/inputs/tcp/raw
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
    docs: Returns a list of raw TCP data inputs. Raw TCP inputs receive data directly over a TCP port without Splunk protocol
      framing.
  - info:
      name: List Udp Inputs
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/inputs/udp
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
    docs: Returns a list of UDP data inputs. UDP inputs receive data over a UDP port.
  - info:
      name: List Http Event Collector Tokens
      type: http
    http:
      method: GET
      url: https://{host}:{port}/services/data/inputs/http
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      - name: count
        value: ''
        type: query
        description: Maximum number of items to return. A value of 0 returns all items.
      - name: offset
        value: ''
        type: query
        description: Index of the first item to return. Used with count for pagination.
    docs: Returns a list of HTTP Event Collector (HEC) tokens configured on the Splunk instance. Each token defines an input
      channel for receiving data over HTTP/HTTPS.
  - info:
      name: Create an Http Event Collector Token
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/data/inputs/http
      params:
      - name: output_mode
        value: ''
        type: query
        description: Response format
      body:
        type: form-urlencoded
        data: []
    docs: Creates a new HTTP Event Collector (HEC) token for data ingestion over HTTP/HTTPS.
  - info:
      name: Send Events via Http Event Collector
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/collector/event
      body:
        type: json
        data: '{}'
      auth:
        type: apikey
        key: Authorization
        value: '{{Authorization}}'
        placement: header
    docs: Sends one or more events to Splunk via HTTP Event Collector. Events are submitted as JSON objects. Multiple events
      can be sent in a single request by concatenating JSON objects.
  - info:
      name: Send Raw Data via Http Event Collector
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/collector/raw
      params:
      - name: channel
        value: example_value
        type: query
        description: Channel identifier (GUID) for event ordering. Required if indexer acknowledgment is enabled.
      - name: sourcetype
        value: example_value
        type: query
        description: Override the sourcetype for the event data
      - name: source
        value: example_value
        type: query
        description: Override the source for the event data
      - name: host
        value: example_value
        type: query
        description: Override the host for the event data
      - name: index
        value: example_value
        type: query
        description: Override the destination index for the event data
      auth:
        type: apikey
        key: Authorization
        value: '{{Authorization}}'
        placement: header
    docs: Sends raw event data to Splunk via HTTP Event Collector. The raw data is ingested as-is without requiring JSON formatting.
      Useful for log file data and other unstructured text.
  - info:
      name: Check Indexer Acknowledgment Status
      type: http
    http:
      method: POST
      url: https://{host}:{port}/services/collector/ack
      body:
        type: json
        data: '{}'
      auth:
        type: apikey
        key: Authorization
        value: '{{Authorization}}'
        placement: header
    docs: Queries the indexer acknowledgment status for events sent via HTTP Event Collector. Returns whether events with
      specified ack IDs have been indexed.
bundled: true