Admin Config Service (ACS) API endpoint reference

Use the ACS API endpoint reference to learn about the endpoints and operations that provide programmatic self-service administration for Splunk Cloud Platform.

Note: You must have the sc_admin (Splunk Cloud Platform Administrator) role to use the ACS API.

For more information on ACS API requirements, see ACS requirements and compatibility matrix.

For information on ACS API setup and usage, see Basic setup and usage concepts for the ACS API.

ACS endpoint categories

ACS API endpoints are grouped into the following categories based on feature use case:

Feature | Endpoints
Configure IP allow lists | access/{feature}/ipallowlists
Configure outbound ports | access/outbound-ports, access/outbound-ports/{port}
Enable private connectivity | private-connectivity/eligibility, private-connectivity/endpoints
Export apps | apps/victoria/download/{app_id}
Manage app permissions | permissions/apps, permissions/apps/{app-name}
Manage authentication tokens | tokens, tokens/{tokenID}
Manage DDSS self storage locations | cloud-resources/self-storage-locations/buckets, cloud-resources/self-storage-locations/buckets/{bucketPath}, cloud-resources/self-storage-locations/configs/prefix, cloud-resources/self-storage-locations/buckets/{bucketName}/policy, cloud-resources/self-storage-locations/configs/service-accounts
Manage HTTP Event Collector (HEC) tokens | inputs/http-event-collectors, inputs/http-event-collectors/{hec-token-name}
Manage indexes | indexes, indexes/{name}
Manage limits.conf configurations | limits, limits/{stanza}, limits/{stanza}/{setting}, limits/{stanza}/{reset}
Manage maintenance windows | maintenance-windows/preferences, maintenance-windows/schedules, maintenance-windows/schedules/{scheduleID}, maintenance-windows/schedules/{scheduleID}/audits
Manage private apps and Splunkbase apps (Victoria Experience) | apps/victoria, apps/victoria/{app_name}
Manage private apps and Splunkbase apps (Classic Experience) | apps, apps/{app_name}
Manage Python version | python-runtime
Manage restarts | restart-now, restart/status
Provision Enterprise Managed Encryption Keys (EMEK) | emek/waiver, emek/key-policy, emek/key
Retry failed operations | deployment/status, deployment/retry, deployment/status/{deploymentID}
Unified Identity for Splunk Observability Cloud | observability/sso-pairing, observability/sso-pairing/{pairing-id}

Authentication and authorization

The ACS API requires a JSON Web Token (JWT) for authentication. You can create this token in the Splunk Cloud Platform UI or using the ACS API. For more information, see Create an authentication token.

In addition, a user's role must contain the capabilities required to access the ACS API endpoint. The sc_admin role has all required capabilities by default. For more information on using Splunk Cloud Platform role-based access controls with ACS, see Manage ACS API access with capabilities.

Configure IP allowlists

The ACS API provides the following endpoints to configure IP allowlists. For more information on how to configure IP allowlists using the ACS API, see Configure IP allowlists for Splunk Cloud Platform.

access/{feature}/ipallowlists

https://admin.splunk.com/{stack}/adminconfig/v2/access/{feature}/ipallowlists

List, update, and delete IP allow lists.

GET

List subnets on the existing IP allow list for a feature.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
feature | String | The IP allow list feature type.

Returned values

Name | Type | Description
subnets | String | The IP subnets currently listed on the IP allow list for a given feature.

Example request and response

JSON Request

curl https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists

JSON Response

{
  "subnets": [
     ": #.0.0.0/24",
     ": #.0.0.0/24",
     ": #.0.10.6/32"
  ]
}

POST

Add subnets to the IP allow list for a feature.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
feature | String | The IP allow list feature type.
subnets | String | List of subnets to add to IP allow list

Returned values

None

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

JSON Response

{
"code": "200"
}

DELETE

Delete subnets from the IP allow list for a feature

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
feature | String | The IP allow list feature type.
subnets | String | List of subnets to delete from IP allow list

Returned values

None

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2Vj...' \
--header 'Content-Type: application/json' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

JSON Response

{
"code": "200"
}
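
The GET, POST and DELETE operations above are typically combined to bring an allow list to a reviewed target state. The following added example (not part of the Splunk documentation) computes the POST and DELETE request bodies from a current and a desired subnet list. The function names, the prefix-length floors and the sample subnets are assumptions constructed for illustration.

```python
import ipaddress


def _parse(subnets):
    """Strictly parse CIDR strings; entries with host bits set
    (for example 192.0.2.5/24) raise ValueError instead of being rounded."""
    return {ipaddress.ip_network(s.strip(), strict=True) for s in subnets}


def _order(net):
    # Sort IPv4 before IPv6, then by network, so the output is stable.
    return (net.version, net)


def _body(nets):
    """Build the {"subnets": [...]} body used by the POST and DELETE calls."""
    return {"subnets": [str(n) for n in sorted(nets, key=_order)]}


def plan_allowlist_change(current, desired, min_prefix_v4=16, min_prefix_v6=32):
    """Compare the GET result (current) with the reviewed target (desired).

    Returns the body to POST (subnets to add), the body to DELETE (subnets
    to remove) and the desired entries already covered by a broader desired
    entry. The prefix floors are an assumed local policy, not an ACS rule.
    """
    cur, want = _parse(current), _parse(desired)

    for net in want:
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            raise ValueError(f"{net} is broader than the /{floor} policy floor")

    redundant = {
        a for a in want for b in want
        if a != b and a.version == b.version and a.subnet_of(b)
    }
    return {
        "post": _body(want - cur),
        "delete": _body(cur - want),
        "redundant": [str(n) for n in sorted(redundant, key=_order)],
    }


# Constructed sample input (documentation address ranges).
CURRENT = ["192.0.2.0/24", "198.51.100.7/32"]
DESIRED = ["192.0.2.0/24", "203.0.113.0/24", "203.0.113.16/28"]

if __name__ == "__main__":
    import json
    print(json.dumps(plan_allowlist_change(CURRENT, DESIRED), indent=2))
```

Sending the POST body before the DELETE body keeps existing sources allowed while the list is being changed.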

Configure outbound ports

access/outbound-ports

https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports

List and create outbound ports.

GET

List existing outbound ports.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
name | String | The outbound port name.
port | Number | The outbound port number.
destinationRanges | String | The allowed destination IP subnets for the outbound port.
reason | String | The purpose for the outbound port.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/access/outbound-ports' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

[
   {
       "destinationRanges": [
           "34.226.34.80/32",
           "54.226.34.80/32"
       ],
       "name": "8089",
       "port": 8089
   },
   {
       "destinationRanges": [
           "4.16.171.10/32"
       ],
       "name": "8590",
       "port": 8590
   }
]

POST

Create an outbound port.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
outboundPorts | String | The outbound port number and destination subnets.
port | Number | The outbound port number.
subnets | String | The allowed destination subnets for the outbound port.
reason | String | The purpose of the outbound port.

Returned values

Name | Type | Description
outboundPorts | String | The outbound port number and destination subnets.
port | Number | The outbound port number.
subnets | String | The allowed destination subnets for the outbound port.
reason | String | The purpose of the outbound port.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/access/outbound-ports' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'  \
--data-raw '{
   "outboundPorts": [{"subnets": ["34.226.34.80/32", "54.226.34.80/32"], "port": 8089}],
   "reason": "testing federated search connection"
}'

Note: You can only specify one unique port per outbound port request.

JSON Response

{
   "outboundPorts": [
       {
           "port": 8089,
           "subnets": [
               "34.226.34.80/32",
               "54.226.34.80/32"
           ]
       }
   ],
   "reason": "testing federated search connection"
}

access/outbound-ports/{port}

https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports/{port}

Describe and delete outbound ports.

GET

Describe an outbound port.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
port | Number | The outbound port number.

Returned values

Name | Type | Description
destinationRanges | String | The allowed destination IP subnets for the outbound port.
name | String | The outbound port name.
port | Number | The outbound port number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports/8089' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "destinationRanges": [
       "34.226.34.80/32",
       "54.226.34.80/32"
   ],
   "name": "8089",
   "port": 8089
}

DELETE

Delete an outbound port.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
subnets | String | The allowed destination IP subnets for the outbound port.

Returned values

Name | Type | Description
subnets | String | The deleted destination IP subnets for the outbound port.

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/access/outbound-ports/8089' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--header 'Content-Type: application/json' \
--data-raw '{
"subnets": ["54.203.114.197/32", "34.226.34.80/32"]
}'

JSON Response

{
   "subnets": [
       "54.203.114.197/32",
       "34.226.34.80/32"
   ]
}

Export apps

apps/victoria/export/download/{app_id}

https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/export/download/{app_id}

Export an individual app.

GET

Export data from app/default, app/local, and user/app directories.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
app_id | String | App ID of the app to export.
default | Boolean | (Optional) Export the default configs for the app from etc/apps/<app_id>/default/*. Default: true.
local | Boolean | (Optional) Export the local configs for the app under etc/apps/<app_id>/local/*. Default: true.
users | Boolean | (Optional) Export the configs and data under etc/users/*/<app_id>/*. Default: true.
confs_only | Boolean | (Optional) Export only the configs as per request parameters and don't export any app data. Default: false.

Returned values

None

CAUTION: A "503: App export feature is temporarily unavailable" error message indicates that the endpoint has been temporarily disabled due to a known issue that can cause credential information to be overwritten.

Example request and response

JSON Request

curl -X GET 'https://admin.splunk.com/sh-i-xxx.test-export/adminconfig/v2/apps/victoria/export/download/search?local=true&default=false&users=true' \
--header 'Authorization: Bearer eyJraWQiOiJz...' \
--output search.tar.gz

JSON Response

{
   search.tar.tgz
}

Manage app permissions

permissions/apps

https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps

List app permissions.

GET

List read and write permissions assigned to roles for all apps.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
count | Number | Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset | Number | Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.

Returned values

Name | Type | Description
name | String | The app name.
read | String | List of roles with app read permission.
write | String | List of roles with app write permission.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps?count={{count}}&offset={{offset}}' \
--header 'Authorization: Bearer eyJraWQi0iJzcGX1...'

JSON Response

{
    "apps": [
        {
            "name": "app1",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "*"
                ]
            }
        },
        {
            "name": "app2",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "admin"
                ]
            }
        },
        {
            "name": "app3",
            "perms": {
                "read": [
                    "*"
                ],
                "write": [
                    "admin"
                ]
            }
        }
    ]
}
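
A review of the permissions/apps listing for apps that unintended roles can modify, as an added example that is not part of the Splunk documentation. `fetch_page` is a hypothetical stand-in for the GET request with its count and offset parameters, and the approved writer set is an assumption. The sample data is the response shown above plus one constructed entry.

```python
MAX_COUNT = 100  # the reference gives 100 as the maximum value for count


def iter_apps(fetch_page, count=MAX_COUNT):
    """Yield every app entry, paging with count/offset until a short page.

    count=0 ("list all items") is deliberately not used, so each request
    stays bounded.
    """
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("count must be between 1 and 100")
    offset = 0
    while True:
        apps = fetch_page(count=count, offset=offset).get("apps", [])
        yield from apps
        if len(apps) < count:
            return  # a short (or empty) page is the last page
        offset += count


def risky_write_access(apps, approved_writers=frozenset({"admin", "sc_admin"})):
    """Map app name -> roles holding write permission outside the approved set.

    The wildcard "*" grants write to every role and is always reported.
    """
    findings = {}
    for app in apps:
        writers = app.get("perms", {}).get("write", [])
        extra = sorted(r for r in writers if r == "*" or r not in approved_writers)
        if extra:
            findings[app["name"]] = extra
    return findings


# app1..app3 are the entries from the response above; app4 is constructed.
SAMPLE_APPS = [
    {"name": "app1", "perms": {"read": ["*"], "write": ["*"]}},
    {"name": "app2", "perms": {"read": ["*"], "write": ["admin"]}},
    {"name": "app3", "perms": {"read": ["*"], "write": ["admin"]}},
    {"name": "app4", "perms": {"read": ["admin"], "write": ["admin", "power"]}},
]


def fake_fetch_page(count, offset):
    """Offline replacement for the HTTP call; slices the sample like the API pages."""
    return {"apps": SAMPLE_APPS[offset:offset + count]}


def demo():
    # count=2 forces three requests: two full pages and one empty page.
    return risky_write_access(iter_apps(fake_fetch_page, count=2))


if __name__ == "__main__":
    print(demo())
```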

permissions/apps/{app-name}

https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps/{app-name}

View and configure read and write permissions for individual apps.

GET

View read and write permissions assigned to roles for an individual app.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
app-name | String | The app name.

Returned values

Name | Type | Description
name | String | The app name.
read | String | List of roles assigned app read permission.
write | String | List of roles assigned app write permission.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps/{app-name}' \
--header 'Authorization: Bearer eyJraWQi0iJzcGX1...'

JSON Response

{
    "name": "APP-NAME",
    "perms": {
        "read": [
            "admin",
            "power"
        ],
        "write": [
            "admin"
        ]
    }
}

PATCH

Assign read and write permissions to roles for an individual app.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
app-name | String | The app name.
read | String | List of roles to assign app read permission.
write | String | List of roles to assign app write permission.

Returned values

Name | Type | Description
name | String | The app name.
read | String | Updated list of roles assigned app read permission.
write | String | Updated list of roles assigned app write permission.

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/{stack}/adminconfig/v2/permissions/apps/{app_name}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{token}}' \
--data '{
    "read": ["admin", "power"],
    "write": ["admin"]
}'

JSON Response

{
    "name": "acs_test_app_1",
    "perms": {
        "read": [
            "admin",
            "power"
        ],
        "write": [
            "admin"
        ]
    }
}

Manage DDSS storage locations

cloud-resources/self-storage-locations/buckets

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets

List self storage locations.

GET

List existing self storage locations.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
bucketName | String | The self storage bucket name in AWS or GCP.
bucketPath | String | A unique identifier combining bucketName and folder.
title | String | The title of the self storage location in Splunk Cloud Platform.
description | String | A description of the self storage location.
folder | String | The self storage bucket folder.
uri | String | The URI of the self storage location in AWS or GCP.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "selfStorageLocations": [
        {
            "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
            "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/dup-title-ui",
            "description": "Test dupilcate title from UI",
            "folder": "dup-title-ui",
            "title": "test-bucket-1-with-message",
            "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/dup-title-ui"
        },
        {
            "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
            "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder",
            "description": "Test",
            "folder": "some-folder",
            "title": "test-bucket-1-with-message",
            "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder"
        },
        {
            "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
            "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message",
            "description": "Test configuring ddss with ACS and show async message",
            "folder": "with-message",
            "title": "test-bucket-1-with-message",
            "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message"
        }
    ]
}

POST

Configure self storage locations in AWS or GCP.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
bucketName | String | The self storage bucket name in AWS or GCP.
title | String | The title of the self storage location in Splunk Cloud Platform.
description | String | (Optional) A description of the self storage location.
folder | String | (Optional) The self storage bucket folder.

Returned values

Name | Type | Description
bucketName | String | The self storage bucket name in AWS or GCP.
bucketPath | String | A unique identifier combining bucketName and folder.
title | String | The title of the self storage location in Splunk Cloud Platform.
description | String | A description of the self storage location.
folder | String | The self storage bucket folder.
uri | String | The URI of the self storage location in AWS or GCP.

Example request and response

JSON Request

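curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--header 'Content-Type: application/json' \
--data '{"bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1", "folder": "with-message", "title": "test-bucket-1-with-message", "description": "Test configuring ddss with ACS and show async message"}'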

JSON Response

For AWS S3:

{
    "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
    "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message",
    "description": "Test configuring ddss with ACS and show async message",
    "folder": "with-message",
    "title": "test-bucket-1-with-message",
    "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/with-message"
}

For GCP GCS:

{
    "bucketName": "indexes-acs-gcp-ic1l-bucket",
    "bucketPath": "indexes-acs-gcp-ic1l-bucket/untitled-folder",
    "description": "Test configuring ddss with ACS on GCP Stack",
    "folder": "untitled-folder",
    "title": "test-bucket-for-gcp",
    "uri": "gs://indexes-acs-gcp-ic1l-bucket/untitled-folder"
}

cloud-resources/self-storage-locations/buckets/{bucketPath}

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/{bucketPath}

Describe self storage locations.

GET

Describe a self storage location.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
bucketPath | String | A unique identifier combining bucketName and folder. Must be URL encoded. For example, acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder must be passed as acs-play-noah-aws-iycf10l9z5nl-bucket-1%2Fsome-folder.

Returned values

Name | Type | Description
bucketName | String | The self storage bucket name in AWS or GCP.
bucketPath | String | A unique identifier combining bucketName and folder.
title | String | The title of the self storage location in Splunk Cloud Platform.
description | String | A description of the self storage location.
folder | String | The self storage bucket folder.
uri | String | The URI of the self storage location in AWS or GCP.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/acs-play-noah-aws-iycf10l9z5nl-bucket-1%2Fsome-folder' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

For AWS deployments:

{
    "bucketName": "acs-play-noah-aws-iycf10l9z5nl-bucket-1",
    "bucketPath": "acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder",
    "description": "Test",
    "folder": "some-folder",
    "title": "test-bucket-1-with-message",
    "uri": "s3://acs-play-noah-aws-iycf10l9z5nl-bucket-1/some-folder"
}

For GCP deployments:

{
    "bucketName": "acs-play-noah-gcp-ic1l-bucket",
    "bucketPath": "acs-play-noah-gcp-ic1l-bucket/some-folder",
    "description": "Test",
    "folder": "some-folder",
    "title": "test-bucket-with-message",
    "uri": "gs://acs-play-noah-gcp-ic1l-bucket/some-folder"
}

cloud-resources/self-storage-locations/configs/prefix

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/prefix

Get prefix to configure a bucket.

GET

Get prefix to configure a bucket.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
message | String | Bucket prefix syntax reminder.
prefix | String | The predefined bucket name prefix provided by Splunk Cloud Platform.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/prefix' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "message": "Please create a bucket in the same region as your Splunk Cloud environment. The bucket must have 'acs-play-noah-aws-iycf10l9z5nl-' as the prefix in the name",
    "prefix": "acs-play-noah-aws-iycf10l9z5nl-"
}

cloud-resources/self-storage-locations/buckets/{bucketName}/policy

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/{bucketName}/policy

Get IAM policy for AWS S3 bucket.

GET

Get IAM policy for AWS S3 bucket.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
bucketName | String | The name of the AWS S3 bucket.

Returned values

Name | Type | Description
message | String | Reminder that you must apply the IAM policy to your S3 bucket in AWS.
policy | String | The IAM policy for the specified AWS S3 bucket.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/buckets/{bucketName}/policy' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "message": "Please copy and apply this bucket policy to your S3 bucket in AWS. Please refer to https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage for more info.",
    "policy": {
        "Statement": [
            {
                "Action": [
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::594195655983:role/acs-play-noah-aws"
                },
                "Resource": [
                    "arn:aws:s3:::acs-play-noah-aws-iycf10l9z5nl-some-bucket",
                    "arn:aws:s3:::acs-play-noah-aws-iycf10l9z5nl-some-bucket/*"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
}

cloud-resources/self-storage-locations/configs/service-accounts

https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/service-accounts

Get service accounts for GCP GCS bucket.

GET

Get service accounts for GCP GCS bucket.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
message | String | Reminder that you must configure proper permissions for GCP service accounts.
serviceAccounts | String | The two service accounts associated with your Splunk Cloud Platform deployment in GCP.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/cloud-resources/self-storage-locations/configs/service-accounts' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
    "message": "Please configure proper permissions for the GCP service accounts. Please refer to https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage for more info.",
    "serviceAccounts": {
        "clusterMaster": "indexes-acs-gcp-c0m1@indexes-acs-gcp-cdf8.iam.gserviceaccount.com",
        "indexer": "indexes-acs-gcp-idx@indexes-acs-gcp-cdf8.iam.gserviceaccount.com"
    }
}

Manage authentication tokens

tokens

https://admin.splunk.com/{stack}/adminconfig/v2/tokens

View and create JWT authentication tokens.

GET

View existing JWT tokens.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
count | Number | Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset | Number | Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.
username | String | Specifies user whose tokens will be listed.
status | String | Specifies whether to return "enabled" or "disabled" tokens. Must be either "enabled" or "disabled".

Returned values

Name | Type | Description
user | String | The name of the token user.
audience | String | The purpose of the token.
id | String | The token ID.
status | String | The status of token authentication.
expiresOn | String | The time the token will expire. Time is UTC.
notBefore | String | The time you can start to use the token. Default is now. Time is UTC.
lastUsed | String | The time the token was last used. Time is UTC.
lastUsedIP | String | The IP address of the instance on which the token was last used.

Example request and response

JSON Request

curl -X GET 'https://admin.splunk.com/{stack}/adminconfig/v2/tokens/' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi...'

JSON Response

[
     {
          "id": "d9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e809364a8",
          "user": "admin",
          "audience": "acs-test",
          "status": "enabled",
          "expiresOn": "2021-11-19T00:34:46Z",
          "notBefore": "2021-10-20T00:34:46Z",
          "lastUsed": "2021-10-20T03:52:53Z",
          "lastUsedIP": "50.216.96.2"
     },
     {
          "id": "a9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e80936984",
          "user": "admin",
          "audience": "acs-test2",
          "status": "enabled",
          "expiresOn": "2022-05-19T00:34:46Z",
          "notBefore": "2022-04-20T00:34:46Z",
          "lastUsed": "2022-04-24T03:52:53Z",
          "lastUsedIP": "45.216.96.2"
     }
]

POST

Create a new token.

Request parameters

Name | Type | Description
username | String | The login username for the Splunk Cloud Platform instance.
password | String | The login password for the Splunk Cloud Platform instance.
user | String | The name of the token user. Must be an existing user.
audience | String | The purpose of the token.
type | String | Accepts values of "ephemeral" or "static". A value of "ephemeral" creates a token with default expiresOn value of 6 hours. A value of "static" means there is no effect on the existing expiresOn value, which defaults to +30d.
expiresOn | String | The amount of time until the token expires. You can specify this value in relative time (+<number>[s][m][h][d]) or absolute time (YYYY-MM-DDTHH:MM:SS[+HH:MM]). Default is +30d. Time is UTC.

Returned values

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
user | String | The name of the token user.
audience | String | The purpose of the token.
id | String | The token ID.
status | String | The status of token authentication.
expiresOn | String | The time the token will expire. Time is UTC.
notBefore | String | The time you can start to use the token. Default is now. Time is UTC.

Example request and response

JSON Request

curl -u username:password -X POST 'https://admin.splunk.com/keziabutterfinger/adminconfig/v2/tokens' \
--header 'Content-Type: application/json' \
--data-raw '{
  "user" : "admin",
  "audience" : "acs-test",
  "expiresOn" : "+100d"
}'

JSON Response

{
   "user": "admin",
   "audience": "acs-test",
   "id": "0c1daac93fd01bc50cfe8ed938ce401bc168a8730c1c9e2f343671541e759fbf",
   "token": "eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc3MiOiJhZG1pbiBmcm9tIHNoLWktMGJlMzJiYTM1YjY4MDlhMDEiLCJzdWIiOiJhZG1pbiIsImF1ZCI6Imtlei10ZXN0IiwiaWRwIjoiU3BsdW5rIiwianRpIjoiMzA0YmEzYWQxOWMwOWRhYmYxYzljY2YzYTcxMTM3NTQ1NmFiODM0ZDljMjBjN2E3MzYzNWUyYWMxNmQ5OWFiMSIsImlhdCI6MTYzNDA2NjAzMSwiZXhwIjoxNjM2NjU4MDMxLCJuYnIiOjE2MzQwNjYwMzF9.Cml1yQMXgo18dauOuORTc4vTxm1tWuXOL6sBj0TEV1lwOIqo5sCBKv_B45Jjb34XkK-TJQgdYqcOoV0un-ARDQ",
   "status": "enabled",
   "expiresOn": "2021-12-16T21:37:11Z",
   "notBefore": "2021-11-16T21:37:11Z"
}

tokens/{id}

https://admin.splunk.com/{stack}/adminconfig/v2/access/tokens/{id}

View and delete individual tokens.

GET

View a token.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
id | String | The token ID.

Returned values

Name | Type | Description
user | String | The name of the token user.
audience | String | The purpose of the token.
id | String | The token ID.
status | String | The status of token authentication.
expiresOn | String | The time the token will expire. Time is UTC.
notBefore | String | The time you can start to use the token. Default is now. Time is UTC.
lastUsed | String | The time the token was last used. Time is UTC.
lastUsedIP | String | The IP address of the instance on which the token was last used.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/tokens/55ee3d1c199645c330d28dcd9fa50bc6e9f74154c3d1c3d31229b6e78be77ed7' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "id": "d9637736177efc773ec8c5c04efcc2e19859cd852af00689ef81bf9e809364a8",
   "user": "admin",
   "audience": "acs-test",
   "status": "enabled",
   "expiresOn": "2021-11-19T00:34:46Z",
   "notBefore": "2021-10-20T00:34:46Z",
   "lastUsed": "2021-10-20T03:52:53Z",
   "lastUsedIP": "50.216.96.2"
}

DELETE

Delete a token.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
id | String | The token ID.

Returned values

None

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/tokens/55ee3d1c199645c330d28dcd9fa50bc6e9f74154c3d1c3d31229b6e78be77ed7' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
"code": "200"
}

Manage HTTP Event Collector (HEC) tokens

The ACS API provides the following endpoints to manage HEC tokens. For more information on how to manage HEC tokens using the ACS API, see Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform.

Note: ACS endpoints for HEC token management apply to deployments on Victoria Experience only. See Determine your Splunk Cloud Platform Experience.

inputs/http-event-collectors

https://admin.splunk.com/{stack}/adminconfig/v2/inputs/http-event-collectors

List and create HEC tokens.

GET

List existing HEC tokens.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
count | Number | Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset | Number | Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.

Returned values

Name | Type | Description
name | String | The HEC token name. This is the token ID, not the actual token value.
disabled | Boolean | The enabled/disabled status of the HEC token.
defaultindex | String | Default index to store generated events.
useACK | Boolean | (Optional) Enable/disable (true/false) indexer acknowledgement.
token | String | The full token value.

Example request and response

JSON Request

curl https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors

JSON Response

{
   "http-event-collectors": [
       {
           "spec": {
               "allowedIndexes": [
                   "main",
                   "summary"
               ],
               "defaultHost": "",
               "defaultIndex": "main",
               "defaultSource": "",
               "defaultSourcetype": "",
               "disabled": true,
               "name": "hec-token-name",
               "useACK": true 
           },
           "token": "9803a48f-b733-4106-8a3f-871c53ee2675"
       }
   ]
}

POST

Create a new HEC token.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
name | String | The HEC token name. This is the token ID, not the actual token value.
defaultIndex | String | Default index to store generated events.
useACK | Boolean | (Optional) Enable/disable (true/false) indexer acknowledgement.
token | String | (Optional) An existing token value.

Returned values

Name | Type | Description
token | String | The full token value.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v2/inputs/http-event-collectors' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--header 'Content-Type: application/json' \
--data-raw '{
   "allowedIndexes": [
       "main",
       "summary"
   ],
   "defaultHost": "",
   "defaultIndex": "main",
   "defaultSource": "",
   "defaultSourcetype": "",
   "disabled": false,
   "name": "hec-token-name",
   "useACK": true,
   "token": "this_is_my_token"
}'

JSON Response

{
   "http-event-collector": {
       "spec": {
           "allowedIndexes": [
               "main",
               "summary"
           ],
           "defaultHost": "",
           "defaultIndex": "main",
           "defaultSource": "",
           "defaultSourcetype": "",
           "disabled": false,
           "name": "hec-token-name",
           "UseACK": true
       },
       "token": "this_is_my_token"
   }
}

inputs/http-event-collectors/{hec-token-name}

https://admin.splunk.com/{stack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}

View, update, and delete HEC tokens.

GET

View an individual HEC token.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
name | String | The HEC token name. This is the token ID, not the actual token value.

Returned values

Name | Type | Description
disabled | Boolean | The enabled/disabled status of the HEC token.
defaultindex | String | Default index to store generated events.
useACK | Boolean | (Optional) Enable/disable (true/false) indexer acknowledgement.
token | String | The full token value.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...'

JSON Response

{
   "http-event-collectors": [
       {
           "spec": {
               "allowedIndexes": [
                   "main",
                   "summary"
               ],
               "defaultHost": "",
               "defaultIndex": "main",
               "defaultSource": "",
               "defaultSourcetype": "",
               "disabled": true,
               "name": "hec-token-name"
           },
           "token": "9803a48f-b733-4106-8a3f-871c53ee2675"
       }
   ]
}

PUT

Update an existing HEC token.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
defaultHost | String | Default index to store generated events.
defaultIndex | String | Default event source.
defaultSource | String | Default index to store generated events.
defaultSourcetype | String | Default index to store generated events.
disabled | String | Default index to store generated events.
name | String | The name of the HEC token. This is the token ID, not the actual token value.
useACK | Boolean | (Optional) Enable/disable (true/false) indexer acknowledgement.

Returned values None

Example request and response

JSON Request

curl -X PUT 'https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--header 'Content-Type: application/json' \
--data-raw '{
   "allowedIndexes": [
       "main",
       "summary"
   ],
   "defaultHost": "",
   "defaultIndex": "main",
   "defaultSource": "",
   "defaultSourcetype": "",
   "disabled": false,
   "name": "hec-token-name"
}'

JSON Response

{
"code": "200"
}

DELETE

Delete an HEC token.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
name | String | The HEC token name. This is the token ID, not the actual token value.

Returned values None

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{mystack}/adminconfig/v2/inputs/http-event-collectors/{hec-token-name}' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--header 'Content-Type: application/json'

JSON Response

{
"code": "200"
}

Manage indexes

The ACS API provides the following endpoints to manage indexes. For more information on how to manage indexes using the ACS API, see Manage indexes in Splunk Cloud Platform.

Note: ACS supports index management on Splunk Cloud Platform deployments on both Victoria Experience and Classic Experience.

indexes

https://admin.splunk.com/{stack}/adminconfig/v2/indexes

List and create indexes.

GET

List existing indexes.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
count | Number | Specifies the maximum number of items to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset | Number | Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.

Returned values

Name | Type | Description
name | String | The index name.
datatype | String | The type of data the index holds. Possible values: event or metric.
searchableDays | Number | Number of days the index is searchable.
maxDataSizeMB | Number | The maximum size of the index in megabytes.
totalEventCount | Number | The total number of events in an index.
totalRawSizeMB | Number | The total amount of raw data in an index in megabytes.
splunkArchivalRetentionDays | Number | The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA).
selfStorageBucketPath | String | The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS).

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

[
   {
       "name": "history",
       "datatype": "event",
       "searchableDays": 7,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "lastchanceindex",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "main",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "splunklogger",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   },
   {
       "name": "summary",
       "datatype": "event",
       "searchableDays": 1095,
       "maxDataSizeMB": 0,
       "totalEventCount": "0",
       "totalRawSizeMB": "0"
   }
]

POST

Create a new index.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud deployment.
name | String | The index name.
datatype | String | The type of data the index holds. Possible values: event or metric.
searchableDays | Number | Number of days the index is searchable.
maxDataSizeMB | Number | The maximum size of the index in megabytes.
splunkArchivalRetentionDays | Number | The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA). Specifying this value enables DDAA for the index.
selfStorageBucketPath | String | The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS). Specifying this value enables DDSS for the index. Note: Before you can create an index with DDSS enabled, you must configure a self-storage location for your deployment.

Returned values

Name | Type | Description
name | String | The index name.
datatype | String | The type of data the index holds. Possible values: event or metric.
searchableDays | Number | Number of days the index is searchable.
maxDataSizeMB | Number | The maximum size of the index in megabytes.
totalEventCount | Number | The total number of events in an index.
totalRawSizeMB | Number | The total amount of raw data in an index in megabytes.
splunkArchivalRetentionDays | Number | The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA).
selfStorageBucketPath | String | The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS).

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--header 'Content-Type: application/json' \
--data-raw '{
   "name": "testindex"
}'

JSON Response

{
   "name": "testindex",
   "datatype": "event",
   "searchableDays": 90,
   "maxDataSizeMB": 0,
   "totalEventCount": "0",
   "totalRawSizeMB": "0"
}

indexes/{name}

https://admin.splunk.com/{stack}/adminconfig/v2/indexes/{name}

View, update, and delete indexes.

GET

View an individual index.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
name | String | The name of the index.

Returned values

Name | Type | Description
name | String | The index name.
datatype | String | The type of data the index holds. Possible values: event or metric.
searchableDays | Number | Number of days the index is searchable.
maxDataSizeMB | Number | The maximum size of the index in megabytes.
totalEventCount | Number | The total number of events in an index.
totalRawSizeMB | Number | The total amount of raw data in an index in megabytes.
splunkArchivalRetentionDays | Number | The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA).
selfStorageBucketPath | String | The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS).

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes/testindex' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "name": "testindex",
   "datatype": "event",
   "searchableDays": 90,
   "maxDataSizeMB": 1024,
   "totalEventCount": "0",
   "totalRawSizeMB": "0"
}

PATCH

Update an existing index.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
name | String | The name of the index.
searchableDays | Number | Number of days the index is searchable.
maxDataSizeMB | Number | The maximum size of the index in megabytes.
splunkArchivalRetentionDays | Number | The archive retention period for indexes enabled with Dynamic Data Active Archive (DDAA). Specifying this value enables DDAA, or modifies the archive retention period value for an index already enabled with DDAA.
selfStorageBucketPath | String | The self-storage location for indexes enabled with Dynamic Data Self Storage (DDSS). Specifying this value enables DDSS, or modifies the self-storage location for an index already configured with DDSS. Note: Before you can create an index with DDSS enabled, you must configure a self-storage location for your deployment.

Returned values None

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/lighthearted-lemur-23e/adminconfig/v2/indexes/testindex' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--data-raw '{
   "searchableDays": 90,
   "maxDataSizeMB": 1024
}'

JSON Response

{
   "name": "testindex",
   "datatype": "event",
   "searchableDays": 90,
   "maxDataSizeMB": 1024,
   "totalEventCount": "0",
   "totalRawSizeMB": "0"
}

DELETE

Delete an index.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
name | String | The name of the index.

Returned values None

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/lighthearted-lemur-23e/adminconfig/v2/indexes/testindex' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' 

JSON Response

{
"code": "200"
}

Manage limits.conf configurations

The ACS API provides the following endpoints to manage limits.conf configurations. ACS API operations apply to a subset of editable limits.conf settings only. For more information on how to manage limits.conf configurations using the ACS API, see Manage limits.conf configurations in Splunk Cloud Platform.

Note: ACS endpoints for managing limits.conf apply to deployments on Victoria Experience only. See Determine your Splunk Cloud Platform Experience.

limits

https://admin.splunk.com/{stack}/adminconfig/v2/limits

List all limits.conf settings.

GET

List all limits.conf settings.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
Stanza | String | Name of limits.conf stanza.
Values | String | Limits.conf settings and current values.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

[{"Stanza":"join","Values":{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}},{"Stanza":"kv","Values":{"limit":"100","maxchars":"182"}},{"Stanza":"subsearch","Values":{"maxout":"10000","maxtime":"60"}}]

limits/{stanza}

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}

List and edit limits.conf settings under a stanza.

GET

List limits.conf settings under a stanza.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
stanza | String | Name of limits.conf stanza.

Returned values

Name | Type | Description
settings | String | Limits.conf settings and values under the stanza.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}

POST

Edit limits.conf settings.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
stanza | String | Name of limits.conf stanza.
settings | String | Limits.conf settings and modified values under the stanza.

Returned values

Name | Type | Description
settings | String | Limits.conf settings and values under the stanza.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "settings": {
        "subsearch_maxout": 91519,
        "subsearch_maxtime": 111
    }
}'

JSON Response

{"settings":{"subsearch_maxout":91519,"subsearch_maxtime":111}}

limits/{stanza}/{setting}

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/{setting}

List a specific limits.conf setting under a stanza.

GET

List a specific limits.conf setting under a stanza.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
stanza | String | Name of limits.conf stanza.
setting | String | Name of limits.conf setting.

Returned values

Name | Type | Description
setting | String | Limits.conf setting and value.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join/subsearch_maxout' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{"subsearch_maxout":"91519"}

limits/defaults

https://admin.splunk.com/{stack}/adminconfig/v2/limits/defaults

List all supported stanzas and default values for all settings within each stanza.

GET

List all supported limits.conf stanzas and default settings.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
stanza | String | Name of limits.conf stanza.
settings | String | limits.conf settings and their default values.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/defaults' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

[
	{
		"stanza": "join",
		"settings": [
			{
				"setting": "subsearch_maxout",
				"minValue": 0,
				"maxValue": 100000,
				"defaultValue": 50000
			},
			{
				"setting": "subsearch_maxtime",
				"minValue": 0,
				"maxValue": 120,
				"defaultValue": 60
			},
			{
				"setting": "subsearch_timeout",
				"minValue": 0,
				"maxValue": 240,
				"defaultValue": 120
			}
		]
	},
    ...
]

limits/{stanza}/defaults

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/defaults

List default values for settings in a specific stanza.

GET

List default values for settings in a specific limits.conf stanza.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
stanza | String | Name of limits.conf stanza.

Returned values

Name | Type | Description
stanza | String | Name of limits.conf stanza.
settings | String | limits.conf settings and their default values.

Example request and response

JSON Request

curl 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/subsearch/defaults' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{
	"stanza": "subsearch",
	"settings": [
		{
			"setting": "maxout",
			"minValue": 0,
			"maxValue": 10400,
			"defaultValue": 10000
		},
		{
			"setting": "maxtime",
			"minValue": 0,
			"maxValue": 120,
			"defaultValue": 60
		}
	]
}
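A client-side pre-check built on these responses, as an added example that is not Splunk's code: it validates a proposed limits/{stanza} POST body against the minValue/maxValue ranges from the defaults response and reports which current settings have drifted from their defaults. The function names are hypothetical, and the sample data is constructed from the "join" responses shown above.

```python
import json

# Constructed sample: the "join" entry of the limits/defaults response shown above.
JOIN_DEFAULTS = json.loads("""
{
  "stanza": "join",
  "settings": [
    {"setting": "subsearch_maxout",  "minValue": 0, "maxValue": 100000, "defaultValue": 50000},
    {"setting": "subsearch_maxtime", "minValue": 0, "maxValue": 120,    "defaultValue": 60},
    {"setting": "subsearch_timeout", "minValue": 0, "maxValue": 240,    "defaultValue": 120}
  ]
}
""")

# Constructed sample: the limits/join GET response shown above (values arrive as strings).
JOIN_CURRENT = {
    "subsearch_maxout": "91519",
    "subsearch_maxtime": "111",
    "subsearch_timeout": "120",
}


def build_limits_update(stanza_defaults, proposed):
    """Check proposed integer values against the stanza's minValue/maxValue.

    Returns (body, errors). body is the JSON body for POST limits/{stanza},
    or None when any proposed setting fails a check.
    """
    stanza = stanza_defaults["stanza"]
    ranges = {s["setting"]: s for s in stanza_defaults["settings"]}
    accepted, errors = {}, []
    for name, value in proposed.items():
        spec = ranges.get(name)
        if spec is None:
            errors.append(f"[{stanza}] {name}: not listed in the stanza defaults")
        elif isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"[{stanza}] {name}: expected an integer, got {value!r}")
        elif not spec["minValue"] <= value <= spec["maxValue"]:
            errors.append(
                f"[{stanza}] {name}: {value} is outside "
                f"{spec['minValue']}..{spec['maxValue']}"
            )
        else:
            accepted[name] = value
    return ({"settings": accepted} if not errors else None), errors


def drift_from_defaults(stanza_defaults, current):
    """Map each setting whose current value differs from its default to (current, default)."""
    drift = {}
    for spec in stanza_defaults["settings"]:
        name = spec["setting"]
        if name in current and int(current[name]) != spec["defaultValue"]:
            drift[name] = (int(current[name]), spec["defaultValue"])
    return drift


if __name__ == "__main__":
    body, errors = build_limits_update(
        JOIN_DEFAULTS, {"subsearch_maxout": 91519, "subsearch_maxtime": 111}
    )
    print(json.dumps(body), errors)
    print(drift_from_defaults(JOIN_DEFAULTS, JOIN_CURRENT))
```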

limits/{stanza}/reset

https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/reset

Reset a specific setting or all settings under a stanza.

POST

Reset a specific setting or all settings under a stanza.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
stanza | String | Name of limits.conf stanza.
setting | String | Specific limits.conf setting to reset (specify in request body).

Returned values

Name | Type | Description
settings | String | Limits.conf settings reset to default values.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/important-iguana-u5q/adminconfig/v2/limits/join/reset' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{"settings":{"subsearch_maxout":50000,"subsearch_maxtime":60,"subsearch_timeout":120}}

Manage maintenance windows

maintenance-windows/preferences

https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/preferences

Manage maintenance window change freeze requests. For more information on how to manage change freezes using the ACS API, see Manage maintenance window preferences.

GET

List maintenance window change freezes.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
id | String | ID of the change freeze request.
startDate | String | Start date of the change freeze, format: YYYY/MM/DD (UTC). Change freezes start at 00:00 UTC on the start date.
endDate | String | End date of the change freeze, format: YYYY/MM/DD (UTC). Change freezes end at 23:59 UTC on the end date.
appliesTo | Enum | Applies to supported change freeze types. Supported change freeze types:
  • "Splunk Initiated Changes Only": The change freeze applies only to maintenance windows created by Splunk. A customer can still request a maintenance window during the change freeze, but Splunk will not create a maintenance window during this period without a request.
  • "Customer and Splunk Initiated Changes": The change freeze applies to maintenance windows created by either customers or Splunk. No maintenance windows will be scheduled during the change freeze period.
reason | String | Reason for this change freeze request.
recordVersion | Number | Version of the record used to handle write conflicts. When updating a change freeze request, the recordVersion value that you specify in the PUT request must match the value in the latest GET request.

Example request and response

JSON Request

curl -X GET 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/preferences' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{
    "changeFreezes":{
        "customerInitiatedFreezes":[
            {
                "appliesTo":"Customer and Splunk Initiated Changes",
                "createdTimestamp":"2023-01-08T22:00:57Z",
                "endDate":"2023/02/14",
                "id":"b84a41c4-0344-48e5-8008-33ed44c2d393",
                "lastModifiedTimestamp":"2023-01-08T22:00:57Z",
                "reason":"Customer Business Needs",
                "startDate":"2023/02/01"
            }
        ],
        "splunkInitiatedFreezes":[
            {
                "appliesTo":"Customer and Splunk Initiated Changes",
                "category":"Professional Services",
                "createdTimestamp":"2023-01-08T22:00:57Z",
                "endDate":"2023/04/05",
                "id":"c5c122ee-78fc-4b4e-be6d-737396913abb",
                "lastModifiedTimestamp":"2023-01-08T22:00:57Z",
                "reason":"Professional Services Engagement",
                "startDate":"2023/04/01"
            }
        ]
    },
    "recordVersion":19
}

PUT

Update, create, or delete maintenance window change freezes.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
id | String | ID of the change freeze request. Required for update only.
startDate | String | Start date of the change freeze, format: YYYY/MM/DD (UTC). Change freezes start at 00:00 UTC on the start date.
endDate | String | End date of the change freeze, format: YYYY/MM/DD (UTC). Change freezes end at 23:59 UTC on the end date.
appliesTo | Enum | Applies to supported change freeze types. Supported change freeze types:
  • "Splunk Initiated Changes Only": The change freeze applies only to maintenance windows created by Splunk. A customer can still request a maintenance window during the change freeze, but Splunk will not create a maintenance window during this period without a request.
  • "Customer and Splunk Initiated Changes": The change freeze applies to maintenance windows created by either customers or Splunk. No maintenance windows will be scheduled during the change freeze period.
reason | String | Reason for this change freeze request.
recordVersion | Number | Version of the record used to handle write conflicts. To obtain this value, send a GET request to the maintenance-windows/preferences endpoint prior to sending a PUT request. When updating a change freeze, the recordVersion value that you specify in the PUT request must match the value in the latest GET request.

Returned values None

Example request and response: Update

Note: To update an existing change freeze, modify the fields of the change freeze object associated with the ID of the freeze you want to update. See Update maintenance window change freeze requests.

JSON Request

curl -X PUT 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/preferences' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...' \
--data '{
	"changeFreezes": {
		"customerInitiatedFreezes": [
			{
				"startDate": "2024/06/28",
				"endDate": "2024/07/02",
				"id": "b84a41c4-0344-48e5-8008-33ed44c2d393",
				"appliesTo": "Splunk Initiated Changes Only",
				"reason": "End of Quarter Freeze"
			},
			{
				"startDate": "2024/09/01",
				"endDate": "2024/09/14",
				"id": "3200242e-afc8-41dd-acd4-13ef41b5f3fd",
				"appliesTo": "Customer and Splunk Initiated Changes",
				"reason": "Business Needs"
			}
		]
	},
	"recordVersion": 2
}'

JSON Response

<empty>

Example request: Create

Note: To create a new change freeze request, add a new change freeze object to the change freeze list, with the "id" field omitted from the object. See Create a new change freeze request.

JSON Request

curl -X PUT 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/preferences' \
--header "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI..." \
--data '{
	"changeFreezes": {
		"customerInitiatedFreezes": [
			{
				"startDate": "2024/06/28",
				"endDate": "2024/07/02",
				"appliesTo": "Splunk Initiated Changes Only",
				"reason": "End of Quarter Freeze"
			}
		]
	},
	"recordVersion": 1
}'

Example request: Delete

Note: To delete an existing change freeze, omit the change freeze object associated with the ID of the freeze you want to delete from the freeze list. See Delete an existing change freeze request.

JSON Request

curl -X PUT 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/preferences' \
--header "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI..." \
--data '{
	"changeFreezes": {
		"customerInitiatedFreezes": []
	},
	"recordVersion": 2
}'
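Because the PUT body carries the whole customerInitiatedFreezes list (an omitted object is deleted) and must echo the recordVersion from the latest GET, the body is safest derived from that GET response. The following is an added example, not Splunk's code: the function names are hypothetical, the sample is constructed from the GET response shown earlier, and leaving GET-only fields such as createdTimestamp out of the PUT body is an assumption based on the PUT examples above.

```python
import re
from datetime import datetime

APPLIES_TO = {"Splunk Initiated Changes Only", "Customer and Splunk Initiated Changes"}
# Fields the PUT request parameters table lists for a change freeze object.
# Assumption: other fields returned by GET (timestamps) are left out of the PUT body.
WRITABLE = ("id", "startDate", "endDate", "appliesTo", "reason")

# Constructed sample, shaped like the GET response shown earlier.
SAMPLE_GET = {
    "changeFreezes": {
        "customerInitiatedFreezes": [
            {
                "appliesTo": "Customer and Splunk Initiated Changes",
                "createdTimestamp": "2023-01-08T22:00:57Z",
                "endDate": "2023/02/14",
                "id": "b84a41c4-0344-48e5-8008-33ed44c2d393",
                "lastModifiedTimestamp": "2023-01-08T22:00:57Z",
                "reason": "Customer Business Needs",
                "startDate": "2023/02/01",
            }
        ],
        "splunkInitiatedFreezes": [],
    },
    "recordVersion": 19,
}


def validate(freeze):
    """Enforce the documented date format and appliesTo values."""
    for key in ("startDate", "endDate"):
        if not re.fullmatch(r"\d{4}/\d{2}/\d{2}", str(freeze.get(key, ""))):
            raise ValueError(f"{key} must use the format YYYY/MM/DD")
    start = datetime.strptime(freeze["startDate"], "%Y/%m/%d")
    end = datetime.strptime(freeze["endDate"], "%Y/%m/%d")
    if end < start:
        raise ValueError("endDate is before startDate")
    if freeze.get("appliesTo") not in APPLIES_TO:
        raise ValueError(f"unsupported appliesTo: {freeze.get('appliesTo')!r}")


def existing_freezes(get_response):
    """Copy the current customer freezes, keeping only the writable fields."""
    current = get_response["changeFreezes"].get("customerInitiatedFreezes", [])
    return [{k: f[k] for k in WRITABLE if k in f} for f in current]


def put_body(get_response, freezes):
    """Validate every freeze and attach the recordVersion from the GET response."""
    for freeze in freezes:
        validate(freeze)
    return {
        "changeFreezes": {"customerInitiatedFreezes": freezes},
        "recordVersion": get_response["recordVersion"],
    }


def create_freeze(get_response, new_freeze):
    """Append a new freeze (no id) while keeping every existing freeze."""
    if "id" in new_freeze:
        raise ValueError("omit 'id' when creating a change freeze")
    return put_body(get_response, existing_freezes(get_response) + [dict(new_freeze)])


def update_freeze(get_response, freeze_id, changes):
    """Modify the freeze with the given id and keep the others unchanged."""
    freezes = existing_freezes(get_response)
    for freeze in freezes:
        if freeze.get("id") == freeze_id:
            freeze.update({k: v for k, v in changes.items() if k != "id"})
            return put_body(get_response, freezes)
    raise KeyError(f"no change freeze with id {freeze_id}")


def delete_freeze(get_response, freeze_id):
    """Drop only the freeze with the given id."""
    freezes = existing_freezes(get_response)
    kept = [f for f in freezes if f.get("id") != freeze_id]
    if len(kept) == len(freezes):
        raise KeyError(f"no change freeze with id {freeze_id}")
    return put_body(get_response, kept)
```

Serialize the returned dictionary with json.dumps to produce the --data payload; if another writer changed the record in the meantime, repeat the GET and rebuild the body so the recordVersion matches.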

maintenance-windows/schedules

https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules

List maintenance windows.

GET

List multiple scheduled maintenance windows.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
fromTime | String | The earliest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or in RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).
toTime | String | The latest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or in RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).
count | Number | The number of maintenance windows to list.
nextLink | String | Start time of the next scheduled maintenance window relative to the maintenance window count. A value of null indicates there are no more maintenance windows. UTC is the default timezone.

Returned values

Name | Type | Description
duration | String | Scheduled length of time for the maintenance window.
ExtendedDuration | String | Duration of the maintenance window extension.
lastModifiedTimestamp | String | The time of the last update to a maintenance window information response field (for example, change of status, change of description, and so on).
MaintenanceEndedAt | String | Actual end time of the maintenance window.
MaintenanceStartedAt | String | Actual start time of the maintenance window once it has started.
mwType | String | The maintenance window type (purpose). It can have one of the following values:
  1. Service Update Maintenance
  2. Security and Platform Maintenance
  3. Emergency Maintenance
  4. Customer Initiated Change
operationStatus | String | Current status of the operation. Valid operation status values:
  • Tentative: (Start state) Splunk has tentatively scheduled a maintenance window.
  • Scheduled: Splunk has scheduled a maintenance window.
  • In Progress: Splunk is currently performing the maintenance.
  • Completed: (End state) Splunk has successfully completed at least one external maintenance operation.
  • Canceled: (End state) Splunk or the customer has canceled the maintenance window.
startTime | String | The start time of the operation.
endTime | String | The end time of the operation.
scheduleId | String | The scheduled maintenance window ID.
scheduleEndTimestamp | String | Scheduled end time of the maintenance window.
scheduleStartTimestamp | String | Scheduled start time of the maintenance window.
status | String | Maintenance window status. Valid status values:
  • Tentative: (Start state) Splunk has tentatively scheduled a maintenance window.
  • Scheduled: Splunk has scheduled a maintenance window.
  • In Progress: Splunk is currently performing the maintenance.
  • Extended: Splunk has extended the maintenance window.
  • Completed: (End state) Splunk has successfully completed at least one external maintenance operation.
  • Canceled: (End state) Splunk or the customer has canceled the maintenance window.
nextLink | String | Start time of the next scheduled maintenance window relative to the maintenance window count. A value of null indicates there are no more maintenance windows. UTC is the default timezone.
zeroDowntime | Boolean | Indicates whether the maintenance window operation impacts uptime on the stack. A value of "true" means the operation will not impact uptime.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules?fromTime=2022-08-09&toTime=2022-08-14&nextLink=2022-08-21T04:00:00Z&count=1' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsu …'

JSON Response

{
   "nextLink": "2024-08-21T04:00:00Z",
   "schedules": [
       {
           "duration": "2h",
           "lastModifiedTimestamp": "2024-06-20T04:00:00Z",
           "lastSummary": "Customer requested an upgrade",
           "mwType": "Service Update Maintenance",
           "operations": [
               {
                   "SFDCTickets": ["SFDC-1234"],
                   "endTime": "2024-08-21T06:00:00Z",
                   "notes": ["Updating the stack to the latest version."],
                   "operationDescription": "KitKat Tock Upgradtez",
                   "operationStatus": "Tentative",
                   "startTime": "2024-08-21T04:00:00Z",
                   "zeroDowntime": true
               }
           ],
           "requestedEntity": "splunk",
           "scheduleEndTimestamp": "2024-08-21T06:00:00Z",
           "scheduleId": "1e4729b4-11d0-4165-a886-a21cce7139f2",
           "scheduleStartTimestamp": "2024-08-21T04:00:00Z",
           "status": "Tentative",
           "zeroDowntime": true 
       }
   ]
}

maintenance-windows/schedules/{scheduleId}

https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}

Describe individual maintenance windows.

GET

Describe a specific scheduled maintenance window.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
scheduleId | String | The scheduled maintenance window ID.

Returned values

Name | Type | Description
duration | String | Scheduled length of time for the maintenance window.
ExtendedDuration | String | Duration of the maintenance window extension.
lastModifiedTimestamp | String | The time of the last update to a maintenance window information response field (for example, change of status, change of description, and so on).
MaintenanceEndedAt | String | Actual end time of the maintenance window.
MaintenanceStartedAt | String | Actual start time of the maintenance window once it has started.
mwType | String | The maintenance window type (purpose). It can have one of the following values:
  1. Service Update Maintenance
  2. Security and Platform Maintenance
  3. Emergency Maintenance
  4. Customer Initiated Change
operationStatus | String | Current status of the operation. Valid operation status values:
  • Tentative: (Start state) Splunk has tentatively scheduled a maintenance window.
  • Scheduled: Splunk has scheduled a maintenance window.
  • In Progress: Splunk is currently performing the maintenance.
  • Completed: (End state) Splunk has successfully completed at least one external maintenance operation.
  • Canceled: (End state) Splunk or the customer has canceled the maintenance window.
startTime | String | The start time of the operation.
endTime | String | The end time of the operation.
scheduleId | String | The scheduled maintenance window ID.
scheduleEndTimestamp | String | Scheduled end time of the maintenance window.
scheduleStartTimestamp | String | Scheduled start time of the maintenance window.
status | String | Maintenance window status. Valid status values:
  • Tentative: (Start state) Splunk has tentatively scheduled a maintenance window.
  • Scheduled: Splunk has scheduled a maintenance window.
  • In Progress: Splunk is currently performing the maintenance.
  • Extended: Splunk has extended the maintenance window.
  • Completed: (End state) Splunk has successfully completed at least one external maintenance operation.
  • Canceled: (End state) Splunk or the customer has canceled the maintenance window.
zeroDowntime | Boolean | Indicates whether the maintenance window operation impacts uptime on the stack. A value of "true" means the operation will not impact uptime.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsu …'

JSON Response

{
    "duration": "2h",
    "lastModifiedTimestamp": "2024-06-20T04:00:00Z",
    "lastSummary": "Customer requested an upgrade",
    "mwType": "Service Update Maintenance",
    "operations": [
        {
            "SFDCTickets": ["SFDC-1234"],
            "endTime": "2024-08-21T06:00:00Z",
            "notes": ["Updating the stack to the latest version."],
            "operationDescription": "KitKat Tock Upgrade",
            "operationStatus": "Tentative",
            "startTime": "2024-08-21T04:00:00Z",
            "zeroDowntime": true
        }
    ],
    "requestedEntity": "splunk",
    "scheduleEndTimestamp": "2024-08-21T06:00:00Z",
    "scheduleId": "1e4729b4-11d0-4165-a886-a21cce7139f2",
    "scheduleStartTimestamp": "2024-08-21T04:00:00Z",
    "status": "Tentative",
    "zeroDowntime": true
}

maintenance-windows/schedules/{scheduleId}/audits

https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}/audits

Audit maintenance windows.

GET

View audit trail of a specified maintenance window.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
scheduleId String The scheduled maintenance window ID.
fromTime String The earliest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).
toTime String The latest time the maintenance window schedule starts. Acceptable format is YYYY-MM-DD or RFC3339 (YYYY-MM-DDTHH:mm:SSZHH:mm).

Returned values

Name Type Description
duration String Scheduled length of time for the maintenance window.
ExtendedDuration String Duration of the maintenance window extension.
lastModifiedTimestamp String The time of the last update to a maintenance window information response field (for example, change of status, change of description, and so on).
MaintenanceEndedAt String Actual end time of the maintenance window.
MaintenanceStartedAt String Actual start time of the maintenance window once it has started.
mwType String The maintenance window type (purpose). It can have one of the following values:
  1. Service Update Maintenance
  2. Security and Platform Maintenance
  3. Emergency Maintenance
  4. Customer Initiated Change
operationStatus String Current status of the operation. Valid operation status values:
  • Tentative: (Start state) Splunk has tentatively scheduled a maintenance window.
  • Scheduled: Splunk has scheduled a maintenance window.
  • In Progress: Splunk is currently performing the maintenance.
  • Completed: (End state) Splunk has successfully completed at least one external maintenance operation.
  • Canceled: (End state) Splunk or the customer has canceled the maintenance window.
startTime String The start time of the operation.
endTime String The end time of the operation.
scheduleId String The scheduled maintenance window ID.
scheduleEndTimestamp String Scheduled end time of the maintenance window.
scheduleStartTimestamp String Scheduled start time of the maintenance window.
status String Maintenance window status. Valid status values:
  • Tentative: (Start state) Splunk has tentatively scheduled a maintenance window.
  • Scheduled: Splunk has scheduled a maintenance window.
  • In Progress: Splunk is currently performing the maintenance.
  • Extended: Splunk has extended the maintenance window.
  • Completed: (End state) Splunk has successfully completed at least one external maintenance operation.
  • Canceled: (End state) Splunk or the customer has canceled the maintenance window.
zeroDowntime Boolean Indicates whether the maintenance window operation impacts uptime on the stack. A value of "true" means the operation will not impact uptime.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/maintenance-windows/schedules/{scheduleId}/audits?fromTime=2022-08-09&toTime=2022-08-14' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsu …'

JSON Response

{
    "audits": [
        {
            "duration": "2h",
            "lastModifiedTimestamp": "2024-06-20T04:00:00Z",
            "lastSummary": "Customer requested an upgrade",
            "mwType": "Service Update Maintenance",
            "operations": [
                {
                    "SFDCTickets": ["SFDC-1234"],
                    "endTime": "2024-08-21T06:00:00Z",
                    "notes": ["Updating the stack to the latest version."],
                    "operationDescription": "KitKat Tock Upgrade",
                    "operationStatus": "Tentative",
                    "startTime": "2024-08-21T04:00:00Z",
                    "zeroDowntime": true
                }
            ],
            "requestedEntity": "splunk",
            "scheduleId": "1e4729b4-11d0-4165-a886-a21cce7139f2",
            "scheduleStartTimestamp": "2024-08-21T04:00:00Z",
            "status": "Tentative",
            "zeroDowntime": true
        },
        {
            "duration": "2h",
            "lastModifiedTimestamp": "2024-06-22T08:00:00Z",
            "lastSummary": "Customer requested an upgrade",
            "mwType": "Service Update Maintenance",
            "operations": [
                {
                    "SFDCTickets": ["SFDC-1234"],
                    "endTime": "2024-08-21T06:00:00Z",
                    "notes": ["Updating the stack to the latest version."],
                    "operationDescription": "KitKat Tock Upgrade",
                    "operationStatus": "Scheduled",
                    "startTime": "2024-08-21T04:00:00Z",
                    "zeroDowntime": true
                }
            ],
            "requestedEntity": "splunk",
            "scheduleEndTimestamp": "2024-08-21T06:00:00Z",
            "scheduleId": "1e4729b4-11d0-4165-a886-a21cce7139f2",
            "scheduleStartTimestamp": "2024-08-21T04:00:00Z",
            "status": "Tentative",
            "zeroDowntime": true
        }
    ]
}
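The audit response is a list of full snapshots, so reviewing a window means working out what changed between them. The following added example (not part of the Splunk documentation) orders the snapshots by lastModifiedTimestamp, reports field-level changes, and checks status values against the documented lists; the sample input is constructed from the response above and all function names are illustrative.

```python
from datetime import datetime

# Status values listed in the "Returned values" table of this endpoint.
WINDOW_STATUSES = {"Tentative", "Scheduled", "In Progress", "Extended",
                   "Completed", "Canceled"}
OPERATION_STATUSES = WINDOW_STATUSES - {"Extended"}
ABSENT = "<absent>"

# Constructed sample input: the two snapshots from the response above, trimmed,
# and deliberately listed newest-first so ordering is not taken for granted.
SAMPLE_RESPONSE = {"audits": [
    {"lastModifiedTimestamp": "2024-06-22T08:00:00Z",
     "operations": [{"operationStatus": "Scheduled", "zeroDowntime": True}],
     "scheduleEndTimestamp": "2024-08-21T06:00:00Z",
     "scheduleId": "1e4729b4-11d0-4165-a886-a21cce7139f2",
     "status": "Tentative", "zeroDowntime": True},
    {"lastModifiedTimestamp": "2024-06-20T04:00:00Z",
     "operations": [{"operationStatus": "Tentative", "zeroDowntime": True}],
     "scheduleId": "1e4729b4-11d0-4165-a886-a21cce7139f2",
     "status": "Tentative", "zeroDowntime": True},
]}


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-06-20T04:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flatten(node, prefix=""):
    """Flatten nested dicts and lists into {path: leaf_value}."""
    if isinstance(node, dict):
        flat = {}
        for key, value in node.items():
            flat.update(flatten(value, f"{prefix}.{key}" if prefix else key))
        return flat
    if isinstance(node, list):
        flat = {}
        for index, value in enumerate(node):
            flat.update(flatten(value, f"{prefix}[{index}]"))
        return flat
    return {prefix: node}


def diff_snapshots(old, new):
    """Return (path, old_value, new_value) for every field that differs."""
    a, b = flatten(old), flatten(new)
    return [(path, a.get(path, ABSENT), b.get(path, ABSENT))
            for path in sorted(a.keys() | b.keys())
            if a.get(path, ABSENT) != b.get(path, ABSENT)]


def audit_timeline(response):
    """Order snapshots by modification time and list changes between neighbours."""
    snapshots = sorted(response.get("audits", []),
                       key=lambda s: parse_ts(s["lastModifiedTimestamp"]))
    timeline = []
    for previous, current in zip(snapshots, snapshots[1:]):
        changes = [c for c in diff_snapshots(previous, current)
                   if c[0] != "lastModifiedTimestamp"]
        timeline.append((current["lastModifiedTimestamp"], changes))
    return timeline


def undocumented_statuses(response):
    """Report status values that are not in the documented lists."""
    findings = []
    for snapshot in response.get("audits", []):
        if snapshot.get("status") not in WINDOW_STATUSES:
            findings.append(("status", snapshot.get("status")))
        for operation in snapshot.get("operations", []):
            if operation.get("operationStatus") not in OPERATION_STATUSES:
                findings.append(("operationStatus",
                                 operation.get("operationStatus")))
    return findings


if __name__ == "__main__":
    for when, changes in audit_timeline(SAMPLE_RESPONSE):
        print(when)
        for path, old, new in changes:
            print(f"  {path}: {old} -> {new}")
    print("undocumented statuses:", undocumented_statuses(SAMPLE_RESPONSE))
```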

Manage private apps and Splunkbase apps (Victoria Experience)

The ACS API provides the following endpoints to manage private apps and Splunkbase apps. For more information on how to manage private apps using the ACS API, see Manage private apps in Splunk Cloud Platform. For more information on how to manage Splunkbase apps using the ACS API, see Manage Splunkbase apps in Splunk Cloud Platform.

Note: The following ACS endpoints for managing private apps and Splunkbase apps apply to deployments on Victoria Experience only. See Determine your Splunk Cloud Platform Experience.

apps/victoria

https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria

List and install apps (Victoria Experience).

Authentication and authorization

  • All GET and POST operations for this endpoint require a JWT authentication token.
  • POST operations to install private apps also require an AppInspect authentication token and a legal acknowledgement that you accept risk for unsupported apps. For more information, see Manage private apps using the ACS API on Victoria Experience.
  • POST operations to install Splunkbase apps also require a Splunkbase session ID and the Splunkbase app license URL. For more information, see Manage Splunkbase apps using the ACS API.

GET

List apps.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of apps to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.
splunkbase Boolean Specify splunkbase=true to list Splunkbase apps only. Specify splunkbase=false to list non-Splunkbase apps only. If you do not specify this parameter, ACS lists all apps.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID Number The Splunkbase app ID number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…'

JSON Response

{
   "apps": [
       {
           "label": "075-cloudworks",
           "name": "075-cloudworks",
           "status": "installed",
           "version": ""
       },
       {
           "label": "100-cloudworks-wlm",
           "name": "100-cloudworks-wlm",
           "status": "installed",
           "version": ""
       },


       {
           "label": "tos",
           "name": "tos",
           "status": "installed",
           "version": ""
       }
   ]
}

POST

Install an app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbase Boolean You must specify splunkbase=true to install Splunkbase apps.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response (install private app)

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria' \
--header 'X-Splunk-Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9…' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-binary '@/Users/croth/Downloads/pa1v20.tar.gz'

JSON Response

{
   "label": "pa1",
   "name": "pa1",
   "status": "installed",
   "version": "1.2.2"
}

Example request and response (install Splunkbase app)

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria?splunkbase=true' \
--header 'X-Splunkbase-Authorization: bgf4ztyxcgssgcbdrhguzl0xgousxzcq' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'ACS-Licensing-Ack: http://opensource.org/licenses/ISC' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-urlencode 'splunkbaseID=491'

JSON Response

{
   "appID": "SplunkforPaloAltoNetworks",
   "label": "Palo Alto Networks App for Splunk",
   "name": "SplunkforPaloAltoNetworks",
   "splunkbaseID": "491",
   "status": "processing",
   "version": "7.0.4"
}

apps/victoria/{app_name}

https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/{app_name}

Describe and uninstall apps. Upgrade or downgrade Splunkbase apps. (Victoria Experience)

Authentication and authorization

  • All GET, PATCH, and DELETE operations for this endpoint require a JWT authentication token.
  • PATCH operations to upgrade or downgrade Splunkbase apps also require a Splunkbase session ID and the Splunkbase app license URL. For more information, see Manage Splunkbase apps using the ACS API.

GET

Describe an app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "label": "testapp",
   "name": "testapp",
   "status": "installed",
   "version": ""
}

PATCH

Upgrade or downgrade a Splunkbase app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbase Boolean You must specify splunkbase=true in the request URL to upgrade Splunkbase apps.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/SplunkforPaloAltoNetworks' \
--header 'X-Splunkbase-Authorization: bgf4ztyxcgssgcbdrhguzl0xgousxzcq' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'ACS-Licensing-Ack: http://opensource.org/licenses/ISC' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-urlencode 'version=7.0.3'

JSON Response

{
   "appID": "SplunkforPaloAltoNetworks",
   "label": "Palo Alto Networks App for Splunk",
   "name": "SplunkforPaloAltoNetworks",
   "splunkbaseID": "491",
   "status": "processing",
   "version": "7.0.3"
}

DELETE

Uninstall an app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.

Returned values None

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response None

Manage private apps and Splunkbase apps (Classic Experience)

apps

https://admin.splunk.com/{stack}/adminconfig/v2/apps

List and install apps (Classic Experience).

Authentication and authorization

GET

List apps.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
count Number Specifies the maximum number of apps to list. Maximum value is 100. Default is 30. A value of 0 lists all items.
offset Number Specifies a count displacement value (from the first existing item) on which to start the list. For example, if the count value is 100, to list items 100-200, specify an offset value of 100.
splunkbase Boolean Specify splunkbase=true to list Splunkbase apps only. Specify splunkbase=false to list non-Splunkbase apps only. If you do not specify this parameter, ACS lists all apps.

Returned values

Name Type Description
label String The app label.
name String The app name.
package String The app installation package.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID Number The Splunkbase app ID number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps?count=100' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…'

JSON Response

{
   "apps": []
}

POST

Install an app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbase Boolean You must specify splunkbase=true to install Splunkbase apps.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.

Returned values

Name Type Description
label String The app label.
name String The app name.
package String The app installation package.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/apps' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--form 'token="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9…"' \
--form 'package=@"/Users/{name}/app_inspect/testapp.tar.gz"'

JSON Response

{
   "label": "testapp",
   "name": "testapp",
   "package": "testapp.tar.gz",
   "status": "installed",
   "version": "1.0.31"
}

apps/{app_name}

https://admin.splunk.com/{stack}/adminconfig/v2/apps/{app_name}

Describe, upgrade, and uninstall apps (Classic Experience).

Authentication and authorization

  • All GET, PATCH, and DELETE operations for this endpoint require a JWT authentication token.
  • PATCH operations to upgrade or downgrade Splunkbase apps also require a Splunkbase session ID and the Splunkbase app license URL. For more information, see Upgrade a Splunkbase app on Classic Experience.

GET

Describe an app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.

Returned values

Name Type Description
label String The app label.
name String The app name.
package String The app installation package.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

JSON Response

{
   "label": "testapp",
   "name": "testapp",
   "package": "testapp.tar.gz",
   "status": "installed",
   "version": ""
}

PATCH

Upgrade a Splunkbase app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
splunkbaseID Number The Splunkbase app ID number. You can find the splunkbaseID value in the URL of the Splunkbase app download page.

Returned values

Name Type Description
label String The app label.
name String The app name.
status String The app installation status.
version Number The app version.
appID String The app name. Same as name and app_name parameters.
splunkbaseID String The Splunkbase app ID number.

Example request and response

JSON Request

curl -X PATCH 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/SplunkforPaloAltoNetworks' \
--header 'X-Splunkbase-Authorization: bgf4ztyxcgssgcbdrhguzl0xgousxzcq' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'ACS-Licensing-Ack: http://opensource.org/licenses/ISC' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…' \
--data-urlencode 'splunkbaseID=491'

JSON Response

{
   "appID": "SplunkforPaloAltoNetworks",
   "label": "Palo Alto Networks App for Splunk",
   "name": "SplunkforPaloAltoNetworks",
   "splunkbaseID": "491",
   "status": "processing",
   "version": "7.0.3"
}

DELETE

Uninstall an app.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
app_name String The name of the app.

Returned values None

Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/testapp' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI…'

JSON Response

{
"code": "200"
}

Manage Python version

python-runtime

https://admin.splunk.com/{stack}/adminconfig/v2/python-runtime

Manage Python version in Splunk Cloud Platform.

GET

Check Python runtime version.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name Type Description
pythonRuntime String The current Python runtime version. Possible values: force_python3, python3, python3.7, python3.9, or python2.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack-name}/adminconfig/v2/python-runtime' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...'

JSON Response

{
  "pythonRuntime": "force_python3"
}

POST

Change Python runtime version.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
pythonVersion String Supported values: force_python3, python3, python3.7, python3.9, and python2.

Returned values None

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack-name}/adminconfig/v2/python-runtime' \
   --header 'Authorization: Bearer eyJraWQ...' \
   -H "Content-Type: application/json" \
   --data '{
                "pythonVersion" : "unset"
        }'

JSON Response

{
  "message": "pythonVersion rolled back to python2"
}

Note: To upgrade the Python version after downgrading to Python 2, contact Splunk Support.

Manage restarts

For instructions on how to target a specific search head or search head cluster for restart operations, see Target a specific search head for ACS operations.

restart-now

https://admin.splunk.com/{stack}/adminconfig/v2/restart-now

Initiate a restart of the search head tier in Splunk Cloud Platform.

POST

Initiate a restart of a single search head or a rolling restart of a search head cluster.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.

Returned values

None

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/restart-now' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
    "message": "Successfully initiated a server restart. It might take some time for completion"
}

restart/status

https://admin.splunk.com/{stack}/adminconfig/v2/restart/status

Check status of search head cluster rolling restart.

Note: The restart/status endpoint applies to search head cluster rolling restarts only. The endpoint does not work with non-clustered search heads.

GET

Check status of search head cluster rolling restart.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name Type Description
rollingRestartInitiated Boolean A value of "true" means a rolling restart is in progress.
serviceReady Boolean A value of "true" means all cluster members have successfully restarted.
captain String URL prefix of the current search head cluster captain.

Example request and response

JSON Request

curl 'https://admin.splunk.com/{stack}/adminconfig/v2/restart/status' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
    "shcStatus": [
        {
            "captain": "sh-i-..",
            "rollingRestartInitiated": true,
            "serviceReady": false
        }
    ]
}

Provision Enterprise Managed Encryption Keys (EMEK)

emek/waiver

https://admin.splunk.com/{stack}/adminconfig/v2/emek/waiver

View EMEK legal disclaimer.

GET

View legal disclaimer.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.

Returned values None

Example request and response

JSON Request

curl "https://admin.splunk.com/{stack}/adminconfig/v2/emek/waiver" \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

Sample Response

AWS Legal Disclaimer

Thank you for subscribing to an encryption service for data at rest as an add-on to the Splunk Cloud Platform service. As you know, Splunk Cloud Platform relies on AWS Cloud Key Management Service (Cloud KMS) for key management operations, and customers who elect to use the Enterprise Managed Encryption Key (EMEK) capability assume full control of the customer master key (CMK) in Cloud KMS. Before electing to directly manage your own master in Cloud KMS, please reply to this message to confirm and acknowledge the following risks and responsibilities involved with self-management of your CMK:  

    * You are assuming ownership and full responsibility for the integrity and ongoing availability of your CMK in Cloud KMS.

    * The CMK is required for encrypting and decrypting Splunk data in real-time.

    * Loss of access to the CMK in Cloud KMS can and will result in service interruption and/or permanent loss of data access by all parties (AWS, Splunk and you).

    * Unauthorized access to the CMK in Cloud KMS can result in accidental or explicit key operations (such as key deactivation and/or deletion) that could lead to service disruption and/or permanent loss of data access by all parties (AWS, Splunk and you).

    * You must maintain Splunk privileged access to the CMK via Splunk mandated key policy definitions.

GCP Legal Disclaimer

Thank you for subscribing to an encryption service for data at rest as an add-on to the Splunk Cloud Platform service. As you know, Splunk Cloud Platform relies on GCP Cloud Key Management Service (Cloud KMS) for key management operations, and customers who elect to use the Enterprise Managed Encryption Key (EMEK) capability assume full control of the customer master key (CMK) in Cloud KMS. Before electing to directly manage your own master in Cloud KMS, please reply to this message to confirm and acknowledge the following risks and responsibilities involved with self-management of your CMK:  

    * You are assuming ownership and full responsibility for the integrity and ongoing availability of your CMK in Cloud KMS.

    * The CMK is required for encrypting and decrypting Splunk data in real-time.

    * Loss of access to the CMK in Cloud KMS can and will result in service interruption and/or permanent loss of data access by all parties (GCP, Splunk and you).

    * Unauthorized access to the CMK in Cloud KMS can result in accidental or explicit key operations (such as key deactivation and/or deletion) that could lead to service disruption and/or permanent loss of data access by all parties (GCP, Splunk and you).

    * You must maintain Splunk privileged access to the CMK via Splunk mandated key policy definitions.

emek/key-policy

https://admin.splunk.com/{stack}/adminconfig/v2/emek/key-policy

Generate a KMS key policy for your deployment.

Authentication and authorization

  • You must specify Y in the EMEK-Legal-Ack header to acknowledge acceptance of any risks involved in using EMEK.

GET

Get KMS key policy.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name Type Description
message String Description of how to set up the policy.
policy String Required policy/service accounts to set up the key in your cloud provider.
region String Cloud provider region in which you must generate the key.

Example request and response

JSON Request

curl "https://admin.splunk.com/{stack}/adminconfig/v2/emek/key-policy" \
--header 'EMEK-Legal-Ack: Y' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…'

AWS sample response

{
    "message": "Please copy and apply this key policy in AWS. Make sure to replace ${CUSTOMER_ACCOUNT_ID} with your corresponding AWS account ID.",
    "policy": {
        "Id": "key-consolepolicy-3",
        "Statement": [
            {
                "Action": "kms:*",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::${CUSTOMER_ACCOUNT_ID}:root"
                },
                "Resource": "*",
                "Sid": "Enable IAM User Permissions"
            },
            {
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Condition": {
                    "ArnEquals": {
                        "aws:PrincipalArn": "arn:aws:iam::992171771154:role/test-ibaniya-emek"
                    }
                },
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::992171771154:root"
                },
                "Resource": "*",
                "Sid": "Allow SplunkCloud to use the KMS Key"
            },
            {
                "Action": [
                    "kms:Encrypt",
                    "kms:GenerateDataKey*",
                    "kms:ReEncrypt*",
                    "kms:DescribeKey"
                ],
                "Condition": {
                    "ArnEquals": {
                        "aws:PrincipalArn": "arn:aws:iam::992171771154:role/terraform_assumed_role-lve"
                    }
                },
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::992171771154:root"
                },
                "Resource": "*",
                "Sid": "Allow SplunkCloud's Infrastructure Builder to use Key"
            },
            {
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                },
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::992171771154:root"
                    ]
                },
                "Resource": "*",
                "Sid": "Allow attachment of persistent resources"
            }
        ],
        "Version": "2012-10-17"
    },
    "region": "us-east-1"
}

GCP sample response:

{
    "message": "Create a KMS key in the following GCP region: us-central1. Apply the provided Splunk Cloud cross-account key policy template, see Using Key Policies and Allowing Cross-Account access to a CMK for more details on this. Make sure to replace any placeholder values if applicable. Once the above steps have been completed, please provide Splunk Cloud with the ARN of the KMS key created as well as the output of the KMS describe key command.",
    "policy": {
        "bindings": [
            {
                "members": [
                    "serviceAccount:test-ibaniya-gcp-idx@test-ibaniya-gcp-9fe6.iam.gserviceaccount.com",
                    "serviceAccount:service-945453386874@compute-system.iam.gserviceaccount.com"
                ],
                "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"
            },
            {
                "members": [
                    "serviceAccount:lve-stack-tf@cworks-lve-dd28.iam.gserviceaccount.com",
                    "serviceAccount:test-ibaniya-gcp-idx@test-ibaniya-gcp-9fe6.iam.gserviceaccount.com"
                ],
                "role": "roles/cloudkms.viewer"
            }
        ]
    },
    "region": "us-central1"
}

emek/key

https://admin.splunk.com/{stack}/adminconfig/v2/emek/key

Upload KMS key to Splunk Cloud Platform.

Authentication and authorization

  • You must specify Y in the EMEK-Legal-Ack header to acknowledge acceptance of any risks involved in using EMEK.

PUT

Upload KMS key.

Request parameters

Name Type Description
stack String The URL prefix of the Splunk Cloud Platform deployment.
keyARN String Identifier for the KMS key.
  • For AWS, the keyARN must be of the format: arn:<partition>:kms:<region>:<account-id>:key/<key-id> or arn:<partition>:kms:<region>:<account-id>:alias/<alias-name>
  • For GCP, the keyARN must be of the format: projects/<project-id>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key>

Returned values None

Example request and response

JSON Request

curl -X PUT "https://admin.splunk.com/{stack}/adminconfig/v2/emek/key" \
--header 'EMEK-Legal-Ack: Y' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--data '{
    "keyARN": "arn:aws:kms:us-east-1:111111111111:key/000000-xxx"
}'

Sample Response

{
    "message": "EMEK Key ARN upload request accepted. To check the status of your request, use DescribeStack operation. Please contact Splunk support to use this EMEK key to re-key your stack."
}
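
A client-side check for the two keyARN layouts listed above, run before the PUT so that a malformed or over-specific identifier (for example a GCP key version path) never reaches the API. This is an added example, not Splunk's code; the function names, the stack-name pattern and the character classes allowed inside each <placeholder> are assumptions, since the page gives only the layout.

```python
import json
import re

# Layouts from the keyARN parameter description. The character classes inside
# each <placeholder> are assumptions; the page specifies only the layout.
AWS_KEY = re.compile(
    r"arn:(?P<partition>[a-z0-9-]+):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>[0-9]{12}):(?P<kind>key|alias)/(?P<name>[A-Za-z0-9/_-]+)"
)
GCP_KEY = re.compile(
    r"projects/(?P<project>[^/\s]+)/locations/(?P<location>[^/\s]+)"
    r"/keyRings/(?P<keyring>[^/\s]+)/cryptoKeys/(?P<key>[^/\s]+)"
)
STACK = re.compile(r"[A-Za-z0-9-]+")  # assumed shape of a stack URL prefix


def parse_key_arn(value):
    """Return (provider, fields) for a keyARN in one of the two documented layouts."""
    for provider, pattern in (("aws", AWS_KEY), ("gcp", GCP_KEY)):
        # fullmatch rejects trailing newlines and extra path segments.
        match = pattern.fullmatch(value)
        if match:
            return provider, match.groupdict()
    raise ValueError("keyARN matches neither the AWS nor the GCP layout: %r" % value)


def emek_key_request(stack, key_arn):
    """Build (url, headers, body) for PUT emek/key; the caller adds Authorization."""
    if not STACK.fullmatch(stack):
        raise ValueError("unexpected characters in stack name: %r" % stack)
    parse_key_arn(key_arn)  # refuse to build a request around a malformed key
    url = "https://admin.splunk.com/%s/adminconfig/v2/emek/key" % stack
    headers = {"EMEK-Legal-Ack": "Y", "Content-Type": "application/json"}
    return url, headers, json.dumps({"keyARN": key_arn})
```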

Retry failed operations

deployment/status

https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status

Check the status of the latest operation in Splunk Cloud Platform.

GET

Check the status of the latest operation in Splunk Cloud Platform

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
id | String | The latest deployment ID on the stack.
timestamp | String | The time at which the latest operation was initiated.
status | String | The status of the latest operation.

Example request and response

JSON Request

curl https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
   "lastDeployment": {
       "id": "AD11DDF4-B13B-4EDC-9B4F-A5FF539CD196",
       "timestamp": "6/16/2023, 11:31:22 AM",
       "status": "failed"
   }
}

deployment/retry

https://admin.splunk.com/{stack}/adminconfig/v2/deployment/retry

Retry a failed operation in Splunk Cloud Platform.

Note: ACS supports retry for private app installation and HEC token management operations only.

POST

Retry a failed private app installation or HEC token management operation.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.

Returned values

Name | Type | Description
id | String | The new deployment ID of the retried operation.
timestamp | String | The time at which the retry operation was initiated.
status | String | The status of the retry operation.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/deployment/retry' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1...'

JSON Response

{
   "id": "30D3BC03-11AC-4A16-88F7-7924735638ED",
   "timestamp": "6/16/2023, 11:31:22 AM",
   "status": "new"
}

deployment/status/{deploymentID}

https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status/{deploymentID}

Check the status of an operation in Splunk Cloud Platform.

GET

Check the status of a retry or other operation by deployment ID in Splunk Cloud Platform.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
deploymentID | String | The deployment ID of the operation for which you want to check status.

Returned values

Name | Type | Description
id | String | The deployment ID specified in the request.
timestamp | String | The time at which the operation specified by the deployment ID was initiated.
status | String | The status of the operation specified by the deployment ID.

Example request and response

JSON Request

curl https://admin.splunk.com/{stack}/adminconfig/v2/deployment/status/{deploymentID} \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYW...'

JSON Response

{
   "lastDeployment": {
       "id": "AD11DDF4-B13B-4EDC-9B4F-A5FF539CD196",
       "timestamp": "6/16/2023, 11:31:22 AM",
       "status": "running"
   }
}
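
The three deployment endpoints above chained into one workflow, as an added example rather than Splunk's own code: retry only when the latest operation reports failed, then follow the new deployment ID. The ACS_TOKEN environment variable, the function names, and the treatment of any status other than new or running as final are assumptions.

```python
import json
import os
import time
import urllib.request

BASE = "https://admin.splunk.com/{stack}/adminconfig/v2/"
IN_PROGRESS = {"new", "running"}  # the only non-failed statuses shown on this page


def acs_send(stack, method, path):
    """Call one ACS endpoint. The token is read from the environment
    (ACS_TOKEN is a hypothetical variable name), never from the source."""
    req = urllib.request.Request(
        BASE.format(stack=stack) + path,
        method=method,
        headers={"Authorization": "Bearer " + os.environ["ACS_TOKEN"]},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def deployment(body):
    """Status responses nest the record under lastDeployment; retry returns it flat."""
    return body.get("lastDeployment", body)


def retry_failed(stack, send=acs_send, polls=10, delay=30, sleep=time.sleep):
    """Retry the latest operation only if it failed, then poll the new deployment ID.
    ACS retries private app installation and HEC token operations only."""
    last = deployment(send(stack, "GET", "deployment/status"))
    if last["status"] != "failed":
        return last  # nothing to retry; do not POST
    current = deployment(send(stack, "POST", "deployment/retry"))
    for _ in range(polls):
        if current["status"] not in IN_PROGRESS:
            break  # assumption: anything else is a final state
        sleep(delay)
        current = deployment(send(stack, "GET", "deployment/status/" + current["id"]))
    return current
```

Passing `send` and `sleep` as parameters lets the workflow be exercised against canned responses before it is pointed at a real stack.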

Unified Identity for Splunk Observability Cloud

observability/sso-pairing

https://admin.splunk.com/{stack}/adminconfig/v2/observability/sso-pairing

Set up Unified Identity for Splunk Observability Cloud and Splunk Cloud Platform.

POST

Pair your Observability organization with your Splunk Cloud stack.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
o11y-access-token | String | O11y API access token belonging to an O11y admin.

Returned values

Name | Type | Description
id | String | A unique ID used to determine the pairing status.

Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/<enter-stack-name>/adminconfig/v2/observability/sso-pairing' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...' \
--header 'o11y-access-token: xyz123...'

JSON Response

{
   "id": "a12b23cd"
}

observability/sso-pairing/{pairing-id}

https://admin.splunk.com/{stack}/adminconfig/v2/observability/sso-pairing/{pairing-id}

Check the pairing status of Splunk Observability Cloud and Splunk Cloud Platform.

GET

Get the pairing status of a Splunk Observability Cloud organization and Splunk Cloud Platform stack.

Request parameters

Name | Type | Description
stack | String | The URL prefix of the Splunk Cloud Platform deployment.
o11y-access-token | String | O11y API access token belonging to an O11y admin.
pairing-id | String | Pairing ID returned when sending a POST request to the observability/sso-pairing endpoint.

Returned values

Name | Type | Description
id | String | The unique ID used to determine the pairing status.
status | String | The pairing status of the Splunk Observability Cloud organization and Splunk Cloud Platform stack. The status field value can be SUCCESS, FAILED, or IN_PROGRESS.

Example request and response

JSON Request

curl --location --request GET 'https://admin.splunk.com/{stack}/adminconfig/v2/observability/sso-pairing/a12b23cd' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnI...' \
--header 'o11y-access-token: xyz123...'

JSON Response

{
   "pairingId":"a12b23cd",
   "status":"SUCCESS"
}