Topology endpoint descriptions

Retrieve a list of active components for a deployment, including identity and trust details for each node.

Usage details

Topology REST API

The topology endpoints are part of the Topology REST API available on the Splunk platform. This API provides programmatic access for administrators and applications to deployment topology and infrastructure introspection data through a unified interface. These endpoints retrieve information using the Splunk Topology sidecar. For more information about sidecars, see About Splunk sidecars.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have the list_topology capability to use REST topology endpoints. By default, this capability is assigned to the admin role.

Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles. Requires the . By default, this capability is assigned to the admin role.

topology

Retrieves a complete JSON view of the Splunk platform deployment topology, including managed node roles and optional unmanaged actors.

CODE 
https://<host>:<mPort>/services/stack-explainer/v1/topology

Retrieves a complete view of the deployment topology for the Splunk platform, including all managed node roles. Use this information to visualize and analyze your deployment structure.

Available only on License Manager nodes.

Requests require the GET method.

Limitations

Note the following limitations when using the topology endpoint:

  • The topology endpoint requires a deployment with one License Manager to function correctly. If you use multiple License Managers behind a load balancer, which is a configuration supported in customer-managed Splunk deployments, the topology information might not be correct.

  • The Splunk Topology sidecar does not support FIPS mode.

Authorization

Requires the list_topology capability. By default, this capability is assigned to the admin role.

GET

Retrieves a complete view of the deployment topology for the Splunk platform.

Request parameters

Name Type Description
include_unmanaged_actors

Boolean (Flag)

Optional. If present, the response includes unmanaged nodes that communicate with the deployment, typically by ingesting data, but their details cannot be verified.

Request body

None

Returned values

Returns data in JSON format.

Field Type Description
header.timestamp String

The UTC timestamp of when the response was generated.
license_manager Object The node object for the License Manager.
cluster_manager Object The node object for the Cluster Manager
indexers Array Node objects for indexers
search_heads Array Node objects for search heads
deployers Array Node objects for deployers
unrecognized Array Node objects that could not be assigned a known role. This typically occurs when deployment peers remain undiscovered due to network or configuration constraints.
unmanaged_actors Array Only present when the request included the include_unmanaged_actors parameter.
Values returned for node objects:
Field Type Description
guid String The unique node identifier
label String Server name
fips_enabled Boolean
Whether or not the node is running in FIPS mode.

  • The value of true means that FIPS mode is turned on.

  • The value of false means that FIPS mode is turned off.
roles Array Server roles
host_info Object
A nested object that contains network connectivity details for the host node:

  • scheme - The protocol used for communication, for example, http or https.

  • ip - The IP address of the host.

  • fqdn - The Fully Qualified Domain Name (FQDN) of the host.

  • mgmt_port - The port used for management communication, for example, 8089.

  • web-port - The port used for the web interface, for example, 8000.
version_info Object
A nested object that contains the following fields:

  • build - The build number of the current Splunk Enterprise or Splunk Cloud Platform installation

  • version - The version the current Splunk Enterprise or Splunk Cloud Platform installation
os_info: Object
A nested object that contains the following fields:

  • build - The specific build identifier or kernel version of the operating system

  • name - The name of the operating system

  • version - The version of the operating system
status String Node status
last_heartbeat String The timestamp of the most recent heartbeat signal. Present only if the Topology API can retrieve it. Available only for indexers and search heads known to the Cluster Manager in customer-managed deployments.
managed_by Object
List of the managing entities that govern the current node, such as

  • cluster_manager

  • license_manager

  • search_head_cluster

  • deployer

Each field contains the GUID of the managing entity. Use this GUID to trace the management hierarchy. For example, an indexer peer populates cluster_manager with the GUID of its managing entity. Fields are omitted if the node is not managed by a specific entity.

Note: The search_head_cluster GUID identifies the search head cluster as a logical group of search head nodes. It does not represent a single managing node or entity. This GUID cannot be used with the node-identity/{guid} endpoint to retrieve a single node identity.
Values returned for the unmanaged actor objects. Unmanaged actors are nodes that communicate with the deployment, typically by ingesting data, but their data cannot be verified.
Field Type Description
guid String A unique node identifier if known
label String The hostname or display label
host_info Object
A nested object that contains network connectivity details for the host node:

  • scheme - The protocol used for communication, for example, http or https.

  • ip - The IP address of the host.

  • fqdn - The Fully Qualified Domain Name (FQDN) of the host.

  • mgmt_port - The port used for management communication, for example, 8089.

  • web-port - The port used for the web interface, for example, 8000.
indexer_guids Array A list of unique identifiers (GUIDs) for the indexers to which this node is currently connected. Use these GUIDs to map data ingestion paths and verify connectivity within the Splunk platform topology.
connection_types Array A list of the transport protocols or data connection methods currently in use by the node, for example:

  • tcp/cooked - a data format native to the Splunk platform, used for S2S communication.

  • tcp/raw - unparsed data streams sent over Transmission Control Protocol (TCP).

  • udp - Standard User Datagram Protocol streams

  • http - Data streams sent over HTTP/HTTPS, typically associated with HEC.
last_conn_time String Optional. The timestamp of the last successful connection established by the node.

Available for on-premises deployments.

Response status codes

HTTP status code Description
200 The request was successful, and the topology data is returned in the response body.
403

Failure when trying to access the endpoint from a different node than the License Manager.

Example response
JSON 
{ "error": "Access allowed only on license manager node" }
500

Failure when trying to retrieve trusted-connections.

Example response
JSON 
{ "error": "Failed to get the topology: <reason>" }

Example request and response

JSON Request
CODE 
curl -k -u <username>:<password> https://127.0.0.1:<port>/services/stack-explainer/v1/topology
Request including unmanaged nodes:
CODE 
curl -k -u <username>:<password> https://127.0.0.1:<port>/services/stack-explainer/v1/topology\?include_unmanaged_actors
JSON Response
Successful request - response:
JSON 
{
  "header": { "timestamp": "2024-01-15T10:30:00Z" },
  "license_manager": {
    "guid": "72DBBCDD-65DC-434D-82A3-D29CD899E386",
    "label": "lm1",
    "fips_enabled": false,
    "roles": ["license_manager"],
    "host_info": { "scheme": "https", "ip": "10.0.0.1", "fqdn": "lm.example.com", "mgmt_port": 8089, "web-port": 8000 },
    "version-info": { "build": "8e742d38e4b5", "version": "10.4.0" },
    "os-info": { "name": "Linux", "version": "5.15" },
    "managed_by": {}
  },
  "cluster_manager": { ... },
  "indexers": [ ... ],
  "search_heads": [ ... ],
  "deployers": [ ... ]
}

node-identity

Retrieves identity information for the local Splunk platform node.

CODE 
https://<host>:<mPort>/services/stack-explainer/v1/node-identity

Retrieves identity information for the local Splunk platform node. Use this information to uniquely identify the node within the deployment.

Available on all node types except universal forwarders.

Requests require the GET method.

Authorization

Requires the list_topology capability. By default, this capability is assigned to the admin role.

GET

Retrieves identity information for the local Splunk platform node.

Request parameters
None

Request body
None

Returned values

Returns data in JSON format.

Field Type Description
header.timestamp String

The UTC timestamp of when the response was generated.
fips_enabled Boolean
Whether or not the node is running in FIPS mode.

  • The value of true means that FIPS mode is turned on.

  • The value of false means that FIPS mode is turned off.
host_info Object
A nested object that contains network connectivity details for the remote node:

  • fqdn - The Fully Qualified Domain Name (FQDN) of the remote node.

  • mgmt_scheme - The protocol used for management interface, for example, http or https.

  • mgmt_hostname - The hostname used for the management interface.

  • mgmt_port - The port number for the management interface, for example, 8089.

  • web_scheme - The protocol used for the web interface, for example, http or https.

  • web-port - The port number for the web interface, for example, 8000.
roles Array Server roles assigned to this node
version_info Object
A nested object that contains the following fields:

  • build - The build number of the current Splunk Enterprise or Splunk Cloud Platform installation

  • version - The version of the current Splunk Enterprise or Splunk Cloud Platform installation
os_info: Object
A nested object that contains the following fields:

  • build - The specific build identifier of the host operating system

  • name - The name of the host operating system

  • version - The version of the host operating system

Response status codes

HTTP status code Description
200 Successful request was.
500

Failure when trying to retrieve the node identity data.

Example response:
JSON 
{ "error": "failed to get node identity: <reason>" }

Example request and response

JSON Request
CODE 
curl -k -u admin:<password> \
  https://127.0.0.1:<port>/services/stack-explainer/v1/node-identity
JSON Response
Successful request - response:
JSON 
{
  "header": { "timestamp": "2026-04-07T11:13:02Z" },
  "fips_enabled": false,
  "host_info": {
    "fqdn": "indexer-1.example.com",
    "mgmt_scheme": "https",
    "mgmt_hostname": "10.0.0.5",
    "mgmt_port": 8089,
    "web_scheme": "https",
    "web_port": 8000
  },
  "roles": ["indexer", "cluster_peer"],
  "version_info": { "build": "37c5143b091f", "version": "10.6.0" },
  "os_info": { "build": "build-67890", "name": "Linux", "version": "5.15" }
}

node-identity/{guid}

JSON 
https://<host>:<mPort>/services/stack-explainer/v1/node-identity/{guid}
Retrieves identity information for a remote Splunk platform node identified by its {guid}. This endpoint acts as a proxy, forwarding the request through the local node to return identity metadata for the target node.

Available only on License Manager nodes which are the only nodes capable of connecting to remote nodes.

Requests require the GET method.

Authentication and authorization

Requires the list_topology capability. By default, this capability is assigned to the admin role.

GET

Retrieves identity information for a remote Splunk platform node identified by its {guid}.

Request parameters
None

Request body
None

Returned values

Returns data in JSON format.

Field Type Description
header.timestamp String

The UTC timestamp of when the response was generated.
fips_enabled Boolean
Whether or not the remote node is running in FIPS mode.

  • The value of true means that FIPS mode is turned on.

  • The value of false means that FIPS mode is turned off.
host_info Object
A nested object that contains network connectivity details for the remote node:

  • fqdn - The Fully Qualified Domain Name (FQDN) of the remote node.

  • mgmt_scheme - The protocol used for management interface, for example, http or https.

  • mgmt_hostname - The hostname used for the management interface.

  • mgmt_port - The port number for the management interface, for example, 8089.

  • web_scheme - The protocol used for the web interface, for example, http or https.

  • web-port - The port number for the web interface, for example, 8000.
roles Array Server roles assigned to the remote node
version_info Object
A nested object that contains the following fields:

  • build - The build number of the current Splunk Enterprise or Splunk Cloud Platform installation

  • version - The version of the current Splunk Enterprise or Splunk Cloud Platform installation
os_info: Object
A nested object that contains the following fields:

  • build - The specific build identifier of the host operating system

  • name - The name of the host operating system

  • version - The version of the host operating system

Response status codes

HTTP status code Description
200 Successful request
403

Failure when trying to access the endpoint from a different node than the License Manager.

Example response:
JSON 
{ "error": "Access allowed only on license manager node" }
404

Failure when no node matches the specified GUID.
500

Failure when trying to retrieve node identity data.

Example response
JSON 
{ "error": "failed to get node identity: <reason>" }

Example request and response

JSON Request
JSON 
curl -k -u admin:<password> \
  https://127.0.0.1:<port>/services/stack-explainer/v1/node-identity/{guid}
JSON Response
Successful request - response
JSON 
{
  "header": { "timestamp": "2026-04-07T11:13:02Z" },
  "fips_enabled": false,
  "host_info": {
    "fqdn": "indexer-2.example.com",
    "mgmt_scheme": "https",
    "mgmt_hostname": "10.0.0.6",
    "mgmt_port": 8089,
    "web_scheme": "https",
    "web_port": 8000
  },
  "roles": ["indexer", "cluster_peer"],
  "version_info": { "build": "37c5143b091f", "version": "10.6.0" },
  "os_info": { "build": "build-67890", "name": "Linux", "version": "5.15" }
}

trusted-connections

Retrieves configuration details for trusted connections on the local node, including HEC inputs, S2S connections, TCP/UDP inputs, and search peer relationships.

CODE 
https://<host>:<mPort>/services/stack-explainer/v1/trusted-connections
Retrieves configuration details for the trusted connections of the local node in a Splunk platform deployment, including HTTP Event Collector (HEC) inputs, Splunk-to-Splunk (S2S) input and output configurations, and search peer relationships.

Available on all node types except universal forwarders.

Requests require the GET method.

See also

Authentication and authorization

Requires the list_topology capability. By default, this capability is assigned to the admin role.

GET

Retrieves configuration settings for the trusted connections of the local node, including HEC, S2S, and search peer relationships.

Request parameters
None

Request body
None

Returned values
Returns data in JSON format.

Name Type Description
header.timestamp String The UTC timestamp of when the response was generated.
guid String The unique identifier of the host node
hec Object
A nested object that contains configuration and status details for the HTTP Event Collector (HEC):

  • enabled - Whether or not HEC is activated. The value of <codeph>true</codeph> means that HEC is turned on. The value of <codeph>false</codeph> means that HEC is turned off.

  • port - The port number on which HEC is configured to receive data.

  • hashed_tokens - A list of SHA-256 hashed HEC tokens. Only activated tokens are included.

  • senders - A list of IP addresses of HEC senders currently connected to the node.
s2s Object
A nested objects that contains configuration details for Splunk-to-Splunk (S2S) connections:

  • receiving_ports - A mapping of TCP ports to lists of sender IP addresses for incoming S2S (cooked) TCP data. Cooked data refers to the data format native to the Splunk platform, used for S2S communication.

  • forwarding_hosts - A list of the destination host:port pairs for outgoing data.
tcp_inputs Object A mapping of Transmission Control Protocol (TCP) ports to sender IP addresses for TCP inputs.
udp_inputs Object A mapping of User Datagram Protocol (UDP) ports to sender IP addresses for UDP inputs.
searchPeers Array
A list of search peers. This field is present only when the node acts as a search head.

  • name - The hostname or display label of the search peer.

  • guid - The unique identifier (GUID) of the search peer.

Response status codes

HTTP status code Description
200 The request was successful.
500

Failure when trying to retrieve trusted-connections.

Example response
JSON 
{ "error": "failed to get trusted connections data: <reason>" }

Example request and response

JSON Request
CODE 
curl -k -u admin:<pass> \
  https://127.0.0.1:<port>/services/stack-explainer/v1/trusted-connections
JSON Response
Successful request - response
JSON 
{
  "header": { "timestamp": "2026-04-08T05:36:08Z" },
  "guid": "89773DD4-A41C-406F-9CC2-6FCB54E08C73",
  "hec": {
    "enabled": true,
    "port": 8088,
    "hashed_tokens": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "senders": ["10.0.1.5", "10.0.1.6"]
  },
  "s2s": {
    "receiving_ports": { "9997": ["10.0.1.10", "10.0.1.11"] },
    "forwarding_hosts": ["downstream-indexer.example.com:9997"]
  },
  "tcp_inputs": { "5114": ["10.0.1.20"] },
  "udp_inputs": { "5115": ["10.0.1.21"] },
  "searchPeers": [
    { "name": "indexer-1.example.com:8089", "guid": "8D98B2F4-3385-4AAF-89B0-634FE60AF26A" }
  ]
}

trusted-connections/{guid}

Retrieves trusted connection configuration for a remote Splunk platform node, including HEC, S2S, TCP/UDP inputs, and search peer relationships.

JSON 
https://<host>:<mPort>/services/stack-explainer/v1/trusted-connections/{guid}
Retrieves configuration details for trusted connections of a remote Splunk platform node identified by its {guid}. This endpoint acts as a proxy, forwarding your request to the target remote node and returning the HEC, S2S, and search peer configuration data retrieved from that node.

Available only on License Manager nodes.

Requests require the GET method.

See also

Authentication and authorization

Requires the list_topology capability. By default, this capability is assigned to the admin role.

GET

Retrieves configuration settings for the trusted connections of the remote node, identified by {guid}, including HEC, S2S, and search peer relationships.

Request parameters
None

Request body
None

Returned values

Returns data in JSON format.

Name Type Description
header.timestamp String The UTC timestamp of when the response was generated.
guid String The unique identifier of the queried remote node
hec Object
A nested object that contains configuration and status details for the HTTP Event Collector (HEC) on the remote node:

  • enabled - Whether or not HEC is activated. A value of <codeph>true</codeph> means that HEC is turned on. A value of <codeph>false</codeph> means that HEC is turned off.

  • port - The port number on which HEC is configured to receive data.

  • hashed_tokens - A list of SHA-256 hashed HEC tokens. Only activated tokens are included.

  • senders - A list of IP addresses of HEC senders currently connected to the node.
s2s Object
A nested objects that contains configuration details for Splunk-to-Splunk (S2S) connections:

  • receiving_ports - A mapping of TCP ports to lists of sender IP addresses for incoming S2S (cooked) TCP data. Cooked data refers to the data format native to the Splunk platform, used for S2S communication.

  • forwarding_hosts - A list of the destination host:port pairs for outgoing data.
tcp_inputs Object A mapping of Transmission Control Protocol (TCP) ports to sender IP addresses for TCP inputs.
udp_inputs Object A mapping of User Datagram Protocol (UDP) ports to sender IP addresses for UDP inputs.
searchPeers Array
A list of search peers. This field is present only when the node acts as a search head.

  • name - The hostname or display label of the search peer.

  • guid - The unique identifier (GUID) of the search peer.

Response status codes

HTTP status code Description
200 Successful request
403

Failure when trying to access the endpoint from a different node than the License Manager.

Example response:
JSON 
{ "error": "Access allowed only on license manager node" }
404

Failure when no node matches the specified {guid}.
500

Failure when trying to retrieve trusted connection data.

Example response
JSON 
{ "error": "failed to get trusted connections: <reason>" }

Example request and response

JSON Request
JSON 
curl -k -u admin:<password> \
  https://127.0.0.1:<port>/services/stack-explainer/v1/trusted-connections/{guid}
JSON Response
Successful request - response
JSON 
{
  "header": { "timestamp": "2026-04-08T05:36:08Z" },
  "guid": "89773DD4-A41C-406F-9CC2-6FCB54E08C73",
  "hec": {
    "enabled": true,
    "port": 8088,
    "hashed_tokens": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "senders": ["10.0.1.5", "10.0.1.6"]
  },
  "s2s": {
    "receiving_ports": { "9997": ["10.0.1.10", "10.0.1.11"] },
    "forwarding_hosts": ["downstream-indexer.example.com:9997"]
  },
  "tcp_inputs": { "5114": ["10.0.1.20"] },
  "udp_inputs": { "5115": ["10.0.1.21"] },
  "searchPeers": [
    { "name": "indexer-1.example.com:8089", "guid": "8D98B2F4-3385-4AAF-89B0-634FE60AF26A" }
  ]
}