REST Forwarder_groups

Splunk SOAR (On-premises) releases 6.2.0 and higher use Splunk Universal Forwarders to get SOAR data into Splunk Enterprise, Splunk Cloud, or Elastic Search.

/rest/forwarder_groups

Manage forwarder groups.

Syntax 

https://<username>:<password>@<host>/rest/forwarder_groups

GET

Get the settings for existing forwarder groups.

Example request

Get information about existing forwarder groups. 

curl -k -u soar_local_admin:<password> https://<soar_host>/rest/container_status -G -X GET

Example response

A successful GET will return a 200 response, and a JSON formatted list of forwarder groups. 

{
  "groups": [
    {
      "name": "<example_forwarder_group_name>",
      "enabled": true,
      "immutable": false,
      "output_type": "tcp",
      "indexers": [],
      "token": null,
      "hec_token": null,
      "is_credentials_app": true,
      "indexes": [
        "phantom_action_run",
        "phantom_app_run",
        "phantom_asset",
        "phantom_container",
        "phantom_container_comment",
        "phantom_decided_list",
        "phantom_note",
        "phantom_playbook_run",
        "phantom_playbook",
        "phantom_general_logs",
        "phantom_custom_function",
        "phantom_container_attachment",
        "phantom_audit",
        "phantom_artifact",
        "phantom_app"
      ],
      "client_cert_config": null,
      "client_cert": null,
      "client_cert_password": null,
      "ca_cert": null,
      "metadata": {
        "stack_url": "<SOAR_deployment_name>.splunkcloud.com",
        "client_cert": [
          {
            "valid_not_after": "2024-12-19T21:44:17+00:00",
            "issuer": "CN=Intermediate CA",
            "subject": "CN=forwarders.<SOAR_deployment_name>.splunkcloud.com",
            "serial": "<hex-encoded certificate serial number>"
          },
          {
            "valid_not_after": "2026-02-01T23:09:36+00:00",
            "issuer": "CN=Root CA",
            "subject": "CN=Intermediate CA",
            "serial": "<hex-encoded certificate serial number>"
          },
          {
            "valid_not_after": "2026-02-01T23:09:34+00:00",
            "issuer": "CN=Root CA",
            "subject": "CN=Root CA",
            "serial": "<hex-encoded certificate serial number>"
          },
          {
            "valid_not_after": "2026-02-01T23:09:34+00:00",
            "issuer": "CN=Root CA",
            "subject": "CN=Root CA",
            "serial": "<hex-encoded certificate serial number>"
          }
        ],
        "ca_cert": [
          {
            "valid_not_after": "2026-02-01T23:09:36+00:00",
            "issuer": "CN=Root CA",
            "subject": "CN=Intermediate CA",
            "serial": "<hex-encoded certificate serial number>"
          },
          {
            "valid_not_after": "2026-02-01T23:09:34+00:00",
            "issuer": "CN=Root CA",
            "subject": "CN=Root CA",
            "serial": "<hex-encoded certificate serial number>"
          },
          {
            "valid_not_after": "2031-11-10T00:00:00+00:00",
            "issuer": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
            "subject": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
            "serial": "<hex-encoded certificate serial number>"
          }
        ]
      }
    }
  ]
}