All Apps and Add-ons

Splunk Stream: How to configure streams using REST API?


Hello Splunkers

There is a partial REST API documentation.
There is a lot of information missing.

We are really interested in configuring our streams using the REST API.
Especially, since we are unable to use the SDK, because we are using python3.

Current, urgent use case
We want to create, modify and delete streams


0 Karma

Path Finder

A splunkd endpoint (Rest API) resides on port 8089 by default. In order to access these from code running in the browser, it needs to be “expose” setting in $SPLUNK_HOME/etc/system/default/web.conf. Or else it gives cross-origin prevention and CSRF protections in the browser.
To resolve this you are trying to send tokens for splunkweb_csrf_token_8000, splunkd_8000 and session_id_8000.
Actually these token are saved in your browser as cookies when u login to splunk web browser.
U need not to explicitly send in the request header. In turn, the browser will send these tokens in request header. U can see this in network section of browser.

0 Karma

Splunk Employee
Splunk Employee

hi. The Splunk Stream REST API docs have been updated with new request/response examples, parameter information, etc., for each operation. To use the /streams endpoint to create, modify, and delete streams, see:


0 Karma




What I don't understand yet is how do I get the tokens
The /streams/ GET command comments
The cookies and x-splunk-form-key can be obtained from the GET request's response headers.

But when I run it I only get

$ curl -i -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test
HTTP/1.1 404 Not Found
Date: Wed, 15 Feb 2017 14:35:14 GMT
Content-Type: text/json;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 337
Vary: Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id_8000=ee2f22f1c69a96be792938a883934b541b503d89; expires=Thu, 16 Feb 2017 14:35:10 GMT; httponly; Path=/; secure
Server: Splunkd

{"status": 404, "error": "Stream with specified id not found", "success": false}

I assume that I can just take the sessionID for the cookie so


But when I look at the POST command I also need

  • splunkweb_csrf_token_8000=
  • X-Splunk-Form-Key:

Where do I get these from?

0 Karma

Splunk Employee
Splunk Employee

Hi. Just FYI:
The Stream REST API docs have been updated with instructions on how to generate the required tokens. See:

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...