All Apps and Add-ons

Splunk Stream: How to configure streams using REST API?


Hello Splunkers

There is a partial REST API documentation.
There is a lot of information missing.

We are really interested in configuring our streams using the REST API.
Especially, since we are unable to use the SDK, because we are using python3.

Current, urgent use case
We want to create, modify and delete streams


0 Karma

Path Finder

A splunkd endpoint (Rest API) resides on port 8089 by default. In order to access these from code running in the browser, it needs to be “expose” setting in $SPLUNK_HOME/etc/system/default/web.conf. Or else it gives cross-origin prevention and CSRF protections in the browser.
To resolve this you are trying to send tokens for splunkweb_csrf_token_8000, splunkd_8000 and session_id_8000.
Actually these token are saved in your browser as cookies when u login to splunk web browser.
U need not to explicitly send in the request header. In turn, the browser will send these tokens in request header. U can see this in network section of browser.

0 Karma

Splunk Employee
Splunk Employee

hi. The Splunk Stream REST API docs have been updated with new request/response examples, parameter information, etc., for each operation. To use the /streams endpoint to create, modify, and delete streams, see:


0 Karma




What I don't understand yet is how do I get the tokens
The /streams/ GET command comments
The cookies and x-splunk-form-key can be obtained from the GET request's response headers.

But when I run it I only get

$ curl -i -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test
HTTP/1.1 404 Not Found
Date: Wed, 15 Feb 2017 14:35:14 GMT
Content-Type: text/json;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 337
Vary: Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id_8000=ee2f22f1c69a96be792938a883934b541b503d89; expires=Thu, 16 Feb 2017 14:35:10 GMT; httponly; Path=/; secure
Server: Splunkd

{"status": 404, "error": "Stream with specified id not found", "success": false}

I assume that I can just take the sessionID for the cookie so


But when I look at the POST command I also need

  • splunkweb_csrf_token_8000=
  • X-Splunk-Form-Key:

Where do I get these from?

0 Karma

Splunk Employee
Splunk Employee

Hi. Just FYI:
The Stream REST API docs have been updated with instructions on how to generate the required tokens. See:

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...