All Apps and Add-ons

Splunk Stream: How to configure streams using REST API?


Hello Splunkers

There is a partial REST API documentation.
There is a lot of information missing.

We are really interested in configuring our streams using the REST API.
Especially, since we are unable to use the SDK, because we are using python3.

Current, urgent use case
We want to create, modify and delete streams


0 Karma

Path Finder

A splunkd endpoint (Rest API) resides on port 8089 by default. In order to access these from code running in the browser, it needs to be “expose” setting in $SPLUNK_HOME/etc/system/default/web.conf. Or else it gives cross-origin prevention and CSRF protections in the browser.
To resolve this you are trying to send tokens for splunkweb_csrf_token_8000, splunkd_8000 and session_id_8000.
Actually these token are saved in your browser as cookies when u login to splunk web browser.
U need not to explicitly send in the request header. In turn, the browser will send these tokens in request header. U can see this in network section of browser.

0 Karma

Splunk Employee
Splunk Employee

hi. The Splunk Stream REST API docs have been updated with new request/response examples, parameter information, etc., for each operation. To use the /streams endpoint to create, modify, and delete streams, see:


0 Karma




What I don't understand yet is how do I get the tokens
The /streams/ GET command comments
The cookies and x-splunk-form-key can be obtained from the GET request's response headers.

But when I run it I only get

$ curl -i -k https://localhost:8000/en-US/custom/splunk_app_stream/streams/test
HTTP/1.1 404 Not Found
Date: Wed, 15 Feb 2017 14:35:14 GMT
Content-Type: text/json;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 337
Vary: Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id_8000=ee2f22f1c69a96be792938a883934b541b503d89; expires=Thu, 16 Feb 2017 14:35:10 GMT; httponly; Path=/; secure
Server: Splunkd

{"status": 404, "error": "Stream with specified id not found", "success": false}

I assume that I can just take the sessionID for the cookie so


But when I look at the POST command I also need

  • splunkweb_csrf_token_8000=
  • X-Splunk-Form-Key:

Where do I get these from?

0 Karma

Splunk Employee
Splunk Employee

Hi. Just FYI:
The Stream REST API docs have been updated with instructions on how to generate the required tokens. See:

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...