Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Cloud Platform
- :
- Re: How do I create an index using REST API?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I create an index using REST API?
Hi All,
According to the documentation for Splunk Cloud Classic Experience
If your Splunk Cloud Platform deployment is on Classic Experience, you can manage your indexes programmatically using the Splunk REST API cluster_blaster_indexes/sh_indexes_manager endpoint.
Manage indexes on Splunk Cloud Platform Classic Experience - Splunk Documentation
When I used the command:
curl -k -H "Authorization: Bearer MyToken" https://MySplunk.splunkcloud.com:8089/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json
I get this respond:
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta http-equiv="refresh" content="1;url=https://XX.splunkcloud.com/en-US/servicesNS/nobody/search/data/indexes"><title>303 See Other</title></head><body><h1>See Other</h1><p>The resource has moved temporarily <a href="https://XX.splunkcloud.com/en-US/servicesNS/nobody/search/data/indexes">here</a>.</p></body></html>
This brings me to a 404 page
Basically I want to create an Index using REST API on Splunk Cloud (Classic Experience)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you certain you had the :8089 as part of your curl url? AND you used the correct url?
The redirection response you have provided is identical to the one that Splunk Web (i.e. port 443 OR no port specified with HTTPS) would give in response to a request for /servicesNS/nobody/search/data/indexes (Which would be the enterprise API url instead of the cluster blaster one you state in your post.)
Deliberately omitting the :8089 from the cluster_blaster_indexes request against my classic stack I get the following:
$ curl https://redacted.splunkcloud.com/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><meta http-equiv="refresh" content="1;url=https://redacted.splunkcloud.com/en-US/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json"><title>303 See Other</title></head><body><h1>See Other</h1><p>The resource has moved temporarily <a href="https://redacted.splunkcloud.com/en-US/services/cluster_blaster_indexes/sh_indexes_manager?output_mode=json">here</a>.</p></body></html>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably already figured it out by now but you will can use the ACS CLI or Terraform splunk/scp provider to manage indexes in Splunk Cloud.
Splunk ACS API REST reference:
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Config/ACSREF#Manage_indexes
Creating a new index in Splunk Cloud example:
curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes'
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "testindex"
}'ACS CLI:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSCLI
Splunk Splunk Cloud Platform Terraform provider:
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
