
REST API Modular Input

This is a Splunk Modular Input for polling data from REST APIs and indexing the responses

Splunk REST API Modular Input v1.5.7


This is a Splunk modular input add-on for polling REST APIs.

Activation Key

You require an activation key to use this App. Visit http://www.baboonbones.com/#activation to obtain a non-expiring key


  • Perform HTTP(s) GET/POST/PUT/HEAD requests to REST endpoints and output the responses to Splunk
  • Multiple authentication mechanisms
  • Add custom HTTP(s) Header properties
  • Add custom URL arguments
  • HTTP(s) Streaming Requests
  • HTTP(s) proxy support, including the HTTP CONNECT verb
  • Response regex patterns to filter out responses
  • Configurable polling interval
  • Configurable timeouts
  • Configurable indexing of error codes
  • Persist and retrieve cookies


The following authentication mechanisms are supported:

  • None
  • HTTP Basic
  • HTTP Digest
  • OAuth1
  • OAuth2 (with auto refresh of the access token)
  • Custom

Custom Authentication Handlers

You can provide your own custom Authentication Handler. This is a Python class that you should add to the rest_ta/bin/authhandlers.py module.


You can then declare this class name and any parameters in the REST Input setup page.

Custom Response Handlers

You can provide your own custom Response Handler. This is a Python class that you should add to the rest_ta/bin/responsehandlers.py module.

You can then declare this class name and any parameters in the REST Input setup page.

Token substitution in Endpoint URL

The endpoint URL supports dynamic token substitution.

e.g. /someurl/foo/$sometoken$/goo

$sometoken$ is substituted with the output of the 'sometoken' function in bin/tokens.py

So you can add your own tokens simply by adding a function to bin/tokens.py

Currently there is 1 token implemented, $datetoday$, which resolves to today's date in the format "2014-02-18"

Token replacement functions in the URL can also return a list of values. This causes
multiple URLs to be formed, and the requests for these URLs are executed in parallel in multiple threads.
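
The substitution and list fan-out described above, sketched as an added example; this is not the add-on's own code. `expand_url`, the `TOKENS` allowlist and the `regions` token are hypothetical names, and the percent-encoding of token output is an assumption about how you would want it handled, not documented behaviour of the app.

```python
import re
from datetime import date
from itertools import product
from urllib.parse import quote


# Token functions in the style the page describes for bin/tokens.py.
def datetoday():
    """Today's date as YYYY-MM-DD, like the $datetoday$ token."""
    return date.today().isoformat()


def regions():
    """Hypothetical list-valued token: one URL is formed per element."""
    return ["eu-west", "us/east", "../admin"]  # constructed sample values


TOKENS = {"datetoday": datetoday, "regions": regions}  # explicit allowlist
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def expand_url(template, tokens=TOKENS):
    """Return every URL formed by substituting $name$ tokens in template.

    Undefined tokens raise instead of reaching the remote endpoint as
    literal text, and each value is percent-encoded so that it cannot add
    path segments or query arguments to the URL.
    """
    names = TOKEN_RE.findall(template)
    unknown = sorted(set(names) - set(tokens))
    if unknown:
        raise KeyError("undefined token(s): " + ", ".join(unknown))
    unique = list(dict.fromkeys(names))  # de-duplicate, keep first-seen order
    choices = []
    for name in unique:
        value = tokens[name]()
        values = value if isinstance(value, (list, tuple)) else [value]
        choices.append([quote(str(v), safe="") for v in values])
    urls = []
    for combo in product(*choices):  # one URL per combination of values
        mapping = dict(zip(unique, combo))
        urls.append(TOKEN_RE.sub(lambda m: mapping[m.group(1)], template))
    return urls
```

Token functions run with the input's privileges and their output becomes part of an outbound request, so values derived from files, earlier responses or other external data are worth encoding or validating before they reach the URL.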


  • Splunk 5.0+
  • Supported on Windows, Linux, MacOS, Solaris, FreeBSD, HP-UX, AIX


  • Untar the release to your $SPLUNK_HOME/etc/apps directory
  • Restart Splunk
  • If you are using a Splunk UI, browse to Settings -- Data Inputs -- REST to add a new input stanza via the UI
  • If you are not using a Splunk UI (e.g. you are running on a Universal Forwarder), you need to add a stanza to inputs.conf directly, as per the specification in README/inputs.conf.spec. The inputs.conf file should be placed in a local directory under an App or User context.


Any log entries/errors will get written to $SPLUNK_HOME/var/log/splunk/splunkd.log

These are also searchable in Splunk : index=_internal error rest.py


  • Check that you are using Splunk 5+
  • Look for any errors in $SPLUNK_HOME/var/log/splunk/splunkd.log
  • Check for any firewalls blocking outgoing HTTP calls
  • Check that your REST URL, headers and URL arguments are correct
  • Check that your authentication is set up correctly



Release Notes

Version 1.5.7
Aug. 13, 2019

added client certificate config options

Version 1.5.6
April 23, 2019

updated docs

Version 1.5.5
April 19, 2019

added trial key functionality

Version 1.5.4
March 6, 2019

added a triggers stanza to app.conf to prevent reloading after saving state back to inputs.conf

Version 1.5.3
June 4, 2018

Patched a bug to callbacks to Splunk for persisting state that required the activation key in the payload

Version 1.5.2
June 3, 2018

minor manager xml ui tweak for 7.1

Version 1.5.1
May 30, 2018

Corrected a build bug with responsehandlers

Version 1.5
May 27, 2018

Added an activation key requirement, visit http://www.baboonbones.com/#activation to obtain a free, non-expiring key
Added support for HEAD requests
Docs updated
Splunk 7.1 compatible

Version 1.4
Sept. 2, 2015

Delimiter fix

Version 1.3.9
July 15, 2015

Can now declare a CRON pattern for your polling interval.
Multiple requests spawned by tokenization can be declared to run in parallel or sequentially.
Multiple sequential requests can optionally have a stagger time enforced between each request.

Version 1.3.8
July 12, 2015

Minor code fix for a logging statement error

Version 1.3.7
July 3, 2015

Added support for token replacement functions in the URL to be able to return a list
of values, which will cause multiple URLs to be formed, and the requests for these
URLs will be executed in parallel in multiple threads. See tokens.py

Version 1.3.6
Jan. 27, 2015

Added a custom response handler for rolling out generic JSON arrays
Refactored key=value delimited string handling to only split on the first "=" delimiter

Version 1.3.5
Aug. 20, 2014

Ensure that token substitution in the endpoint URL is dynamically applied for each
HTTP request

Version 1.3.4
Feb. 18, 2014

Added support for dynamic token substitution in the endpoint URL

e.g. /someurl/foo/$sometoken$/goo

$sometoken$ will get substituted with the output of the 'sometoken' function
in bin/tokens.py

Currently have just shipped with 1 example token $datetoday$ which will dynamically resolve to today's date in format 2014-02-18

Version 1.3.3
Feb. 14, 2014

Added support for sending and persisting cookies

Version 1.3.2
Oct. 30, 2013

Changed the logic for persistence of state back to inputs.conf to occur directly after polling/event indexing has completed rather than waiting for the polling loop frequency sleep period to exit. This potentially deals with situations where you might terminate Splunk before the REST Mod Input has persisted state changes back to inputs.conf because it was in a sleep loop during shutdown.

Version 1.3.1
Oct. 24, 2013

Cosmetic fix for 1.3 release

Version 1.3
Oct. 24, 2013

Added a new feature that will automatically persist updates to URL Arguments, HTTP Header Properties or HTTP Request Body content back to your inputs.conf stanza. Such a scenario might occur if you are using a custom response handler to dynamically calculate URL Arguments, such as a timestamp or event paging cursor, and you want this latest state to be persisted back into your configuration so that if you need to restart the REST input, its configuration is in the latest polled state and can resume polling from where it left off.

Version 1.2
Oct. 16, 2013

Upgraded underlying python requests library to version 2.0, primarily to support the HTTP CONNECT verb

Version 1.1
Aug. 14, 2013

Added support for a user-defined delimiter for multiple "key=value" fields.
Added hooks in responsehandlers.py for custom handling of responses, for use cases such as URL arguments/HTTP header properties that might require a dynamic value per request, HTTP REL Header link following, and dynamically changing the endpoint URL.

Version 1.0.6beta
July 10, 2013

Strip newlines from default output, and add unbroken attribute to XML output stream so that Splunk props/transforms can be applied

Version 1.0.5beta
July 8, 2013

Added more robust exception handling

Version 1.0.4beta
June 25, 2013

Fixed minor script bug when printing http errors

Version 1.0.3beta
June 25, 2013

Added support for POST and PUT HTTP Methods for getting data. Not RESTful per se, but a useful out for APIs that are "REST like"

Version 1.0.2beta
June 20, 2013

Renamed the manager xml file to avoid naming clashes

Version 1.0.1beta
June 17, 2013

Fixed some spelling typos

Version 1.0beta
June 10, 2013

First release

