Splunk Enterprise (version v1.*.*)

acknowledge_saved_search_alert_suppression

Acknowledge the named saved search alert suppression and resume alerting.

Parameters

search_name (required)

Type: string

key

The suppression key used in field-based suppression. For example, in host-based suppression, with data from 5 hosts, the key is the host, as each host could have a different suppression expiration time.

Type: string

control_job

Run a job control command.

Parameters

action (required)

Type: string

Potential values: pause, unpause, finalize, cancel, touch, setttl, setpriority, enablepreview, disablepreview, setworkloadpool

search_id (required)

Type: string

create_and_stream_search_job

Start a new search and return the search ID. Stream search results as they become available.

Parameters

$body

Type: object

{
"force_bundle_replication" : "Specifies whether this search should cause (and wait depending on the value of sync_bundle_replication) for bundle synchronization with all search peers.",
"search_mode" : "If set to realtime, search runs over live data. A real-time search may also be indicated by earliest_time and latest_time variables starting with 'rt' even if the search_mode is set to normal or is unset. For a real-time search, if both earliest_time and latest_time are both exactly 'rt', the search represents all appropriate live data received since the start of the search. Additionally, if earliest_time and/or latest_time are 'rt' followed by a relative time specifiers then a sliding window is used where the time bounds of the window are determined by the relative time specifiers and are continuously updated based on the wall-clock time.",
"status_buckets" : "The maximum number of status buckets to generate. 0 indicates to not generate timeline information.",
"replay_lt" : "Relative end time for the replay clock. The replay stops when clock time reaches this time.",
"sync_bundle_replication" : "Specifies whether this search should wait for bundle replication to complete.",
"allow_partial_results" : "Indicates whether the search job can proceed to provide partial results if a search peer fails. When set to false, the search job fails if a search peer providing results for the search job fails.",
"auto_cancel" : "If specified, the job automatically cancels after this many seconds of inactivity. (0 means never auto-cancel)",
"auto_pause" : "If specified, the search job pauses after this many seconds of inactivity. (0 means never auto-pause.) To restart a paused search job, specify unpause as an action to POST search/jobs/{search_id}/control. Auto_pause only goes into effect once. Unpausing after auto_pause does not put auto_pause into effect again.",
"rt_queue_size" : "For a real-time search, the queue size (in events) that the indexer should use for this search.",
"timeout" : "The number of seconds to keep this search after processing has stopped.",
"spawn_process" : "Specifies whether the search should run in a separate spawned process. Default is true. Searches against indexes must run in a separate process.",
"max_count" : "The number of events that can be accessible in any given status bucket. Also, in transforming mode, the maximum number of results to store. Specifically, in all calls, offset+count is bounded by max_count.",
"reuse_max_seconds_ago" : "Specifies the number of seconds ago to check when an identical search is started and return the job's search ID instead of starting a new job.",
"search_listener" : "Registers a search state listener with the search.",
"reload_macros" : "Specifies whether to reload macro definitions from macros.conf.",
"rt_maxblocksecs" : "For a real-time search with rt_blocking set to true, the maximum time to block. Specify 0 to indicate no limit.",
"search" : "The search language string to execute, taking results from the local and remote servers.",
"index_earliest" : "Specify a time string. Sets the earliest (inclusive) time bound for the search, based on the index time bounds. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Compare to earliest_time parameter. Also see comment for the search_mode parameter. Refer to Time modifiers for search for information and examples of specifying a time string.",
"now" : "Specify a time string to set the absolute time used for any relative time specifier in the search. Defaults to the current system time. You can specify a relative time modifier for this parameter. For example, specify +2d to specify the current time plus two days. If you specify a relative time modifier both in this parameter and in the search string, the search string modifier takes precedence. Refer to Time modifiers for search for details on specifying relative time modifiers.",
"indexedRealtimeOffset" : "Set disk sync delay for indexed real-time search (seconds).",
"id" : "Optional string to specify the search ID. If unspecified, a random ID is generated.",
"max_time" : "The number of seconds to run this search before finalizing. Specify 0 to never finalize.",
"indexedRealtime" : "Indicate whether or not to use indexed-realtime mode for real-time searches.",
"replay_et" : "Relative \"wall clock\" start time for the replay.",
"time_format" : "Used to convert a formatted time string from {start,end}_time into UTC seconds. The default value is the ISO-8601 format.",
"adhoc_search_level" : "Use one of the following search modes.",
"exec_mode" : "If set to normal, runs an asynchronous search. If set to blocking, returns the sid when the job is complete. If set to oneshot, returns results in the same call. In this case, you can specify the format for the output (for example, json output) using the output_mode parameter as described in GET search/jobs/export. Default format for output is xml.",
"workload_pool" : "Specifies the new workload pool where the existing running search should be placed.",
"replay_speed" : "Indicate a real-time search replay speed factor. For example, 1 indicates normal speed. 0.5 indicates half of normal speed, and 2 indicates twice as fast as normal. Earliest_time and latest_time arguments must indicate a real-time time range to use replay options. Use replay_speed with replay_et and replay_lt relative times to indicate a speed and time range for the replay. For more information about using relative time modifiers, see Search time modifiers in the Search reference.",
"reduce_freq" : "Determines how frequently to run the MapReduce reduce phase on accumulated map values.",
"enable_lookups" : "Indicates whether lookups should be applied to events. Specifying true (the default) may slow searches significantly depending on the nature of the lookups.",
"index_latest" : "Specify a time string. Sets the latest (exclusive) time bound for the search, based on the index time bounds. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to latest_time parameter. Also see comment for the search_mode parameter.",
"rf" : "Adds a required field to the search. There can be multiple rf POST arguments to the search. These fields, even if not referenced or used directly by the search, are still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view. Consider using this form of passing the required fields to the search instead of the deprecated required_field_list. If both rf and required_field_list are provided, the union of the two lists is used.",
"earliest_time" : "Specify a time string. Sets the earliest (inclusive) time bound for the search. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to index_earliest parameter. Also see comment for the search_mode parameter.",
"rt_blocking" : "For a real-time search, indicates if the indexer blocks if the queue for this search is full.",
"namespace" : "The application namespace in which to restrict searches. The namespace corresponds to the identifier recognized in the /services/apps/local endpoint.",
"auto_finalize_ec" : "Auto-finalize the search after at least this many events are processed. Specify 0 to indicate no limit.",
"rt_indexfilter" : "For a real-time search, indicates if the indexer prefilters events.",
"latest_time" : "Specify a time string. Sets the latest (exclusive) time bound for the search. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to index_latest parameter. Also see comment for the search_mode parameter.",
"remote_server_list" : "Comma-separated list of (possibly wildcarded) servers from which raw events should be pulled. This same server list is to be used in subsearches."
}

create_metric_alert

Create a streaming metric alert.

Parameters

$body

Type: object

{
"metric_indexes" : "Specify one or more metric indexes, delimited by comma. Combines with the filter setting to define the search result dataset that the alert monitors for the alert condition.",
"action.script" : "Indicates whether script is enabled or disabled for a particular metric alert.",
"description" : "Provide a description of the streaming metric alert.",
"action.logevent" : "Indicates whether logevent is enabled or disabled for a particular metric alert.",
"action.rss" : "Indicates whether rss is enabled or disabled for a particular metric alert.",
"groupby" : "Provide a list of dimension fields, delimited by comma, for the group-by clause of the alert search. This results in multiple aggregation values, one per group, instead of one aggregation value.",
"label" : { },
"action.email" : "Indicates whether email is enabled or disabled for a particular metric alert.",
"filter" : "Specify one or more Boolean equality expressions to define the search result dataset to monitor for an alert condition. Link multiple Boolean expressions with the AND operator. The filter does not support subsearches, macros, tags, event types, or time modifiers such as 'earliest' or 'latest'. This setting combines with the metric_indexes setting to provide the complete search filter for the alert.",
"condition" : "Boolean eval expression. Specifies an alert condition for one or more metric_name and aggregation pairs. You can set alert conditions that include multiple Boolean operators, eval functions, and metric aggregations. The Splunk software applies this evaluation to the results of the alert search on a regular interval. When the alert condition evaluates to 'true', the alert is triggered. Must reference at least one aggregation clause in single quotes. The condition can also reference dimensions specified in the groupby setting.",
"action.webhook" : "Indicates whether webhook is enabled or disabled for a particular metric alert.",
"trigger.expires" : "Set the period of time that a triggered alert record displays on the Triggered Alerts page. Use a number followed by a unit, where the unit can be 'm' for minutes, 'h' for hours, and 'd' for days. Set to 0 to make triggered alerts expire immediately so they do not appear on the Triggered Alerts page at all. Default is 24h.",
"trigger.max_tracked" : "Specify the maximum number of instances of this alert that can display in the triggered alerts dashboard. When this threshold is passed, the Splunk software removes the earliest instances from the dashboard to honor this maximum number. Set to 0 to remove the cap. Defaults to 20.",
"name" : "Specify the name of the streaming metric alert.",
"trigger.suppress" : "Define the suppression period to silence alert actions and notifications. The suppression period goes into effect when an alert is triggered. During this period, if the alert is triggered again, its actions do not happen and its notifications do not go out. When the period elapses, a subsequent triggering of the alert causes alert actions and notifications to take place as usual, and the alert is suppressed again. Use a number followed by m to specify a timespan in minutes. Default is 0m."
}
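The timespan settings in the metric alert body above (trigger.suppress, trigger.expires) and the saved-search settings later on this page (alert.suppress.period, alert.expires, the Integer[m|s|h|d] maxtime values and the Integer[p] ttl values) all share the same `[number][time-unit]` notation, and the suppression behaviour they describe is what the `key` parameter of acknowledge_saved_search_alert_suppression clears. The following is an added example, not Splunk code and not part of the original page: a parser for those values, a consistency check for the alert.suppress* settings, and a small model of per-key suppression that follows the page's description (silenced for one period after a trigger, re-armed when the period elapses or the key is acknowledged). The `AlertSuppressor` class, the `validate_suppression` checks and the constructed sample settings are assumptions for illustration; the digest_mode rule encodes the alert.suppress.fields requirement as stated on this page.

```python
"""Parse Splunk-style alert timespans and model per-key suppression.

Added example; not Splunk's implementation. The function names and the
AlertSuppressor class are assumptions made for illustration.
"""
import re

# Seconds per unit for '[number][time-unit]' values: 60 = 60 s, 1m, 1h, 1d.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TIMESPAN = re.compile(r"^\s*(\d+)\s*([smhd])?\s*$")
_TTL = re.compile(r"^\s*(\d+)(p?)\s*$")


def parse_timespan(value, default_unit="s"):
    """Return the number of seconds for a '[number][time-unit]' value.

    A bare number is taken in default_unit (seconds, as for
    alert.suppress.period); '0' means no period / expire immediately.
    """
    m = _TIMESPAN.match(str(value))
    if not m:
        raise ValueError(f"invalid timespan: {value!r}")
    number, unit = int(m.group(1)), (m.group(2) or default_unit)
    return number * UNIT_SECONDS[unit]


def parse_ttl(value, period_seconds=None):
    """Return seconds for an Integer[p] ttl; 'p' means scheduled periods."""
    m = _TTL.match(str(value))
    if not m:
        raise ValueError(f"invalid ttl: {value!r}")
    number = int(m.group(1))
    if m.group(2) == "p":
        if period_seconds is None:
            raise ValueError("a 'p' ttl needs the search period in seconds")
        return number * period_seconds
    return number


def validate_suppression(settings):
    """Return a list of problems with a saved search's alert.suppress* keys.

    Checks (constructed from the page's descriptions): an enabled
    suppression needs a parseable period, and per-result alerting
    (alert.digest_mode=0) with suppression needs alert.suppress.fields.
    """
    problems = []
    if str(settings.get("alert.suppress", "0")) != "1":
        return problems
    period = settings.get("alert.suppress.period")
    if period is None:
        problems.append("alert.suppress=1 but alert.suppress.period is missing")
    else:
        try:
            parse_timespan(period)
        except ValueError as exc:
            problems.append(str(exc))
    if str(settings.get("alert.digest_mode", "1")) == "0" and not settings.get(
        "alert.suppress.fields"
    ):
        problems.append("per-result alerting with suppression requires alert.suppress.fields")
    return problems


class AlertSuppressor:
    """Model of field-based suppression: one silence window per key."""

    def __init__(self, period):
        self.period = parse_timespan(period)
        self._silenced_until = {}  # key -> epoch seconds when silence ends

    def trigger(self, key, now):
        """Return True if actions should run for a trigger on `key` at `now`."""
        until = self._silenced_until.get(key)
        if until is not None and now < until:
            return False  # still inside the suppression period
        if self.period > 0:
            self._silenced_until[key] = now + self.period
        return True

    def acknowledge(self, key):
        """Clear the silence for `key`, as the acknowledge endpoint does."""
        self._silenced_until.pop(key, None)


if __name__ == "__main__":
    # Constructed scenario: host-based suppression of 5 minutes for two hosts.
    s = AlertSuppressor("5m")
    for t, host in [(0, "hostA"), (60, "hostA"), (60, "hostB"), (400, "hostA")]:
        print(t, host, "fire" if s.trigger(host, t) else "suppressed")
```

The model deliberately keys the silence window on the suppression field value rather than on the search as a whole, which is why acknowledging one host's key re-arms only that host; that mirrors the page's host-based example, where each host can carry its own expiration time.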

Create a saved search.

Parameters

$body

Type: object

{
"alert.suppress.period" : "Valid values: [number][time-unit] Specifies the suppression period. Only valid if alert.suppress is enabled. Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.",
"action.rss.hostname" : "Sets the hostname used in the web link (url) sent in alert actions. This value accepts two forms. hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443) See action.email.hostname for details.",
"action.email.inline" : "Indicates whether the search results are contained in the body of the email. Results can be either inline or attached to an email. See action.email.sendresults.",
"action.rss.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 1m.",
"action.email.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"action.email.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"dispatch.*" : "Wildcard argument that accepts any dispatch related argument.",
"alert_threshold" : "Valid values are Integer[%]. Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to \"rises by perc\" or \"drops by perc.\"",
"action.email" : "The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"action.email.preprocess_results" : "Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing). Usually the preprocessing consists of filtering out unwanted internal fields.",
"action.script.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"action.email.bcc" : "BCC email address to use if action.email is enabled.",
"auto_summarize.dispatch.latest_time" : "A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"auto_summarize.suspend_period" : "Time specifier indicating when to suspend summarization of this search if the summarization is deemed unhelpful. Defaults to 24h.",
"action.populate_lookup.hostname" : "Sets the hostname used in the web link (url) sent in alert actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443) See action.email.hostname for details.",
"auto_summarize.dispatch.earliest_time" : "A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"action.script.ttl" : "Valid values are Integer[p]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows the integer, the integer is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"schedule_window" : "Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period. Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.",
"action.summary_index.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"alert_comparator" : "Used with alert_threshold to trigger alert actions.",
"action.script.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"alert.suppress.fields" : "Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.",
"action.email.cc" : "CC email address to use if action.email is enabled.",
"dispatch.time_format" : "A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z.",
"dispatch.rt_maximum_span" : "Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf. Default for saved searches is \"unset\", falling back to the limits.conf setting.",
"action.email.from" : "Email address from which the email action originates. Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.",
"action.email.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"dispatch.indexedRealtimeMinSpan" : "Allows for a per-job override of the [search] indexed_realtime_default_span setting in limits.conf. Default for saved searches is \"unset\", falling back to the limits.conf setting.",
"action.email.use_tls" : "Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). Defaults to false.",
"auto_summarize.timespan" : "The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers. For example a timechart over the last month whose granularity is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use 1h,1d.",
"actions" : "A comma-separated list of actions to enable. For example: rss,email",
"dispatch.indexedRealtime" : "Indicates whether to use indexed-realtime mode when doing real-time searches.",
"action.email.to" : "A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.",
"action.script.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"auto_summarize.max_time" : "Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600. Note: This is an approximate time. The summary search stops at clean bucket boundaries.",
"allow_skew" : "Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods. Defaults to 0 (skew disabled). This setting does not require adjusting in most use cases. Check with an admin before making any updates. When set to a non-zero value for searches with the following cron_schedule values, the search scheduler randomly skews the second, minute, and hour on which the search runs.\n* * * * * Every minute. */M * * * * Every M minutes (M > 0). 0 * * * * Every hour. 0 */H * * * Every H hours (H > 0). 0 0 * * * Every day (at midnight). When set to a non-zero value for a search that has any other cron_schedule setting, the search scheduler can randomly skew only the second on which the search runs. The amount of skew for a specific search remains constant between edits of the search. A value of 0 disallows skew; 0 is the default setting. A percentage followed by % specifies the maximum amount of time to skew as a percentage of the scheduled search period. A duration specifies a maximum duration. The unit can be omitted only when the number is 0. Valid duration units are\n m\n min\n minute\n mins\n minutes\n h\n hr\n hour\n hrs\n hours\n d\n day\n days\nExamples\n 100% (for an every-5-minute search) = 5 minutes maximum\n 50% (for an every-minute search) = 30 seconds maximum\n 5m = 5 minutes maximum\n 1h = 1 hour maximum",
"action.email.reportCIDFontList" : "Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering. If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used. To skip loading any CID fonts, specify the empty string. Defaults to \"gb cns jp kor\"",
"action.email.reportIncludeSplunkLogo" : "Indicates whether to include the Splunk logo with the report.",
"action.script" : "The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"max_concurrent" : "The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.",
"action.email.use_ssl" : "Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.",
"alert_type" : "What to base the alert on, overridden by alert_condition if it is specified.",
"search" : "Required. The search to save.",
"action.summary_index.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"dispatch.rt_backfill" : "Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.",
"alert.expires" : "Valid values: [number][time-unit] Sets the period of time to show the alert in the dashboard. Defaults to 24h. Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.",
"displayview" : "Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.",
"action.email.subject" : "Specifies an alternate email subject. Defaults to SplunkAlert-.",
"disabled" : "Indicates if the saved search is enabled. Defaults to 0. Disabled saved searches are not visible in Splunk Web.",
"auto_summarize.max_summary_ratio" : "The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1. Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.",
"action.email.maxresults" : "Sets the global maximum number of search results to send when action.email is enabled. Defaults to 100.",
"cron_schedule" : "The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes. cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.",
"is_visible" : "Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.",
"auto_summarize.command" : "A search template that constructs the auto summarization for this search. Defaults to summarize override=partial timespan=$auto_summarize.timespan$ max_summary_size=$auto_summarize.max_summary_size$ max_summary_ratio=$auto_summarize.max_summary_ratio$ max_disabled_buckets=$auto_summarize.max_disabled_buckets$ max_time=$auto_summarize.max_time$ [ $search$ ] Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches.",
"action.summary_index.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"alert.track" : "Specifies whether to track the actions triggered by this scheduled search. auto - (Default) determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search.",
"action.summary_index" : "The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0",
"action.populate_lookup.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"dispatch.max_time" : "Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.",
"action.script.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"action.email.reportServerEnabled" : "Not supported.",
"qualifiedSearch" : "Read-only attribute. Value ignored on POST. This value is computed during runtime.",
"action.populate_lookup.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"action.summary_index._name" : "Specifies the name of the summary index where the results of the scheduled search are saved. Defaults to \"summary.\"",
"action.rss.ttl" : "Valid values are Integer[p]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows the integer, the integer is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"action.summary_index.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"dispatch.max_count" : "The maximum number of results before finalizing the search. Defaults to 500000.",
"action.email.reportPaperSize" : "Specifies the paper size for PDFs. Defaults to letter.",
"alert.digest_mode" : "Specifies whether alert actions are applied to the entire result set or on each individual result. Defaults to 1.",
"action.email.pdfview" : "The name of the view to deliver if sendpdf is enabled",
"auto_summarize.dispatch.time_format" : "Defines the time format used to specify the earliest and latest time. Defaults to %FT%T.%Q%:z",
"action.email.reportPaperOrientation" : "Specifies the paper orientation. Defaults to portrait.",
"next_scheduled_time" : "Read-only attribute. Value ignored on POST. There are some old clients who still send this value",
"dispatch.latest_time" : "A time string that specifies the latest time for this saved search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"action.email.format" : "Specify the format of text in the email. This value also applies to any attachments.",
"is_scheduled" : "Whether this search is to be run on a schedule",
"auto_summarize.max_disabled_buckets" : "The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.",
"action.populate_lookup.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"alert.severity" : "Sets the alert severity level. Valid values are: 1 DEBUG 2 INFO 3 WARN (default) 4 ERROR 5 SEVERE 6 FATAL",
"request.ui_dispatch_view" : "Specifies a field used by Splunk Web to denote the view this search should be displayed in.",
"dispatch.buckets" : "The maximum number of timeline buckets. Defaults to 0.",
"dispatch.lookups" : "Enables or disables the lookups for this search. Defaults to 1.",
"alert.suppress" : "Indicates whether alert suppression is enabled for this scheduled search.",
"action.email.auth_username" : "The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string. NOTE: Your SMTP server might reject unauthenticated emails.",
"dispatch.earliest_time" : "A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"realtime_schedule" : "Controls the way the scheduler computes the next execution time of a scheduled search. Defaults to 1. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).",
"action.populate_lookup.dest" : "Lookup name or path of the lookup to populate.",
"vsid" : "Defines the viewstate id associated with the UI view listed in 'displayview'. Must match up to a stanza in viewstates.conf.",
"action.email.sendpdf" : "Indicates whether to create and send the results as a PDF. Defaults to false.",
"auto_summarize.cron_schedule" : "Cron schedule that probes and generates the summaries for this saved search. The default value, */10 * * * * , corresponds to every ten hours.",
"dispatch.indexedRealtimeOffset" : "Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf. Default for saved searches is \"unset\", falling back to limits.conf setting.",
"action.summary_index.hostname" : "Sets the hostname used in the web link (url) sent in summary-index alert actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details.",
"name" : "Required. A name for the search.",
"action.summary_index.inline" : "Determines whether to execute the summary indexing action as part of the scheduled search. NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always). Defaults to true.",
"auto_summarize" : "Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.",
"action.rss.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"action.email.auth_password" : "The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart. Defaults to empty string.",
"run_on_startup" : "Indicates whether this search runs on startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set run_on_startup to true for scheduled searches that populate lookup tables.",
"action.email.width_sort_columns" : "Indicates whether columns should be sorted from least wide to most wide, left to right. Only valid if format=text.",
"action.email.mailserver" : "Set the address of the MTA server to be used to send the emails. Defaults to or whatever is set in alert_actions.conf.",
"action.populate_lookup.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"auto_summarize.dispatch.ttl" : "Integer[p]. Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. Defaults to 60.",
"action.email.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If the integer is followed by p, it is interpreted as a number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"description" : "Human-readable description of this saved search. Defaults to empty string.",
"action.rss" : "The state of the rss action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"action.populate_lookup.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If the integer is followed by p, it is interpreted as a number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"action.script.filename" : "File name of the script to call. Required if script action is enabled",
"action.summary_index.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If the integer is followed by p, it is interpreted as a number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"action.rss.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"auto_summarize.max_summary_size" : "The minimum summary size, in bytes, before testing whether the summarization is helpful. The default value, 52428800, is equivalent to 5MB.",
"action.email.hostname" : "Sets the hostname used in the web link (url) sent in email actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com), or protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443). When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails 'localhost'. When set to empty, default behavior is used.",
"action.rss.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"action.populate_lookup" : "The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"dispatch.reduce_freq" : "Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.",
"restart_on_searchpeer_add" : "Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1. Note: The peer can be a newly added peer or a peer down and now available.",
"action.script.hostname" : "Sets the hostname used in the web link (url) sent in alert actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com), or protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443). See action.email.hostname for details.",
"alert_condition" : "Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string. Alerts are triggered if the specified search yields a non-empty search result list. NOTE: If you specify an alert_condition, do not set counttype, relation, or quantity.",
"action.email.reportServerURL" : "Not supported. For a default locally installed report server, the URL is http://localhost:8091/",
"request.ui_dispatch_app" : "Specifies a field used by Splunk Web to denote the app this search should be dispatched in.",
"dispatch.spawn_process" : "Specifies whether to spawn a new search process when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.",
"action.email.sendresults" : "Indicates whether to attach the search results in the email. Results can be either attached or inline. See action.email.inline.",
"dispatch.ttl" : "Integer[p]. Defaults to 2p. Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered. If an action is triggered, the action ttl is used. If multiple actions are triggered, the maximum ttl is applied to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p', the ttl is interpreted as a multiple of the scheduled search period."
}

create_search_job#

Start a new search and return the search ID.

Parameters

$body#

Type: object

{
"force_bundle_replication" : "Specifies whether this search should cause (and wait depending on the value of sync_bundle_replication) for bundle synchronization with all search peers.",
"search_mode" : "If set to realtime, search runs over live data. A real-time search may also be indicated by earliest_time and latest_time variables starting with 'rt' even if the search_mode is set to normal or is unset. For a real-time search, if both earliest_time and latest_time are both exactly 'rt', the search represents all appropriate live data received since the start of the search. Additionally, if earliest_time and/or latest_time are 'rt' followed by a relative time specifiers then a sliding window is used where the time bounds of the window are determined by the relative time specifiers and are continuously updated based on the wall-clock time.",
"status_buckets" : "The maximum number of status buckets to generate. 0 indicates to not generate timeline information.",
"replay_lt" : "Relative end time for the replay clock. The replay stops when clock time reaches this time.",
"sync_bundle_replication" : "Specifies whether this search should wait for bundle replication to complete.",
"allow_partial_results" : "Indicates whether the search job can proceed to provide partial results if a search peer fails. When set to false, the search job fails if a search peer providing results for the search job fails.",
"auto_cancel" : "If specified, the job automatically cancels after this many seconds of inactivity. (0 means never auto-cancel)",
"auto_pause" : "If specified, the search job pauses after this many seconds of inactivity. (0 means never auto-pause.) To restart a paused search job, specify unpause as an action to POST search/jobs/{search_id}/control. Auto_pause only goes into effect once. Unpausing after auto_pause does not put auto_pause into effect again.",
"rt_queue_size" : "For a real-time search, the queue size (in events) that the indexer should use for this search.",
"timeout" : "The number of seconds to keep this search after processing has stopped.",
"spawn_process" : "Specifies whether the search should run in a separate spawned process. Default is true. Searches against indexes must run in a separate process.",
"max_count" : "The number of events that can be accessible in any given status bucket. Also, in transforming mode, the maximum number of results to store. Specifically, in all calls, offset + count must not exceed max_count.",
"reuse_max_seconds_ago" : "Specifies the number of seconds ago to check when an identical search is started and return the job's search ID instead of starting a new job.",
"search_listener" : "Registers a search state listener with the search.",
"reload_macros" : "Specifies whether to reload macro definitions from macros.conf.",
"rt_maxblocksecs" : "For a real-time search with rt_blocking set to true, the maximum time to block. Specify 0 to indicate no limit.",
"search" : "The search language string to execute, taking results from the local and remote servers.",
"index_earliest" : "Specify a time string. Sets the earliest (inclusive) time bound for the search, based on the index time bounds. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Compare to earliest_time parameter. Also see comment for the search_mode parameter. Refer to Time modifiers for search for information and examples of specifying a time string.",
"now" : "Specify a time string to set the absolute time used for any relative time specifier in the search. Defaults to the current system time. You can specify a relative time modifier for this parameter. For example, specify +2d to specify the current time plus two days. If you specify a relative time modifier both in this parameter and in the search string, the search string modifier takes precedence. Refer to Time modifiers for search for details on specifying relative time modifiers.",
"indexedRealtimeOffset" : "Set disk sync delay for indexed real-time search (seconds).",
"id" : "Optional string to specify the search ID. If unspecified, a random ID is generated.",
"max_time" : "The number of seconds to run this search before finalizing. Specify 0 to never finalize.",
"indexedRealtime" : "Indicate whether or not to use indexed-realtime mode for real-time searches.",
"replay_et" : "Relative \"wall clock\" start time for the replay.",
"time_format" : "Used to convert a formatted time string from {start,end}_time into UTC seconds. The default value is the ISO-8601 format.",
"adhoc_search_level" : "Use one of the following search modes.",
"exec_mode" : "If set to normal, runs an asynchronous search. If set to blocking, returns the sid when the job is complete. If set to oneshot, returns results in the same call. In this case, you can specify the format for the output (for example, json output) using the output_mode parameter as described in GET search/jobs/export. Default format for output is xml.",
"workload_pool" : "Specifies the new workload pool where the existing running search should be placed.",
"replay_speed" : "Indicate a real-time search replay speed factor. For example, 1 indicates normal speed. 0.5 indicates half of normal speed, and 2 indicates twice as fast as normal. Earliest_time and latest_time arguments must indicate a real-time time range to use replay options. Use replay_speed with replay_et and replay_lt relative times to indicate a speed and time range for the replay. For more information about using relative time modifiers, see Search time modifiers in the Search reference.",
"reduce_freq" : "Determines how frequently to run the MapReduce reduce phase on accumulated map values.",
"enable_lookups" : "Indicates whether lookups should be applied to events. Specifying true (the default) may slow searches significantly depending on the nature of the lookups.",
"index_latest" : "Specify a time string. Sets the latest (exclusive) time bound for the search, based on the index time bounds. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to latest_time parameter. Also see comment for the search_mode parameter.",
"rf" : "Adds a required field to the search. There can be multiple rf POST arguments to the search. These fields, even if not referenced or used directly by the search, are still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view. Consider using this form of passing the required fields to the search instead of the deprecated required_field_list. If both rf and required_field_list are provided, the union of the two lists is used.",
"earliest_time" : "Specify a time string. Sets the earliest (inclusive) time bound for the search. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to index_earliest parameter. Also see comment for the search_mode parameter.",
"rt_blocking" : "For a real-time search, indicates if the indexer blocks if the queue for this search is full.",
"namespace" : "The application namespace in which to restrict searches. The namespace corresponds to the identifier recognized in the /services/apps/local endpoint.",
"auto_finalize_ec" : "Auto-finalize the search after at least this many events are processed. Specify 0 to indicate no limit.",
"rt_indexfilter" : "For a real-time search, indicates if the indexer prefilters events.",
"latest_time" : "Specify a time string. Sets the latest (exclusive) time bound for the search. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to index_latest parameter. Also see comment for the search_mode parameter.",
"remote_server_list" : "Comma-separated list of (possibly wildcarded) servers from which raw events should be pulled. This same server list is to be used in subsearches."
}

delete_fired_alert#

Delete the record of this triggered alert.

Parameters

alert_name (required)#

Type: string

delete_metric_alert#

Deletes the named metric alert.

Parameters

alert_name (required)#

Type: string

Deletes the named saved search.

Parameters

search_name (required)#

Type: string

delete_scheduled_view#

Deletes the named scheduled view.

Parameters

view_name (required)#

Type: string

delete_search_job#

Deletes the named search job.

Parameters

search_id (required)#

Type: string

Dispatch the named saved search.

Parameters

search_name (required)#

Type: string

$body#

Type: object

{
"replay_speed" : "Indicate a real-time search replay speed factor. For example, 1 indicates normal speed. 0.5 indicates half of normal speed, and 2 indicates twice as fast as normal. earliest_time and latest_time arguments must indicate a real-time time range to use replay options. Use replay_speed with replay_et and replay_lt relative times to indicate a speed and time range for the replay. For example, replay_speed = 10, replay_et = -d@d, replay_lt = -@d specifies a replay at 10x speed, as if the 'wall clock' time starts yesterday at midnight and ends when it reaches today at midnight. For more information about using relative time modifiers, see Search time modifiers in the Search reference.",
"replay_et" : "Relative \"wall clock\" start time for the replay.",
"replay_lt" : "Relative end time for the replay clock. The replay stops when clock time reaches this time.",
"dispatchAs" : "Indicate the user context, quota, and access rights for the saved search. The saved search runs according to the context indicated.",
"dispatch.adhoc_search_level" : "Use one of the following search modes.",
"dispatch.now" : "Dispatch the search as if the specified time for this parameter was the current time.",
"trigger_actions" : "Indicates whether to trigger alert actions.",
"force_dispatch" : "Indicates whether to start a new search even if another instance of this search is already running."
}

dispatch_scheduled_view#

Dispatch the scheduled search associated with the {name} scheduled view.

Parameters

view_name (required)#

Type: string

$body#

Type: object

{
"dispatch.now" : "Dispatch the search as if the specified time for this parameter was the current time.",
"trigger_actions" : "Indicates whether to trigger alert actions.",
"force_dispatch" : "Indicates whether to start a new search even if another instance of this search is already running."
}

get_events_in_search_job#

Access {search_id} search events.

Parameters

search_id (required)#

Type: string

earliest_time#

A time string representing the earliest (inclusive) time bound for the results to be returned. If not specified, the range applies to all results found.

Type: string

f#

A field to return for the event set. You can pass multiple POST f arguments if multiple fields are required. If field_list and f are provided, the union of the lists is used.

Type: string

latest_time#

A time string representing the latest (exclusive) time bound for the results to be returned. If not specified, the range applies to all results found.

Type: string

max_lines#

The maximum number of lines that any single event _raw field should contain. Specify 0 for no limit.

Type: number

output_mode#

Specifies the format for the returned output.

Type: string

Potential values: atom, csv, json, json_cols, json_rows, raw, xml

output_time_format#

Formats a UTC time. Defaults to what is specified in time_format.

Type: string

search#

The post processing search to apply to results. Can be any valid search language string.

Type: string

segmentation#

The type of segmentation to perform on the data. This includes an option to perform k/v segmentation.

Type: string

time_format#

Expression to convert a formatted time string from {start,end}_time into UTC seconds.

Type: string

truncation_mode#

Specifies how "max_lines" should be achieved.

Type: string

Potential values: abstract, truncate

get_fired_alert#

List unexpired triggered instances of this alert.

Parameters

alert_name (required)#

Type: string

get_log_for_search_job#

Get the {search_id} search log.

Parameters

search_id (required)#

Type: string

attachment#

If true, returns search.log as an attachment. Otherwise, streams search.log.

Type: boolean

get_metric_alert#

Access the named streaming metric alert.

Parameters

alert_name (required)#

Type: string

get_parsing_for_search_language#

Parses Splunk search language and returns semantic map.

Parameters

enable_lookups#

If true, reverse lookups are done to expand the search expression.

Type: boolean

output_mode#

Specify output formatting.

Type: string

Potential values: xml, json

parse_only#

If true, disables expansion of the search that would otherwise result from evaluation of subsearches, time term expansion, lookups, tags, eventtypes, and sourcetype aliases.

Type: boolean

q#

The search string to parse.

Type: string

reload_macros#

If true, reload macro definitions from macros.conf.

Type: boolean

get_python_search_command#

Access search command information.

Parameters

command_name (required)#

Type: string

get_results_for_search_job#

Get {search_id} search results.

Parameters

search_id (required)#

Type: string

add_summary_to_metadata#

Set the value to "true" to include field summary statistics in the response.

Type: boolean

f#

A field to return for the event set. You can pass multiple POST f arguments if multiple fields are required. If field_list and f are provided, the union of the lists is used.

Type: string

output_mode#

Specifies the format for the returned output.

Type: string

Potential values: atom, csv, json, json_cols, json_rows, raw, xml

search#

The post processing search to apply to results. Can be any valid search language string.

Type: string

Access the named saved search.

Parameters

search_name (required)#

Type: string

get_scheduled_view#

Access the named scheduled view.

Parameters

view_name (required)#

Type: string

get_search_job#

Access the named search job.

Parameters

search_id (required)#

Type: string
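The operations above (create_search_job, get_search_job, get_results_for_search_job and delete_search_job) are the pieces of one job lifecycle: create, poll until done, read results, clean up. The following is an added example, not code from this connector reference or from Splunk, that drives that lifecycle through a pluggable transport so it runs offline. It assumes the public Splunk REST paths under /services/search/jobs (the page lists the operations but not their paths), assumes the transport sends a repeated f argument per requested field, and uses a constructed FakeSplunk transport with constructed sample events.

```python
"""Added example, not the connector's or Splunk's own code: the search-job lifecycle
listed on this page (create_search_job -> get_search_job -> get_results_for_search_job
-> delete_search_job) driven through a pluggable transport. The REST paths under
/services/search/jobs are an assumption of this example (they are the public Splunk
REST paths but are not stated on the page); FakeSplunk and its events are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# transport(method, path, params) -> (http_status, body_text)
Transport = Callable[[str, str, Dict[str, object]], Tuple[int, str]]


@dataclass
class SearchJobClient:
    transport: Transport

    def create_search_job(self, search: str, **params: str) -> str:
        # SPL must begin with a generating command; prepend "search " to filter queries.
        if not search.lstrip().startswith(("search ", "|")):
            search = "search " + search.lstrip()
        body: Dict[str, object] = {"search": search, "exec_mode": "normal",
                                   "output_mode": "json", **params}
        status, text = self.transport("POST", "/services/search/jobs", body)
        if status != 201:
            raise RuntimeError(f"create_search_job failed: {status} {text}")
        return json.loads(text)["sid"]

    def get_search_job(self, sid: str) -> dict:
        status, text = self.transport("GET", f"/services/search/jobs/{sid}",
                                      {"output_mode": "json"})
        if status != 200:
            raise RuntimeError(f"get_search_job failed: {status}")
        return json.loads(text)["entry"][0]["content"]

    def wait_until_done(self, sid: str, max_polls: int = 50) -> dict:
        # Poll until isDone; a job that failed (for example a search peer dropped out
        # with allow_partial_results=false) reports isFailed and must not be read as empty.
        for _ in range(max_polls):
            content = self.get_search_job(sid)
            if content.get("isFailed"):
                raise RuntimeError(f"job {sid} failed: {content.get('messages')}")
            if content.get("isDone"):
                return content
        raise TimeoutError(f"job {sid} not done after {max_polls} polls")

    def get_results_for_search_job(self, sid: str, fields: List[str]) -> List[dict]:
        # f is repeatable; the transport is assumed to send one f argument per field.
        params: Dict[str, object] = {"output_mode": "json", "f": fields}
        status, text = self.transport("GET", f"/services/search/jobs/{sid}/results", params)
        if status != 200:
            raise RuntimeError(f"get_results_for_search_job failed: {status}")
        return json.loads(text)["results"]

    def delete_search_job(self, sid: str) -> None:
        status, _ = self.transport("DELETE", f"/services/search/jobs/{sid}", {})
        if status != 200:
            raise RuntimeError(f"delete_search_job failed: {status}")


class FakeSplunk:
    """Constructed in-memory stand-in for the endpoints; a job completes on its second poll."""

    def __init__(self) -> None:
        self.jobs: Dict[str, dict] = {}

    def __call__(self, method: str, path: str, params: Dict[str, object]) -> Tuple[int, str]:
        if method == "POST" and path == "/services/search/jobs":
            sid = f"{len(self.jobs) + 1}.fake"
            self.jobs[sid] = {"search": params["search"], "polls": 0, "deleted": False}
            return 201, json.dumps({"sid": sid})
        m = re.fullmatch(r"/services/search/jobs/([^/]+)(/results)?", path)
        if not m or m.group(1) not in self.jobs or self.jobs[m.group(1)]["deleted"]:
            return 404, ""
        job = self.jobs[m.group(1)]
        if method == "GET" and m.group(2) is None:
            job["polls"] += 1
            content = {"isDone": job["polls"] >= 2, "isFailed": False}
            return 200, json.dumps({"entry": [{"content": content}]})
        if method == "GET":
            # Constructed sample output: two failed logins from one source address.
            events = [{"_time": "2024-01-01T00:00:00", "user": "alice", "src": "203.0.113.5"},
                      {"_time": "2024-01-01T00:00:01", "user": "bob", "src": "203.0.113.5"}]
            wanted = params.get("f") or list(events[0])
            return 200, json.dumps({"results": [{k: e[k] for k in wanted} for e in events]})
        if method == "DELETE":
            job["deleted"] = True
            return 200, ""
        return 405, ""


def run_failed_login_search(client: SearchJobClient) -> List[dict]:
    """Bounded detection search: time-boxed, capped result count, auto-cancelled if idle,
    and the job is deleted afterwards so its artifacts do not linger for dispatch.ttl."""
    sid = client.create_search_job(
        "index=auth action=failure | stats count by src, user",
        earliest_time="-24h", latest_time="now", max_count="1000", auto_cancel="300")
    try:
        client.wait_until_done(sid)
        return client.get_results_for_search_job(sid, ["user", "src"])
    finally:
        client.delete_search_job(sid)


if __name__ == "__main__":
    print(run_failed_login_search(SearchJobClient(FakeSplunk())))
```

To run it against a real deployment, replace FakeSplunk with a callable that performs the HTTP request with an authenticated session and returns the status code and body; the client code stays unchanged. The design choice worth noting is the try/finally around the job: a search job that is never deleted holds its artifacts until dispatch.ttl or auto_cancel expires, which is why the example always cleans up even when the poll loop raises.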

get_search_scheduler_status#

This operation has no parameters

get_summary_for_search_job#

Get the getFieldsAndStats output of the events to-date, for the search_id search.

Parameters

search_id (required)#

Type: string

earliest_time#

Time string representing the earliest (inclusive) time bound for the search. The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. (Also see comment for the search_mode variable.)

Type: string

f#

A field to return for the event set. You can pass multiple POST f arguments if multiple fields are required. If field_list and f are provided, the union of the lists is used.

Type: string

histogram#

Indicates whether to add histogram data to the summary output.

Type: boolean

latest_time#

Time string representing the latest (exclusive) time bound for the search.

Type: string

min_freq#

For each key, the fraction of results this key must occur in to be displayed. Express the fraction as a number between 0 and 1.

Type: number

output_time_format#

Formats a UTC time.

Type: string

search#

Specifies a substring that all returned events should contain either in one of their values or tags.

Type: string

time_format#

Expression to convert a formatted time string from {start,end}_time into UTC seconds.

Type: string

top_count#

For each key, specifies how many of the most frequent items to return.

Type: number

Get the {name} saved search alert suppression state.

Parameters

search_name (required)#

Type: string

expiration#

Indicates the time the suppression period expires.

Type: string

get_time_lookup_table#

Get a lookup table of time arguments to absolute timestamps.

Parameters

now#

The time to use as current time for relative time identifiers. Can itself either be a relative time (from the real "now" time) or an absolute time in the format specified by time_format.

Type: string

output_time_format#

Used to format a UTC time. Defaults to the value of time_format.

Type: string

time#

The time argument to parse. Acceptable inputs are either a relative time identifier or an absolute time. Multiple time arguments can be passed by specifying multiple time parameters.

Type: string

time_format#

The format (strftime) of the absolute time format passed in time. This field is not used if a relative time identifier is provided. For absolute times, the default value is the ISO-8601 format.

Type: string

get_timeline_for_search_job#

Get event distribution over time of the untransformed events read to-date, for the search_id search.

Parameters

search_id (required)#

Type: string

output_time_format#

Formats a UTC time.

Type: string

time_format#

Expression to convert a formatted time string from {start,end}_time into UTC seconds.

Type: string

list_alert_actions#

Access a list of alert actions.

Parameters

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

list_and_stream_search_jobs#

Get details of all current searches. Stream search results as they become available.

Parameters

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

list_autocomplete_terms#

Get a list of words or descriptions for possible auto-complete terms.

Parameters

output_mode#

Specify output formatting.

Type: string

Potential values: csv, xml, json

prefix#

The term for which to return typeahead results.

Type: string

list_fired_alerts#

Access a fired alerts summary.

Parameters

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

List available search jobs created from the {name} saved search.

Parameters

search_name (required)#

Type: string

savedsearch#

String triplet consisting of user:app:search_name. The triplet constitutes a unique identifier for accessing saved search history. Passing in this parameter can help you work around saved search access limitations in search head clustered deployments. As an example, the following parameter triplet represents an admin user, the search app context, and a search named Splunk errors last 24 hours: 'savedsearch=admin:search:Splunk%20errors%20last%2024%20hours'

Type: string

list_history_of_scheduled_view#

List search jobs used to render the {name} scheduled view.

Parameters

view_name (required)#

Type: string

This operation has no parameters

list_metric_alerts#

Access streaming metric alert configurations.

Parameters

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

list_python_search_commands#

Access Python search commands.

Parameters

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

list_saved_search_configurations#

Access saved search configurations. This endpoint returns an unusually high number of values. To limit the number of returned values, specify the f filtering parameter.

Parameters

add_orphan_field#

Indicates whether the response includes a boolean value for each saved search to show whether the search is orphaned, meaning that it has no valid owner. When add_orphan_field is set to true, the response includes the orphaned search indicators, either 0 to indicate that a search is not orphaned or 1 to indicate that the search is orphaned. Admins can use this setting to check for searches without valid owners and resolve related issues.

Type: boolean

earliest_time#

For scheduled searches, display all the scheduled times starting from this time (not just the next run time).

Type: string

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

latest_time#

For scheduled searches, display all the scheduled times until this time (not just the next run time).

Type: string

listDefaultActionArgs#

Indicates whether to list default actions.

Type: boolean

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

Access {name} saved search scheduled times.

Parameters

earliest_time (required)#

Absolute or relative earliest time

Type: string

latest_time (required)#

Absolute or relative latest time

Type: string

search_name (required)#

Type: string

list_scheduled_times_for_scheduled_view#

Get scheduled view times.

Parameters

earliest_time (required)#

Absolute or relative earliest time

Type: string

latest_time (required)#

Absolute or relative latest time

Type: string

view_name (required)#

Type: string

list_scheduled_views#

List all scheduled view objects.

Parameters

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

list_search_jobs#

Get details of all current searches.

Parameters

f#

Filters the response to include only the named values.

Type: array

[ "string" ]

output_mode#

Type: string

search#

Response filter, where the response field values are matched against this search expression.

Type: string

sort_dir#

Response sort order.

Type: string

Potential values: asc, desc

sort_key#

Field name to use for sorting.

Type: string

sort_mode#

Collated ordering. auto = If all field values are numeric, collate numerically. Otherwise, collate alphabetically. alpha = Collate alphabetically, not case-sensitive. alpha_case = Collate alphabetically, case-sensitive. num = Collate numerically.

Type: string

Potential values: auto, alpha, alpha_case, num

summarize#

Response type. true = Summarized response, omitting some index details, providing a faster response. false = full response.

Type: boolean

preview_results_for_search_job#

Preview {search_id} search results.

Parameters

search_id (required)#

Type: string

add_summary_to_metadata#

Set the value to "true" to include field summary statistics in the response.

Type: boolean

f#

A field to return for the event set. You can pass multiple POST f arguments if multiple fields are required. If both field_list and f are provided, the union of the two lists is used.

Type: string

output_mode#

Specifies the format for the returned output.

Type: string

Potential values: atom, csv, json, json_cols, json_rows, raw, xml

search#

The post processing search to apply to results. Can be any valid search language string.

Type: string

Set scheduled saved search to start at a specific time and then run on its schedule thereafter.

Parameters

search_name (required)#

Type: string

schedule_time#

The next time to run the search. The timestamp can be in one of three formats: ISO8601 format (adjusted for UTC time), UNIX time format, or relative time format.

Type: string

reschedule_scheduled_view#

Schedule the {name} view PDF delivery.

Parameters

view_name (required)#

Type: string

schedule_time#

The next time to run the search. The timestamp can be in one of three formats: ISO8601 format (adjusted for UTC time), UNIX time format, or relative time format.

Type: string

set_search_scheduler_status#

Enable or disable the search scheduler.

Parameters

disabled#

Indicates whether to disable the search scheduler. 0 enables the search scheduler. 1 disables the search scheduler.

Type: boolean

Edit settings that determine concurrent scheduled search limits.

Parameters

auto_summary_perc#

The maximum number of concurrent searches to be allocated for auto summarization, as a percentage of the concurrent searches that the scheduler can run.

Type: number

max_searches_perc#

The maximum number of searches the scheduler can run as a percentage of the maximum number of concurrent searches.

Type: number

Edit settings that determine the maximum number of concurrent scheduled searches.

Parameters

base_max_searches#

A baseline constant added to the maximum number of historical searches (which is otherwise computed as a multiple of the number of CPUs).

Type: number

max_rt_search_multiplier#

A number by which the maximum number of historical searches is multiplied to determine the maximum number of concurrent real-time searches. Note: The maximum number of real-time searches is computed as max_rt_searches = max_rt_search_multiplier x max_hist_searches.

Type: number

max_searches_per_cpu#

The maximum number of concurrent historical searches allowed per CPU.

Type: number
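The two groups of settings above (the percentage shares and the per-CPU caps) together decide how many scheduled searches, and therefore how many scheduled detections, can run at once. The following is an added example, not code from Splunk or from this API reference, that derives that budget. It assumes the historical cap is max_searches_per_cpu times the CPU count plus base_max_searches, that the real-time cap follows the documented max_rt_search_multiplier x max_hist_searches relation, and that percentage shares round down to whole searches; the helper scheduled_searches_over_budget and all sample values are constructed for illustration.

```python
"""Derive the search scheduler's concurrency budget from the limits above.

Added example; not Splunk product code. Assumptions (also marked inline):
historical cap = max_searches_per_cpu * cpu_count + base_max_searches,
real-time cap = max_rt_search_multiplier * historical cap,
percentage shares round down to whole searches.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchLimits:
    max_hist_searches: int       # concurrent historical searches, whole instance
    max_rt_searches: int         # concurrent real-time searches, whole instance
    scheduler_searches: int      # scheduler's share (max_searches_perc)
    auto_summary_searches: int   # share of the scheduler's budget (auto_summary_perc)


def compute_search_limits(cpu_count: int,
                          max_searches_per_cpu: int,
                          base_max_searches: int,
                          max_rt_search_multiplier: int,
                          max_searches_perc: int,
                          auto_summary_perc: int) -> SearchLimits:
    """Combine the per-CPU caps with the percentage shares into one budget."""
    if cpu_count < 1:
        raise ValueError("cpu_count must be >= 1")
    for name, pct in (("max_searches_perc", max_searches_perc),
                      ("auto_summary_perc", auto_summary_perc)):
        if not 0 <= pct <= 100:
            raise ValueError(f"{name} must be a percentage in 0..100")
    # Assumption: per-CPU allowance scaled by CPU count, plus the baseline constant.
    max_hist = max_searches_per_cpu * cpu_count + base_max_searches
    # Documented: max_rt_searches = max_rt_search_multiplier x max_hist_searches.
    max_rt = max_rt_search_multiplier * max_hist
    # Assumption: fractional shares round down to whole searches.
    scheduler = math.floor(max_hist * max_searches_perc / 100)
    auto_summary = math.floor(scheduler * auto_summary_perc / 100)
    return SearchLimits(max_hist, max_rt, scheduler, auto_summary)


def scheduled_searches_over_budget(limits: SearchLimits,
                                   peak_concurrent_scheduled: int) -> int:
    """Constructed helper: how many planned concurrent scheduled searches exceed
    the scheduler's share (0 means the plan fits without deferral)."""
    return max(0, peak_concurrent_scheduled - limits.scheduler_searches)


if __name__ == "__main__":
    # Constructed sample: an 8-CPU search head with 1 search per CPU, a baseline
    # of 6, a real-time multiplier of 1, and 50% shares for both percentages.
    limits = compute_search_limits(8, 1, 6, 1, 50, 50)
    print(limits)
    print("over budget:", scheduled_searches_over_budget(limits, 10))
```

The point of the calculation for a detection team: with the constructed values, only 7 of the 14 instance-wide search slots are available to the scheduler, so a content pack that fires 10 correlation searches at the same minute will have 3 of them deferred or skipped; the usual remedy is staggering cron_schedule values rather than raising the caps.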

update_metric_alert#

Update the named streaming metric alert.

Parameters

alert_name (required)#

Type: string

$body#

Type: object

{
"metric_indexes" : "Specify one or more metric indexes, delimited by comma. Combines with the filter setting to define the search result dataset that the alert monitors for the alert condition.",
"action.script" : "Indicates whether script is enabled or disabled for a particular metric alert.",
"description" : "Provide a description of the streaming metric alert.",
"action.logevent" : "Indicates whether logevent is enabled or disabled for a particular metric alert.",
"action.rss" : "Indicates whether rss is enabled or disabled for a particular metric alert.",
"groupby" : "Provide a list of dimension fields, delimited by comma, for the group-by clause of the alert search. This results in multiple aggregation values, one per group, instead of one aggregation value.",
"label" : { },
"action.email" : "Indicates whether email is enabled or disabled for a particular metric alert.",
"filter" : "Specify one or more Boolean expressions like = to define the search result dataset to monitor for an alert condition. Link multiple Boolean expressions with the AND operator. The filter does not support subsearches, macros, tags, event types, or time modifiers such as 'earliest' or 'latest'. This setting combines with the metric_indexes setting to provide the complete search filter for the alert.",
"condition" : "Boolean eval expression. Specifies an alert condition for one or more metric_name and aggregation pairs. You can set alert conditions that include multiple Boolean operators, eval functions, and metric aggregations. The Splunk software applies this evaluation to the results of the alert search on a regular interval. When the alert condition evaluates to 'true', the alert is triggered. Must reference at least one '()' clause in single quotes. The condition can also reference dimensions specified in the groupby setting.",
"action.webhook" : "Indicates whether webhook is enabled or disabled for a particular metric alert.",
"trigger.expires" : "Set the period of time that a triggered alert record displays on the Triggered Alerts page. Use , where can be 'm' for minutes, 'h' for hours, and 'd' for days. Set to 0 to make triggered alerts expire immediately so they do not appear on the Triggered Alerts page at all. Default is 24h.",
"trigger.max_tracked" : "Specify the maximum number of instances of this alert that can display in the triggered alerts dashboard. When this threshold is passed, the Splunk software removes the earliest instances from the dashboard to honor this maximum number. Set to 0 to remove the cap. Defaults to 20.",
"name" : "Specify the name of the streaming metric alert.",
"trigger.suppress" : "Define the suppression period to silence alert actions and notifications. The suppression period goes into effect when an alert is triggered. During this period, if the alert is triggered again, its actions do not happen and its notifications do not go out. When the period elapses, a subsequent triggering of the alert causes alert actions and notifications to take place as usual, and the alert is suppressed again. Use m to specify a timespan in minutes. Default is 0m."
}
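The trigger.suppress, trigger.expires and trigger.max_tracked descriptions above together define how a metric alert behaves once its condition is true: actions are silenced for the suppression period, the triggered record stays visible until it expires, and the earliest records are evicted past the cap. The block below is an added example, not Splunk code, that simulates exactly those rules over a constructed sequence of trigger events. It generalizes the text in one way, which is stated in the code: suppression is tracked per key, so a key of None reproduces the single-alert behaviour described here, while distinct keys (for example one per host in a groupby) are suppressed independently. The class and function names, the acceptance of a bare integer or an 's' suffix as seconds, and all sample timestamps are assumptions made for this example.

```python
"""Simulate trigger.suppress / trigger.expires / trigger.max_tracked semantics.

Added example; not Splunk code. Timespans use the documented unit letters
m, h and d; 's' and a bare integer (seconds) are assumed extensions.
Suppression is keyed (a generalization; key=None is the plain documented case).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

_SPAN = re.compile(r"^(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_timespan(spec: str) -> int:
    """Convert '15m', '24h', '0' and similar to seconds."""
    spec = spec.strip()
    if spec.isdigit():          # assumed: bare integer means seconds
        return int(spec)
    m = _SPAN.match(spec)
    if not m:
        raise ValueError(f"bad timespan: {spec!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


@dataclass
class TriggeredRecord:
    key: Optional[str]
    fired_at: int
    expires_at: int


@dataclass
class MetricAlertState:
    suppress: str = "0m"       # trigger.suppress (documented default 0m)
    expires: str = "24h"       # trigger.expires  (documented default 24h)
    max_tracked: int = 20      # trigger.max_tracked (documented default 20; 0 = no cap)
    _suppressed_until: dict = field(default_factory=dict)
    tracked: list = field(default_factory=list)

    def on_trigger(self, now: int, key: Optional[str] = None) -> bool:
        """Handle the condition evaluating true at `now`; True if actions run."""
        until = self._suppressed_until.get(key)
        if until is not None and now < until:
            return False        # inside the suppression period: no actions, no notifications
        period = parse_timespan(self.suppress)
        if period > 0:
            # the window starts on the fire, and restarts after each un-suppressed fire
            self._suppressed_until[key] = now + period
        self._record(now, key)
        return True

    def _record(self, now: int, key: Optional[str]) -> None:
        ttl = parse_timespan(self.expires)
        self.tracked.append(TriggeredRecord(key, now, now + ttl))
        if self.max_tracked > 0:
            while len(self.tracked) > self.max_tracked:
                self.tracked.pop(0)   # drop the earliest instance to honour the cap

    def visible(self, now: int) -> list:
        """Records still shown on the Triggered Alerts page at `now`.
        expires='0' makes expires_at == fired_at, so the record never shows."""
        return [r for r in self.tracked if now < r.expires_at]


def simulate(events, suppress="15m", expires="1h", max_tracked=3):
    """events: iterable of (timestamp_seconds, key). Returns (outcomes, state)."""
    state = MetricAlertState(suppress, expires, max_tracked)
    outcomes = [(ts, key, state.on_trigger(ts, key)) for ts, key in events]
    return outcomes, state


if __name__ == "__main__":
    # Constructed trigger sequence: two hosts, condition true at these offsets.
    sample = [(0, "host-a"), (300, "host-a"), (600, "host-b"),
              (900, "host-a"), (1000, "host-b"), (1800, "host-a")]
    outcomes, state = simulate(sample)
    for ts, key, ran in outcomes:
        print(f"t={ts:5d} {key}: {'actions ran' if ran else 'suppressed'}")
    print("visible at t=4300:", [(r.key, r.fired_at) for r in state.visible(4300)])
```

Two details worth checking against your own expectations: a re-trigger at exactly the end of the period (t=900 for a 15m window opened at t=0) is not suppressed, and the cap is enforced on stored records, so once it is reached each new fire silently discards the oldest one even if that one has not yet expired.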

Update the named streaming saved search.

Parameters

search_name (required)#

Type: string

$body#

Type: object

{
"alert.suppress.period" : "Valid values: [number][time-unit] Specifies the suppresion period. Only valid if alert.supress is enabled. Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.",
"action.rss.hostname" : "Sets the hostname used in the web link (url) sent in alert actions. This value accepts two forms. hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443) See action.email.hostname for details.",
"action.email.inline" : "Indicates whether the search results are contained in the body of the email. Results can be either inline or attached to an email. See action.email.sendresults.",
"action.rss.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 1m.",
"action.email.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"action.email.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"dispatch.*" : "Wildcard argument that accepts any dispatch related argument.",
"alert_threshold" : "Valid values are Integer[%]. Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to \"rises by perc\" or \"drops by perc.\"",
"action.email" : "The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"action.email.preprocess_results" : "Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing). Usually the preprocessing consists of filtering out unwanted internal fields.",
"action.script.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"action.email.bcc" : "BCC email address to use if action.email is enabled.",
"auto_summarize.dispatch.latest_time" : "A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"auto_summarize.suspend_period" : "Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful. Defaults to 24h.",
"action.populate_lookup.hostname" : "Sets the hostname used in the web link (url) sent in alert actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443) See action.email.hostname for details.",
"auto_summarize.dispatch.earliest_time" : "A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"action.script.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"schedule_window" : "Time window (in minutes) during which the search has lower priority. Defaults to 0. The scheduler can give higher priority to more critical searches during this window. The window must be smaller than the search period. Set to auto to let the scheduler determine the optimal window value automatically. Requires the edit_search_schedule_window capability to override auto.",
"action.summary_index.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"alert_comparator" : "Used with alert_threshold to trigger alert actions.",
"action.script.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"alert.suppress.fields" : "Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled.",
"action.email.cc" : "CC email address to use if action.email is enabled.",
"dispatch.time_format" : "A time format string that defines the time format for specifying the earliest and latest time. Defaults to %FT%T.%Q%:z.",
"dispatch.rt_maximum_span" : "Allows for a per-job override of the [search] indexed_realtime_maximum_span setting in limits.conf. Default for saved searches is \"unset\", falling back to the limits.conf setting.",
"action.email.from" : "Email address from which the email action originates. Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf.",
"action.email.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"dispatch.indexedRealtimeMinSpan" : "Allows for a per-job override of the [search] indexed_realtime_default_span setting in limits.conf. Default for saved searches is \"unset\", falling back to the limits.conf setting.",
"action.email.use_tls" : "Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). Defaults to false.",
"auto_summarize.timespan" : "The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers. For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use 1h,1d.",
"actions" : "A comma-separated list of actions to enable. For example: rss,email",
"dispatch.indexedRealtime" : "Indicates whether to used indexed-realtime mode when doing real-time searches.",
"action.email.to" : "A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled.",
"action.script.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"auto_summarize.max_time" : "Maximum time (in seconds) that the summary search is allowed to run. Defaults to 3600. Note: This is an approximate time. The summary search stops at clean bucket boundaries.",
"allow_skew" : "Allows the search scheduler to distribute scheduled searches randomly and more evenly over their specified search periods. Defaults to 0 (skew disabled). This setting does not require adjusting in most use cases. Check with an admin before making any updates. When set to a non-zero value for searches with the following cron_schedule values, the search scheduler randomly skews the second, minute, and hour on which the search runs.\n* * * * * Every minute. */M * * * * Every M minutes (M > 0). 0 * * * * Every hour. 0 */H * * * Every H hours (H > 0). 0 0 * * * Every day (at midnight). When set to a non-zero value for a search that has any other cron_schedule setting, the search scheduler can randomly skew only the second on which the search runs. The amount of skew for a specific search remains constant between edits of the search. A value of 0 disallows skew. 0 is the default setting Percentage followed by % specifies the maximum amount of time to skew as a percentage of the scheduled search period. Duration specifies a maximum duration. The can be omitted only when the is 0. Valid duration units are\n m\n min\n minute\n mins\n minutes\n h\n hr\n hour\n hrs\n hours\n d\n day\n days\nExamples\n 100% (for an every-5-minute search) = 5 minutes maximum\n 50% (for an every-minute search) = 30 seconds maximum\n 5m = 5 minutes maximum\n 1h = 1 hour maximum",
"action.email.reportCIDFontList" : "Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering. If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used. To skip loading any CID fonts, specify the empty string. Defaults to \"gb cns jp kor\"",
"action.email.reportIncludeSplunkLogo" : "Indicates whether to include the Splunk logo with the report.",
"action.script" : "The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"max_concurrent" : "The maximum number of concurrent instances of this search the scheduler is allowed to run. Defaults to 1.",
"action.email.use_ssl" : "Indicates whether to use SSL when communicating with the SMTP server. Defaults to false.",
"alert_type" : "What to base the alert on, overriden by alert_condition if it is specified.",
"search" : "Required. The search to save.",
"action.summary_index.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"dispatch.rt_backfill" : "Whether to back fill the real time window for this search. Parameter valid only if this is a real time search. Defaults to 0.",
"alert.expires" : "Valid values: [number][time-unit] Sets the period of time to show the alert in the dashboard. Defaults to 24h. Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour.",
"displayview" : "Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions.",
"action.email.subject" : "Specifies an alternate email subject. Defaults to SplunkAlert-.",
"disabled" : "Indicates if the saved search is enabled. Defaults to 0. Disabled saved searches are not visible in Splunk Web.",
"auto_summarize.max_summary_ratio" : "The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket. Defaults to 0.1. Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size.",
"action.email.maxresults" : "Sets the global maximum number of search results to send when email.action is enabled. Defaults to 100.",
"cron_schedule" : "The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes. cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes.",
"is_visible" : "Specifies whether this saved search should be listed in the visible saved search list. Defaults to 1.",
"auto_summarize.command" : "A search template that constructs the auto summarization for this search. Defaults to summarize override=partial timespan=$auto_summarize.timespan$ max_summary_size=$auto_summarize.max_summary_size$ max_summary_ratio=$auto_summarize.max_summary_ratio$ max_disabled_buckets=$auto_summarize.max_disabled_buckets$ max_time=$auto_summarize.max_time$ [ $search$ ] Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches.",
"action.summary_index.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"alert.track" : "Specifies whether to track the actions triggered by this scheduled search. auto - (Default) determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search.",
"action.summary_index" : "The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0",
"action.populate_lookup.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"dispatch.max_time" : "Indicates the maximum amount of time (in seconds) before finalizing the search. Defaults to 0.",
"action.script.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"action.email.reportServerEnabled" : "Not supported.",
"qualifiedSearch" : "Read-only attribute. Value ignored on POST. This value is computed during runtime.",
"action.populate_lookup.maxtime" : "Valid values are Integer[m|s|h|d]. Specifies the maximum amount of time the execution of an action takes before the action is aborted. Default is 5m.",
"action.summary_index._name" : "Specifies the name of the summary index where the results of the scheduled search are saved. Defaults to \"summary.\"",
"action.rss.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"action.summary_index.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"dispatch.max_count" : "The maximum number of results before finalizing the search. Defaults to 500000.",
"action.email.reportPaperSize" : "Specifies the paper size for PDFs. Defaults to letter.",
"alert.digest_mode" : "Specifies whether alert actions are applied to the entire result set or on each individual result. Defaults to 1.",
"action.email.pdfview" : "The name of the view to deliver if sendpdf is enabled",
"auto_summarize.dispatch.time_format" : "Defines the time format used to specify the earliest and latest time. Defaults to %FT%T.%Q%:z",
"action.email.reportPaperOrientation" : "Specifies the paper orientation. Defaults to portrait.",
"next_scheduled_time" : "Read-only attribute. Value ignored on POST. There are some old clients who still send this value",
"dispatch.latest_time" : "A time string that specifies the latest time for this saved search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"action.email.format" : "Specify the format of text in the email. This value also applies to any attachments.",
"is_scheduled" : "Whether this search is to be run on a schedule",
"auto_summarize.max_disabled_buckets" : "The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. Defaults to 2.",
"action.populate_lookup.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"alert.severity" : "Sets the alert severity level. Valid values are: 1 DEBUG 2 INFO 3 WARN (default) 4 ERROR 5 SEVERE 6 FATAL",
"request.ui_dispatch_view" : "Specifies a field used by Splunk Web to denote the view this search should be displayed in.",
"dispatch.buckets" : "The maximum number of timeline buckets. Defaults to 0.",
"dispatch.lookups" : "Enables or disables the lookups for this search. Defaults to 1.",
"alert.suppress" : "Indicates whether alert suppression is enabled for this scheduled search.",
"action.email.auth_username" : "The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string. NOTE: Your SMTP server might reject unauthenticated emails.",
"dispatch.earliest_time" : "A time string that specifies the earliest time for this search. Can be a relative or absolute time. If this value is an absolute time, use the dispatch.time_format to format the value.",
"realtime_schedule" : "Controls the way the scheduler computes the next execution time of a scheduled search. Defaults to 1. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time. If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0).",
"action.populate_lookup.dest" : "Lookup name of path of the lookup to populate",
"vsid" : "Defines the viewstate id associated with the UI view listed in 'displayview'. Must match up to a stanza in viewstates.conf.",
"action.email.sendpdf" : "Indicates whether to create and send the results as a PDF. Defaults to false.",
"auto_summarize.cron_schedule" : "Cron schedule that probes and generates the summaries for this saved search. The default value, */10 * * * * , corresponds to every ten hours.",
"dispatch.indexedRealtimeOffset" : "Allows for a per-job override of the [search] indexed_realtime_disk_sync_delay setting in limits.conf. Default for saved searches is \"unset\", falling back to limits.conf setting.",
"action.summary_index.hostname" : "Sets the hostname used in the web link (url) sent in summary-index alert actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details.",
"name" : "Required. A name for the search.",
"action.summary_index.inline" : "Determines whether to execute the summary indexing action as part of the scheduled search. NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always). Defaults to true.",
"auto_summarize" : "Indicates whether the scheduler should ensure that the data for this search is automatically summarized. Defaults to 0.",
"action.rss.track_alert" : "Indicates whether the execution of this action signifies a trackable alert.",
"action.email.auth_password" : "The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next platform restart. Defaults to empty string.",
"run_on_startup" : "Indicates whether this search runs on startup. If it does not run on startup, it runs at the next scheduled time. Defaults to 0. Set run_on_startup to true for scheduled searches that populate lookup tables.",
"action.email.width_sort_columns" : "Indicates whether columns should be sorted from least wide to most wide, left to right. Only valid if format=text.",
"action.email.mailserver" : "Set the address of the MTA server to be used to send the emails. Defaults to or whatever is set in alert_actions.conf.",
"action.populate_lookup.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"auto_summarize.dispatch.ttl" : "Integer[p]. Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. Defaults to 60.",
"action.email.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"description" : "Human-readable description of this saved search. Defaults to empty string.",
"action.rss" : "The state of the rss action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"action.populate_lookup.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"action.script.filename" : "File name of the script to call. Required if script action is enabled",
"action.summary_index.ttl" : "Valid values are Integer[m|s|h|d]. Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows , int is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf.",
"action.rss.command" : "The search command (or pipeline) which is responsible for executing the action. Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$.",
"auto_summarize.max_summary_size" : "The minimum summary size, in bytes, before testing whether the summarization is helpful. The default value, 52428800, is equivalent to 5MB.",
"action.email.hostname" : "Sets the hostname used in the web link (url) sent in email actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails 'localhost'. When set to empty, default behavior is used.",
"action.rss.maxresults" : "Sets the maximum number of search results sent using alerts. Defaults to 100.",
"action.populate_lookup" : "The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. Defaults to 0.",
"dispatch.reduce_freq" : "Specifies, in seconds, how frequently the MapReduce reduce phase runs on accumulated map values. Defaults to 10.",
"restart_on_searchpeer_add" : "Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search. Defaults to 1. Note: The peer can be a newly added peer or a peer down and now available.",
"action.script.hostname" : "Sets the hostname used in the web link (url) sent in alert actions. This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com), or protocol://hostname:port (for example, http://splunkserver:8000 or https://splunkserver.example.com:443). See action.email.hostname for details.",
"alert_condition" : "Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string. Alerts are triggered if the specified search yields a non-empty search result list. NOTE: If you specify an alert_condition, do not set counttype, relation, or quantity.",
"action.email.reportServerURL" : "Not supported. For a default locally installed report server, the URL is http://localhost:8091/",
"request.ui_dispatch_app" : "Specifies a field used by Splunk Web to denote the app this search should be dispatched in.",
"dispatch.spawn_process" : "Specifies whether to spawn a new search process when this saved search is executed. Defaults to 1. Searches against indexes must run in a separate process.",
"action.email.sendresults" : "Indicates whether to attach the search results in the email. Results can be either attached or inline. See action.email.inline.",
"dispatch.ttl" : "Integer[p]. Defaults to 2p. Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered. If an action is triggered, the action ttl is used. If multiple actions are triggered, the maximum ttl is applied to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p', the ttl is interpreted as a multiple of the scheduled search period."
}
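The ttl rules described above (an action ttl written as Integer[m|s|h|d], or an integer followed by p for a multiple of the scheduled period; dispatch.ttl applied only when no action fires, otherwise the maximum ttl of the triggered actions), as an added Python example that is not part of this reference or of any Splunk SDK; the function names are my own.

```python
import re

# Parses the ttl notations from the savedsearches.conf descriptions above:
#   action ttl   -> Integer[m|s|h|d] (plain integer means seconds) or Integer followed by 'p'
#   dispatch.ttl -> Integer[p], e.g. the default "2p"
# A trailing 'p' means "multiples of the scheduled search period".
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
_TTL_RE = re.compile(r"^\s*(\d+)\s*([smhdp]?)\s*$")


def ttl_to_seconds(spec: str, period_seconds: int) -> int:
    """Convert one ttl spec to seconds. period_seconds is the saved search's schedule interval."""
    match = _TTL_RE.match(spec)
    if not match:
        raise ValueError(f"unrecognised ttl spec: {spec!r}")
    value, unit = int(match.group(1)), match.group(2)
    if unit == "p":
        if period_seconds <= 0:
            raise ValueError("a 'p' ttl requires a positive scheduled period")
        return value * period_seconds
    return value * _UNIT_SECONDS[unit]


def effective_artifact_ttl(dispatch_ttl: str, period_seconds: int, triggered_action_ttls) -> int:
    """Minimum artifact lifetime in seconds, following the dispatch.ttl rule:
    no triggered actions -> dispatch.ttl; one or more -> the largest action ttl."""
    if not triggered_action_ttls:
        return ttl_to_seconds(dispatch_ttl, period_seconds)
    return max(ttl_to_seconds(t, period_seconds) for t in triggered_action_ttls)


if __name__ == "__main__":
    # Constructed scenario: a search scheduled every 5 minutes (300 s) with the default
    # dispatch.ttl of "2p"; the summary_index action keeps its default 86400 and a
    # populate_lookup action is set to "3p".
    period = 300
    print(effective_artifact_ttl("2p", period, []))               # 600
    print(effective_artifact_ttl("2p", period, ["86400", "3p"]))  # 86400
```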

update_scheduled_view#

Update the named scheduled view.

Parameters

action.email.to (required)#

Comma- or semicolon-separated list of email addresses to send the view to.

Type: string

cron_schedule (required)#

The cron schedule to use for delivering the view. Scheduled views are dummy/noop scheduled saved searches that email a pdf version of a view. For example: */5 * * * * causes the search to execute every 5 minutes. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00, hh:20 and hh:40 and might slow your system every 20 minutes.

Type: string

is_scheduled (required)#

Whether this pdf delivery should be scheduled.

Type: boolean

view_name (required)#

Type: string

description#

User-readable description of this scheduled view object.

Type: string

disabled#

Whether this object is enabled or disabled.

Type: boolean

update_search_job#

Update the named search job.

Parameters

search_id (required)#

Type: string

$body#

Type: object

{ }