Splunk · Schema
SearchJobCreateRequest
AnalyticsData AnalysisLoggingMachine DataMonitoringObservabilityPlatformSecuritySIEM
Properties
| Name | Type | Description |
|---|---|---|
| search | string | The SPL search query to execute |
| earliest_time | string | Earliest time for the search using relative or absolute time format |
| latest_time | string | Latest time for the search |
| search_mode | string | The search mode |
| exec_mode | string | Execution mode. Normal runs asynchronously, oneshot runs synchronously, blocking waits for completion. |
| max_count | integer | Maximum number of results to return |
| max_time | integer | Maximum time in seconds before the search is finalized |
| timeout | integer | Number of seconds to keep the search after processing has stopped |
| rf | string | Comma-separated list of required fields to include in results |
| namespace | string | Application namespace for the search |
| id | string | Optional custom search ID. If not specified, Splunk generates one automatically. |
| status_buckets | integer | Number of status buckets to generate for the search timeline. Set to a value greater than 0 to enable timeline. |
| auto_cancel | integer | Seconds of inactivity after which the search is automatically cancelled. 0 means never auto-cancel. |
| auto_finalize_ec | integer | Auto-finalize the search after this number of events have been processed. 0 disables auto-finalize. |
| auto_pause | integer | Seconds of inactivity after which the search is automatically paused. 0 means never auto-pause. |
| enable_lookups | boolean | Whether to enable lookups during the search |
| reload_macros | boolean | Whether to reload macro definitions before the search |
| reduce_freq | integer | How frequently to invoke the reduce phase (seconds) |
| spawn_process | boolean | Whether to run the search in a separate process |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "SearchJobCreateRequest",
"type": "object",
"properties": {
"search": {
"type": "string",
"description": "The SPL search query to execute"
},
"earliest_time": {
"type": "string",
"description": "Earliest time for the search using relative or absolute time format"
},
"latest_time": {
"type": "string",
"description": "Latest time for the search"
},
"search_mode": {
"type": "string",
"description": "The search mode"
},
"exec_mode": {
"type": "string",
"description": "Execution mode. Normal runs asynchronously, oneshot runs synchronously, blocking waits for completion."
},
"max_count": {
"type": "integer",
"description": "Maximum number of results to return"
},
"max_time": {
"type": "integer",
"description": "Maximum time in seconds before the search is finalized"
},
"timeout": {
"type": "integer",
"description": "Number of seconds to keep the search after processing has stopped"
},
"rf": {
"type": "string",
"description": "Comma-separated list of required fields to include in results"
},
"namespace": {
"type": "string",
"description": "Application namespace for the search"
},
"id": {
"type": "string",
"description": "Optional custom search ID. If not specified, Splunk generates one automatically."
},
"status_buckets": {
"type": "integer",
"description": "Number of status buckets to generate for the search timeline. Set to a value greater than 0 to enable timeline."
},
"auto_cancel": {
"type": "integer",
"description": "Seconds of inactivity after which the search is automatically cancelled. 0 means never auto-cancel."
},
"auto_finalize_ec": {
"type": "integer",
"description": "Auto-finalize the search after this number of events have been processed. 0 disables auto-finalize."
},
"auto_pause": {
"type": "integer",
"description": "Seconds of inactivity after which the search is automatically paused. 0 means never auto-pause."
},
"enable_lookups": {
"type": "boolean",
"description": "Whether to enable lookups during the search"
},
"reload_macros": {
"type": "boolean",
"description": "Whether to reload macro definitions before the search"
},
"reduce_freq": {
"type": "integer",
"description": "How frequently to invoke the reduce phase (seconds)"
},
"spawn_process": {
"type": "boolean",
"description": "Whether to run the search in a separate process"
}
}
}