Splunk · Schema

SearchJobCreateRequest

Analytics, Data Analysis, Logging, Machine Data, Monitoring, Observability, Platform, Security, SIEM

Properties

Name Type Description
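search string The SPL search query to execute. The schema places no constraints on this string, so a caller that builds it from user-supplied input must validate or escape that input before submitting the job.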
earliest_time string Earliest time for the search using relative or absolute time format
latest_time string Latest time for the search
search_mode string The search mode
exec_mode string Execution mode: normal runs asynchronously, oneshot runs synchronously, and blocking waits for completion.
max_count integer Maximum number of results to return
max_time integer Maximum time in seconds before the search is finalized
timeout integer Number of seconds to keep the search after processing has stopped
rf string Comma-separated list of required fields to include in results
namespace string Application namespace for the search
id string Optional custom search ID. If not specified, Splunk generates one automatically.
status_buckets integer Number of status buckets to generate for the search timeline. Set to a value greater than 0 to enable timeline.
auto_cancel integer Seconds of inactivity after which the search is automatically cancelled. 0 means never auto-cancel.
auto_finalize_ec integer Auto-finalize the search after this number of events have been processed. 0 disables auto-finalize.
auto_pause integer Seconds of inactivity after which the search is automatically paused. 0 means never auto-pause.
enable_lookups boolean Whether to enable lookups during the search
reload_macros boolean Whether to reload macro definitions before the search
reduce_freq integer How frequently to invoke the reduce phase (seconds)
spawn_process boolean Whether to run the search in a separate process

JSON Schema

splunk-searchjobcreaterequest-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "#/components/schemas/SearchJobCreateRequest",
  "title": "SearchJobCreateRequest",
  "type": "object",
  "required": [
    "search"
  ],
  "properties": {
    "search": {
      "type": "string",
      "description": "The SPL search query to execute",
      "examples": [
        "search index=main sourcetype=syslog | head 100"
      ]
    },
    "earliest_time": {
      "type": "string",
      "description": "Earliest time for the search using relative or absolute time format",
      "examples": [
        "-24h@h",
        "2024-01-01T00:00:00.000Z"
      ]
    },
    "latest_time": {
      "type": "string",
      "description": "Latest time for the search",
      "examples": [
        "now"
      ]
    },
    "search_mode": {
      "type": "string",
      "description": "The search mode",
      "enum": [
        "normal",
        "realtime"
      ],
      "default": "normal",
      "example": "normal"
    },
    "exec_mode": {
      "type": "string",
      "description": "Execution mode. Normal runs asynchronously, oneshot runs synchronously, blocking waits for completion.",
      "enum": [
        "normal",
        "blocking",
        "oneshot"
      ],
      "default": "normal",
      "example": "normal"
    },
    "max_count": {
      "type": "integer",
      "description": "Maximum number of results to return",
      "default": 10000,
      "example": 10
    },
    "max_time": {
      "type": "integer",
      "description": "Maximum time in seconds before the search is finalized",
      "default": 0,
      "example": 10
    },
    "timeout": {
      "type": "integer",
      "description": "Number of seconds to keep the search after processing has stopped",
      "default": 86400,
      "example": 10
    },
    "rf": {
      "type": "string",
      "description": "Comma-separated list of required fields to include in results",
      "example": "example_value"
    },
    "namespace": {
      "type": "string",
      "description": "Application namespace for the search",
      "example": "example_value"
    },
    "id": {
      "type": "string",
      "description": "Optional custom search ID. If not specified, Splunk generates one automatically.",
      "example": "abc123"
    },
    "status_buckets": {
      "type": "integer",
      "description": "Number of status buckets to generate for the search timeline. Set to a value greater than 0 to enable timeline.",
      "default": 0,
      "example": 10
    },
    "auto_cancel": {
      "type": "integer",
      "description": "Seconds of inactivity after which the search is automatically cancelled. 0 means never auto-cancel.",
      "default": 0,
      "example": 10
    },
    "auto_finalize_ec": {
      "type": "integer",
      "description": "Auto-finalize the search after this number of events have been processed. 0 disables auto-finalize.",
      "default": 0,
      "example": 10
    },
    "auto_pause": {
      "type": "integer",
      "description": "Seconds of inactivity after which the search is automatically paused. 0 means never auto-pause.",
      "default": 0,
      "example": 10
    },
    "enable_lookups": {
      "type": "boolean",
      "description": "Whether to enable lookups during the search",
      "default": true,
      "example": true
    },
    "reload_macros": {
      "type": "boolean",
      "description": "Whether to reload macro definitions before the search",
      "default": true,
      "example": true
    },
    "reduce_freq": {
      "type": "integer",
      "description": "How frequently to invoke the reduce phase (seconds)",
      "default": 0,
      "example": 10
    },
    "spawn_process": {
      "type": "boolean",
      "description": "Whether to run the search in a separate process",
      "default": true,
      "example": true
    }
  }
}